Improve app password support for non MFA capable applications
The generated app password should be more than lower case. Additionally, given that this is really a single factor authentication mechanism, password expiration needs to be supported. Customers run into a dilemma since MFA will be valuable for web access but the single password for non compliant application access with no automatic expiration makes it potentially worse from a security perspective for those apps. Creating an admin burden to periodically delete the app passwords is also not scalable for larger organizations.
Additionally office for MAC really needs to support MFA. Why it was not added to the recently released office 2016 for MAC package hard to understand. I'm sure there are a significant and growing number of mixed MAC/Windows environments using office365.