I'm revisiting my own post as I see this is still a problem.  Onboarded new customer and users prefer the native Mail app. Still continuous prompts with MFA enforced or if the Security Defaults is enabled. The app password is not 100% reliable.

So anyone figure out a decent work around?  Still seems like broken promises from Apple that they have resolved this issues with Microsoft 365...

@Alex Melching We have the same issue here.  Users work fine in the Outlook mobile app, but the handful using the native iOS mail client repeatedly receive the prompt for password/edit settings.  I haven't been able to find a solution to this anywhere other than forcing people to use Outlook Mobile.  We have been using Conditional Access for some time.  Everyone is properly licensed and our org is enabled globally for modern auth.  I'm not exactly sure where to go from here.  There's a disconnect somewhere.

@JQ_IT_Admin Please somebody correct me if I'm wrong, but wouldn't allowing ActiveSync open up a security hole (since it's a basic authentication method)?

I have a couple of iOS users who are having the same issue since enabling MFA and disabling basic authentication methods. Some but not all. I have also been recommending the Outlook app & appreciate @vortiz posting the link about syncing contacts through the app.

I may take this up with MS support to see if I can get any further. Will update the thread if I do!

I can confirm what Thijs Lecomte said. We enabled MFA across the company on 9/1/2021. Many but not all iPhone users had this problem where the built-in mail app kept asking for the password. We found the solution was this:
1. Delete the exchange account from mail settings.
2. Add the mail account back again.
3. Choose "Microsoft Exchange" NOT Outlook.com (Important)
4. Enter email address. The default description of "Exchange" is fine.
5. When prompted for "Configure Manually" or "Sign In" choose "Sign In". This is the critical thing. the “Sign In” option supports MFA authentication, “Configure Manually” does not.
6. Enter your password and do the MFA approval.
7. After verification, you’re good to go.

Our conditional access policy still has this:

I worked round the MDM issue on an iPad as follows:
1. Temporarily excluded the user account from enforced MDM using Classic Policies at https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/ClassicPolicies
2. Removed the management profile from the iPad - which removed the non-working Mail account
3. Added the email account to Apple's mail client manually, including MFA.

4: Used Company Portal to download a new profile and installed it. Because the email account was already there, the profile did not add a non-working one.

5. Restored the MDM configuration in Azure AD

6. Removed the email account, and then put it back.

Step 6 is needed because the Mail account was created before the profile was installed, so the login was from a context which is no longer valid on the server. It will fail after some hours and you must reinstall it to get a valid login. Do not leave it without any account for any substantial time. If you do, the downloaded profile will cause the system to create a non-removable mail account that cannot use modern authentication, and you are back to Step 1.

You can recognise an account that came from the downloaded profile - the option to remove it it missing from its properties.

I also tried downloading the profile from an account that has full Intune on the license instead of the O365 MDM, and in this case it did not try to create the Mail account at all. Hence, with that option you never hit a problem because you manually add the Mail account after downloading the profile.