hi all,
we actually found a solutions that worked for us.
- we figured there was a permission missing on our side. this was revealed by logging in with our o365 admin account. i checked the rclone documentation and, indeed, it needs 6 permissions in total where we had only 5 set.
- we used the
client_idandclient_secretwe created earlier. in addition, we added the auth_url (auth_token was not necessary)
[onedrive] type = onedrive drive_type = business client_id = xxxxxxxxx client_secret = xxxxxxxx auth_url = https://login.microsoftonline.com/*YOUR_TENANT_ID*/oauth2/v2.0/authorize
This allows us now to deploy the rconf config, refresh the token using MS MFA, and have happy rclone users 
we tested this on a few clients and also on win + mac. so far, so great. many thanks for your guidance, nick!