Hey,
Google has the "Advanced Protection Program", why don't you?
All you need to do is make your apps use a similar authentication method; Outlook should work with it using the same popup dialog as ADFS uses right now.
"App passwords" are just security holes that bypass your 2-factor.
Right now it is not possible to say "Security keys" as a standalone thing; the checkbox "Verification code from mobile app or hardware token" is the only option, and that method requires the user to first configure TOTP (an insecure, phishable method), and only after that can he add a security key. The most messed up thing is that after doing that, the user can remove the TOTP method... Why even require it‽