Re: Email != Webmail
"MAPI/RPC is the protocol used by older Outlook clients"
RPC is the protocol, MAPI is a programming interface. Outlook shouldn't be connecting directly to Exchange over the Internet; there should be a VPN involved.
"a certificate is NOT 2FA, it's too easy to proxy."
Not sure I follow you. The server holds the public key, client holds the private key. This key pair is unique to the user/client combination. If the device is lost/compromised the key is revoked. How does a proxy affect this?
The point here is that you can force some form of 2FA for all email users. If you say you can't because you need to support xyz crappy outdated client, then you don't have a secure system. Security vs. usability is always a balancing act. If you're the government, you should probably be tipping the scales towards security.