As an update, I am currently looking at onelogin.com. Options up the wazoo and a better price than Okta.
To reiterate, you give the O365 account a 16-digit password that you don't tell the user, and set up the SSO program (Okta, OneLogin, Ping) for two-factor auth. The user logs in to the SSO and chooses O365 as the app.
Seems like this is finally going to work.