relay_passwd.db: # if necessary / not authenticated by IP
relay.server.tld user:pass
The relay can/should rewrite the Return-Path to pass SPF. It's no problem for DMARC as the DKIM signature added by the initial server still authenticates it.
It requires manually adding domains of custom 365 installations to the list - at this size I do this manually, but it should probably be automated "on bounce" or maybe even by a smart rule based on the MX record.
In Exim4 it's also possible to conditionally rewrite based on, for example, the recipient domain.
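As an added illustration (not code from the post above, nor from any particular relay), here is a small model of the decision the post describes: rewrite the Return-Path to the relay's own domain only for recipient domains that need it (the manually kept list plus a rule derived from the recipient's MX record), then check that DMARC still passes through the originating server's DKIM signature. The relay domain relay.server.tld, the bounce mailbox, the sample customer domains, the MX answers and the SPF data are all constructed for the example; a real deployment would query MX records with a resolver (for instance dns.resolver from dnspython) instead of reading a table, and the organisational-domain helper is simplified to the last two labels where the Public Suffix List would normally be used.

```python
"""Per-recipient Return-Path rewrite on a relay, and the resulting DMARC outcome.

Added example, not from the original post. Everything below (domains,
MX answers, SPF data) is constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set

# Microsoft 365 ingress hosts share this suffix; used for the MX-based rule.
M365_MX_SUFFIX = ".mail.protection.outlook.com"

# Constructed MX answers standing in for DNS lookups.
SAMPLE_MX: Dict[str, List[str]] = {
    "customer-a.example": ["customer-a-example.mail.protection.outlook.com."],
    "customer-b.example": ["mx1.customer-b.example.", "mx2.customer-b.example."],
}

# The manually maintained list from the post (hypothetical entries).
MANUAL_REWRITE_DOMAINS: Set[str] = {"legacy-customer.example"}

RELAY_BOUNCE_ADDRESS = "bounces@relay.server.tld"

# Domains whose SPF record lists the relay's IP (constructed). Only the relay's
# own domain does, which is exactly why the rewrite is needed.
SPF_AUTHORISES_RELAY: Set[str] = {"relay.server.tld"}


def mx_hosts(domain: str, table: Dict[str, List[str]] = SAMPLE_MX) -> List[str]:
    """MX hosts for a domain, lower-cased and without the trailing dot."""
    return [h.rstrip(".").lower() for h in table.get(domain.lower(), [])]


def is_m365_domain(domain: str, table: Dict[str, List[str]] = SAMPLE_MX) -> bool:
    """The 'smart rule based on the MX record': all MX hosts are Microsoft 365 ingress."""
    hosts = mx_hosts(domain, table)
    return bool(hosts) and all(h.endswith(M365_MX_SUFFIX) for h in hosts)


def needs_rewrite(rcpt_domain: str, manual: Set[str] = MANUAL_REWRITE_DOMAINS,
                  table: Dict[str, List[str]] = SAMPLE_MX) -> bool:
    """Rewrite for domains on the manual list or detected as Microsoft 365 via MX."""
    return rcpt_domain.lower() in manual or is_m365_domain(rcpt_domain, table)


@dataclass(frozen=True)
class Envelope:
    return_path: str        # RFC 5321 MAIL FROM, i.e. what becomes Return-Path
    from_domain: str        # domain of the RFC 5322 From: header
    dkim_d: Optional[str]   # d= of the signature added by the originating server


def relay_envelope(env: Envelope, rcpt: str) -> Envelope:
    """Envelope the relay hands to the next hop for this recipient."""
    rcpt_domain = rcpt.rsplit("@", 1)[1]
    if needs_rewrite(rcpt_domain):
        return replace(env, return_path=RELAY_BOUNCE_ADDRESS)
    return env


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def spf_at_destination(env: Envelope) -> bool:
    """SPF result the destination computes for the relay's IP against the MAIL FROM domain."""
    return env.return_path.rsplit("@", 1)[1].lower() in SPF_AUTHORISES_RELAY


def dmarc_passes(env: Envelope, dkim_signature_valid: bool = True) -> bool:
    """DMARC (relaxed alignment): SPF or DKIM must pass AND align with the From: domain."""
    rp_domain = env.return_path.rsplit("@", 1)[1]
    spf_ok = spf_at_destination(env) and org_domain(rp_domain) == org_domain(env.from_domain)
    dkim_ok = (dkim_signature_valid and env.dkim_d is not None
               and org_domain(env.dkim_d) == org_domain(env.from_domain))
    return spf_ok or dkim_ok


if __name__ == "__main__":
    original = Envelope("noreply@sender.example", "sender.example", dkim_d="sender.example")
    for rcpt in ("user@customer-a.example", "user@customer-b.example", "user@legacy-customer.example"):
        out = relay_envelope(original, rcpt)
        # After a rewrite SPF passes for relay.server.tld but no longer aligns with
        # From:, so DMARC rests entirely on the original DKIM signature.
        print(f"{rcpt}: Return-Path={out.return_path} SPF={spf_at_destination(out)} "
              f"DMARC={dmarc_passes(out)}")
    # Same rewrite, but the originating server did not DKIM-sign: DMARC fails.
    unsigned = relay_envelope(replace(original, dkim_d=None), "user@customer-a.example")
    print(f"unsigned: DMARC={dmarc_passes(unsigned)}")
```

The point the model makes visible is the one in the post: the rewrite is only safe because DKIM, not SPF, carries the DMARC alignment afterwards, so a message the originating server failed to sign will fail DMARC at a rewriting destination even though SPF passes.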
How do you do this? Could you share details on the setup?