Well there are apps that don't report login errors at all
I just tried revoking Aqua Mail's permission from my account and when the app tried to refresh the token the next time, it got this:
{
"error":"invalid_grant",
"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '906be9aa-2843-47e6-a01d-ab9361ca7009' named 'Aqua Mail'. Send an interactive authorization request for this user and resource."
}
... which does match what I did, but I'm not sure if the error would be different in your case (password expiration).
The "error" is the only thing we can count on (machine readable).
The "error_description" key is optional, and it would be a bad idea to try to parse it.
Re: instead of generic login error, in the main window account list for the account entry or the account specific notification indicate something like "Re-authentication is requested."
I'll try to make it be our already existing "please grant permission" message instead of the current "http 401".
But then again I don't know what exactly happens (what errors at what point) in your case.
Re: user clicks on account from main window list ... immediately goes to server provided OAuth
Click on account seems questionable (what if the user needs to read an already received message).
Clicking the error does run the account setup screen already.
---
On other observations:
If the password having expired causes the OAUTH refresh token to also expire - we'll need to get a new one, and this is done by running the login flow (the "login.microsoftonline.com..." in a window).
If that login flow does not require MFA specifically when the device is connected to the corporate network - sure, great, but that's "inside" that login flow and isn't controlled by our code.
We could try to remove the "consent" parameter to try to avoid the repeat permissions request - but I don't have enough info to know that this would work (and not prevent logins at all) with any degree of confidence.
---
Summary:
The only change I'm going to make right now is a special case for http 401 when there is OAUTH in use, and assume that the user needs to grant permission (our current error message for OAUTH errors).
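The handling described in this post, keying the decision on the machine-readable "error" field and the HTTP status only, and treating "error_description" as optional log text that is never parsed, as an added example (not Aqua Mail's code; the sample responses are constructed and modelled on the one quoted above):

```python
import json
from enum import Enum
from typing import Tuple


class Action(Enum):
    REAUTHENTICATE = "run the interactive login flow again"
    RETRY_LATER = "transient failure, retry with backoff"
    GENERIC_ERROR = "generic login error"


def classify_refresh_failure(status: int, body: str) -> Tuple[Action, str]:
    """Decide what the client should do after a failed token refresh.

    Only the HTTP status and the "error" code (RFC 6749 section 5.2) drive
    the decision. "error_description" may be missing or reworded by the
    server, so it is returned for logging/display only and never parsed.
    """
    error = None
    description = ""
    try:
        payload = json.loads(body)
        if isinstance(payload, dict):
            error = payload.get("error")
            description = str(payload.get("error_description") or "")
    except json.JSONDecodeError:
        pass  # non-JSON body (HTML error page, proxy): fall back to the status

    if error == "invalid_grant":
        # refresh token revoked, expired or consent withdrawn: new grant needed
        return Action.REAUTHENTICATE, description
    if error is not None:
        # invalid_client, invalid_scope, ...: a client/config problem, not the user
        return Action.GENERIC_ERROR, description
    if status == 401:
        # the post's special case: 401 with OAuth in use means "grant permission"
        return Action.REAUTHENTICATE, description
    if status == 429 or status >= 500:
        return Action.RETRY_LATER, description
    return Action.GENERIC_ERROR, description


# Constructed samples (not real server captures).
SAMPLE_REVOKED = (400, json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented ...",
}))
SAMPLE_NO_DESCRIPTION = (400, '{"error":"invalid_grant"}')
SAMPLE_401_HTML = (401, "<html><body>Unauthorized</body></html>")
```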