As someone who practices good password doctrine, and likes having 2FA, I'm happy that MS supports both. However, currently any app that you want to allow access to OneDrive on the phone asks you to enter your email+password+2FA*. As far as I can tell, after that the app seems to have carte blanche as to what it can do on your OneDrive.

• The app for which happens to be on my phone.

First, I suggest that apps are forced to tell whether they do or don't have carte blanche on the OneDrive service. I would also suggest that they be allowed to only stick to one folder, thereby forgoing any fears that the app developers might overstep their intent.

Second, I would like there to be the ability to log into OneDrive once and then to use system-level notifications (so it shows up in the system notifications) to confirm permissions for other programs to access OneDrive. This would satisfy security (particularly if we have the option to type our pin in to either confirm once or give access only for the session), while also getting rid of the absurd level of complexity.