Re: So, in simple terms
"It sounds like MS expect you to control your domain and secure it. To me that doesn't sound massively unreasonable."
Not quite. It relies on HTTPS, not HTTP, so you might have a perfectly secure non-HTTPS website on a shared server (or even behind a firewall with port forwarding) and HTTPS is pointed at a control panel which you do not manage, or have any real sort of access. That's how I found it. We installed fail2ban on our shared web servers and one of our our clients got banned from their own website because someone was setting up a new iPhone and fail2ban was picking up failed login attempts on the control panel.