@rancesco, Thanks for posting in Q&A. For your questions, here are my answers:
A1: Based on my researching, SSO app extension type seems can help on this, Once Authenticator and the SSO app extension profile are installed on devices, users must enter their credentials to sign in, and establish a session on their devices. This session is then used across different applications without requiring users to authenticate again
A2: You can try to clear all the Microsoft 365 passwords recorded into the Safari cache, users can try clearing the Safari cache and cookies to see if the result will be different. They can do this by going to Settings > Safari > Clear History and Website Data.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.