Microsoft have now released (14th December 2016) certificate based authentication into Office365 and AzureAD
Office365 Cert based auth config
CBA for iOS and Android
Get started with certificate-based authentication in Azure Active Directory
Enable Exchange Online for modern authentication
Skype for Business Online: Enable your tenant for modern authentication
Configure new Exchange ActiveSync config in MobileIron Core Server and point Server Address to outlook.office365.com and get certificate from internal Microsoft or Core CA Server
For Exchange ActiveSync clients, the client certificate must have the user’s routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.
Using Office 365 modern authentication with Office clients
How modern authentication works for Office 2013 and Office 2016 client apps
Office 2013 and Office 365 ProPlus modern authentication and client access filtering policies : Things to know before onboarding
Q: If we configure cert based auth in Azure AD will it still accept basic auth?
A: Yes, it still can accept Basic auth, and EAS clients as well
Q: Cert based auth for Office365 apps (OneDrive etc) says to enter username and then select a certificate to use, does this option only present once the Azure AD & ADFS configurations are in place for Office365?
A: Yes. Federation services is a requirement. Also, CBA requires Modern Auth, which requires ADFS (or an STS).
Q: Can Office365 apps use the same x509 identity certificate on the iOS/Android OS that is installed via the MDM solution or does the certificate have to be pushed out tied to the specific Office365 app?
A: Microsoft Engineer needs to double check with an Office SME (Update to be provided)