If you have IMAP on GMail you get two choices, you can admit you're sacrificing security, and they'll mint a random password just for that IMAP application, or you can use OAUTHBEARER. As I understand it if enabled IMAP for Office365 can do OAUTHBEARER.

The nice thing about OAUTH is that it's a natural integration for your multi-factor authentication, which as I understand it doesn't fit well into Kerberos. But to be sure Kerberos is much better than yet another human memorable secret password exchange.