Loophole: Issue 6: Partner is using Exchange Online PowerShell which does not support MFA
All partners can request exemption under Issue 6 here:
I'm unaware of a single partner who DOESN'T require use of PowerShell for Exchange. Invariably, as you work in Exchange, you find you have to run some PowerShell command instead of working through the GUI. As a result, you qualify for an exemption.
If I'm wrong, or if other partners disagree, please reply, as I'm fairly certain each of us has had to run PowerShell for Exchange along the way.
They do note:
"Even though the partner is unable to implement MFA for users who require access to Exchange Online PowerShell module, these users can still access Microsoft Online Services to manage customer resources using Partner Delegated Administration Privileges provided they can complete MFA registration and MFA verification when prompted during sign-in to customer tenant. Completing MFA registration does not automatically enable the user for MFA and therefore does not affect access to Exchange Online PowerShell module."
Partner to Partner
You can access Exchange Online PowerShell using Delegated Admin Permissions and the new MFA/Secure App Model. A guy name Kelvin worked out most of the details on his CyberDrain website.
I managed to get the Azure AD part working - that post has all the details, and a post further down includes a modified version of Kelvin's script.
So I imagine this loophole/exemption won't be allowed any longer. But yeah, we DO use ExO PS on the daily!