I posted the original question - never did find a solution, and we have moved away from having any shared accounts (this was one of the reasons). As stated by the most recent commenter, the suggestion by JimmyYang is wrong - even if a user signs out, it doesn't forget the cached credentials and they can sign in again without being asked for the password.
MFA is also of limited use, as if shared devices are in an office location it may well be the case that the office is on a whitelist so that MFA isn't applied there.