Federating with O365 and Service Accounts

For those that have federated their Office 365 tenants using Access Manager, what do you do for service/application accounts that do not support a federated login?

I've typically just kept them in the *.onmicrosoft.com domain and let them continue to use a static User ID and Password. But what if the service account is in a domain you want to federate? Is there any workaround?

Some consider it a security risk to leave the ID in the onmicrosoft domain.

Is there anything that can be done through Azure Conditional Access maybe to handle this?