Comments on: Resolving the Five Most Common Conditional Access Misconfigurations
https://practical365.com/five-most-common-conditional-access-misconfigurations/
Practical Office 365 News, Tips, and Tutorials
Wed, 18 Oct 2023 15:14:36 +0000

By: Brandon Colley https://practical365.com/five-most-common-conditional-access-misconfigurations/#comment-270172 Thu, 27 Jul 2023 14:30:41 +0000 In reply to Thomas Nielsen.

Thanks Thomas, good point about not even reaching Entra ID. Conditional Access Policies only apply AFTER authentication. Here is Microsoft’s guidance on the options for disabling SMTP in Exchange Online. https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission

By: Thomas Nielsen https://practical365.com/five-most-common-conditional-access-misconfigurations/#comment-270140 Thu, 27 Jul 2023 04:40:04 +0000 In reply to Jakke.

Regarding authenticated SMTP, I also recommend implementing authentication policies in Exchange Online and creating exceptions for those who need it.
The result is that the attempt will not even reach Entra ID.
In most organizations, the accounts that need authenticated SMTP can be counted on one hand.
Yet this is only an add-on to Conditional Access, and the recommendation to limit the accounts to specific WAN IPs still applies.

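The Exchange Online side of what Thomas describes, as an added example that is not part of the comment thread: Basic authentication blocked by default through an authentication policy, SMTP AUTH switched off tenant-wide, and both re-enabled only for a short allow-list. It assumes the ExchangeOnlineManagement module and an admin session; the policy names and the mailbox smtp-relay@contoso.com are hypothetical.

```powershell
# Added example (not from the original thread): "Basic auth off by default,
# SMTP AUTH only for a named allow-list" in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the account
# running this can administer the tenant. Policy names and the mailbox
# smtp-relay@contoso.com are hypothetical placeholders.

Connect-ExchangeOnline

# 1. Tenant-wide: disable SMTP AUTH for every mailbox that has no explicit
#    per-mailbox override. Exchange Online refuses the submission itself,
#    so the attempt never becomes an Entra ID sign-in that Conditional Access
#    would have to evaluate.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 2. Authentication policies govern Basic authentication per protocol.
#    A freshly created policy blocks Basic auth for all protocols; make that
#    the tenant default so new users inherit it.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 3. Exception policy: Basic auth allowed for SMTP only, every other protocol
#    (POP, IMAP, EWS, ActiveSync, ...) stays blocked.
New-AuthenticationPolicy -Name "Allow Basic SMTP Only"
Set-AuthenticationPolicy -Identity "Allow Basic SMTP Only" -AllowBasicAuthSmtp $true

# 4. Assign the exception to the handful of accounts that genuinely need it
#    and re-enable SMTP AUTH on exactly those mailboxes.
$exceptions = @("smtp-relay@contoso.com")   # hypothetical allow-list
foreach ($upn in $exceptions) {
    Set-User -Identity $upn -AuthenticationPolicy "Allow Basic SMTP Only"
    Set-CASMailbox -Identity $upn -SmtpClientAuthenticationDisabled $false
    # Policy changes can take hours to apply; invalidating existing tokens
    # makes the new policy effective at the next sign-in.
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}

# 5. Verify. Users with a blank AuthenticationPolicy inherit the blocking
#    default; anything explicitly set to something else is the exception list,
#    and anything beyond $exceptions there is drift worth a ticket.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -ne "Block Basic Auth" } |
    Select-Object UserPrincipalName, AuthenticationPolicy

# Mailboxes with an explicit per-mailbox SMTP AUTH enable (blank = inherit
# the tenant setting, which is now "disabled").
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```

Run the two verification queries on a schedule: the exception list is the set of accounts that can still authenticate with a bare password, so it should be reviewed with the same rigour as a break-glass account list. This layer stops the request at Exchange; the Conditional Access policy that restricts those same accounts by location is still needed for anything Exchange does not cover.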
By: Brandon Colley https://practical365.com/five-most-common-conditional-access-misconfigurations/#comment-269202 Wed, 19 Jul 2023 12:41:01 +0000 In reply to Jakke.

Thanks Jake! I see you already got your answer. I believe SMTP must be fully blocked whenever possible. Allowing any form of legacy authentication tenant-wide opens the avenue for attack. My recommendation for accounts that require SMTP is to exclude them from this policy using a group and then apply a new CAP to heavily restrict those accounts by location or device. Accounts bypassing MFA, such as these, need to abide by stricter password guidelines; enforcing long and random passwords helps mitigate risk. More stringent monitoring on these accounts would also help with detection of abnormal behaviors.

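The two-policy pattern Brandon recommends (block legacy authentication for everyone except a small exclusion group, then pin that group to known egress IPs with a second policy), as an added example built with the Microsoft Graph PowerShell SDK; this is not code from the comment thread or the article. It assumes the Microsoft.Graph module and a session with the Policy.ReadWrite.ConditionalAccess and Group.Read.All scopes; the group name CAP-Exclude-SMTP-Auth, the range 203.0.113.0/24 and the display names are hypothetical.

```powershell
# Added example (not from the original thread): Conditional Access policies
# for legacy-auth exceptions, via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and Connect-MgGraph succeeds with the
# scopes below. The group "CAP-Exclude-SMTP-Auth", the CIDR 203.0.113.0/24
# and the policy names are hypothetical placeholders.
# Both policies are created in report-only mode; switch state to "enabled"
# only after reviewing the report-only results in the sign-in log.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$exclusionGroup = Get-MgGroup -Filter "displayName eq 'CAP-Exclude-SMTP-Auth'"
if (-not $exclusionGroup) { throw "Exclusion group not found; create it before running this." }

# Named location for the WAN egress IPs the excepted accounts may use.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office egress (SMTP AUTH allowed)"
    isTrusted     = $false
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Policy 1: block legacy authentication clients for everyone except the
# exclusion group. "exchangeActiveSync" and "other" are the client app types
# that cover Basic-auth protocols (SMTP AUTH, POP, IMAP and friends).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($exclusionGroup.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: the excepted accounts are not left unpoliced. Any sign-in from
# outside the named location is blocked, for all client types, because MFA
# cannot be enforced on a legacy client; location is the control that remains.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "SMTP AUTH exceptions - restrict to office egress"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($exclusionGroup.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Every member of the exclusion group bypasses the legacy-auth block, so the
# membership is the real attack surface. Enumerate it now and on a schedule.
Get-MgGroupMember -GroupId $exclusionGroup.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
```

The exclusion in policy 1 and the inclusion in policy 2 reference the same group on purpose: adding an account to the group both removes the block and immediately subjects it to the location restriction, so there is no state in which an account is excluded from one without being covered by the other. Pair this with long random passwords and dedicated sign-in monitoring for the group, as the comment above notes.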
By: Jakke https://practical365.com/five-most-common-conditional-access-misconfigurations/#comment-269179 Wed, 19 Jul 2023 06:44:37 +0000

Just realized it… The answer is yes.

By: Jakke https://practical365.com/five-most-common-conditional-access-misconfigurations/#comment-269178 Wed, 19 Jul 2023 06:41:47 +0000

Nice article Brandon. Would the CA policy “Legacy Authentication and MFA” block SMTP Auth?
