@John20211216 note that the usage of basic authentication with SMTP to EXO is excluded from the announced change on the 1st of October 2022. Nevertheless, you should really try to get rid of any remaining usage of basic authentication to EXO before said date (or Microsoft will get rid of it for you) and ensure you have proper authentication policies in place (although you could keep around a few SMTP exceptions...).

Secondly, it seems that not a lot of these devices support modern authentication today unfortunately... (and certainly don't offer native integration with the Microsoft Graph API which they should). If they support modern authentication they would most likely still be using POP/IMAP and/or SMTP in combination with either the OAuth 2.0 device code flow or the authorization code flow - if they're leveraging one of these OAuth 2.0 flows then there's no issue having MFA enforced on the user (mailbox) as you would only be signing in only once interactively with that user (interactively = in a browser window where you will be able to satisfy the MFA requirement). After that - if the application leveraged in Azure AD is correctly configured with the "offline_access" permission - the device will receive a refresh token from Azure AD which it can use to request new token pairs (access token + refresh token) to authenticate non-interactively (i.e.: set up and forget - as long as you do not revoke the refresh tokens for this user).