SMTP Auth is currently enabled for all users.  An opinion is that it’s not a risk with the users having MFA.  Meaning, it is not a risk for users who are all using MFA and disabling it per user is a wasted effort.  I’d appreciate feedback on whether that opinion is valid, and if not, why.