How to convert email accounts that are used as service accounts or specific applications to modern authentication
We are preparing to move fully to Modern Authentication in Microsoft 365 (Exchange Online). At this time, we have not disabled legacy authentication, because several of our applications and service accounts still rely on it. We want to plan the migration path before flipping that switch.
We currently have multiple service accounts in Exchange Online that are tied to apps, tools, or devices:
- ******@company.com → integrated with ServiceDesk Plus for ticket intake
- ******@company.com → receives vendor invoices and routes into workflows
- ******@company.com → used by Veeam Backup & Replication to send job notifications
- ******@company.com → used by scanning/printing devices for sending scans to email
All of these accounts currently authenticate via basic authentication / SMTP AUTH with username + password.
The Issue: Since Microsoft will fully enforce the deprecation of legacy auth, we need to transition these service accounts to Modern Authentication (OAuth2). The challenge is that not all of our applications and devices support OAuth2.
Questions for the Community:
- What’s Microsoft’s recommended best practice for migrating service accounts / app mailboxes to Modern Auth?
  - Use Azure AD app registrations with Graph API?
  - Set up **application access policies for specific mailboxes**?
  - Keep using **SMTP AUTH with OAuth2** where supported?
- For applications/devices that **do not support Modern Auth**, what are our options?
  - Use an **Exchange Online connector with IP allowlisting**?
  - Use an **SMTP relay (Exchange Hybrid or third-party relay)** that supports OAuth2?
- Is it possible to convert these into **Shared Mailboxes with app access** (to reduce licensing costs), while still authenticating with Modern Auth?
- Are there any step-by-step guides or migration docs specifically focused on service accounts, rather than just end-user mailboxes?
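For the "SMTP AUTH with OAuth2 where supported" option raised in the question, this added example (not part of the original post) shows what a client sends in place of the password: a SASL XOAUTH2 response carrying a bearer token. It assumes an access token has already been obtained separately; the helper names are hypothetical, and `smtp.office365.com:587` is the standard Exchange Online client submission endpoint.

```python
import base64
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST = "smtp.office365.com"   # Exchange Online client submission endpoint
SMTP_PORT = 587                    # STARTTLS


def xoauth2_string(user: str, access_token: str) -> str:
    """Build the SASL XOAUTH2 client response (before base64 encoding)."""
    for name, value in (("user", user), ("access_token", access_token)):
        # Fields are separated by \x01; a control character inside a value
        # would let it smuggle extra SASL fields, so reject it outright.
        if not value or any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            raise ValueError(f"{name} must be non-empty printable ASCII")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_b64(user: str, access_token: str) -> str:
    """Base64 form, as it appears on the wire after 'AUTH XOAUTH2 '."""
    raw = xoauth2_string(user, access_token).encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def send_with_oauth2(user: str, access_token: str, msg: EmailMessage) -> None:
    """Submit msg over SMTP AUTH using a bearer token instead of a password."""
    def authobject(challenge=None):
        # First call (no challenge): return the XOAUTH2 string; smtplib
        # base64-encodes it. A later 334 challenge carries an error payload,
        # which is answered with an empty line so the server ends the exchange.
        return xoauth2_string(user, access_token) if challenge is None else ""

    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())  # verifies the server cert
        smtp.ehlo()
        smtp.auth("XOAUTH2", authobject, initial_response_ok=True)
        smtp.send_message(msg)
```

An application or device can only use this path if its SMTP client can be configured to send `AUTH XOAUTH2` and to refresh the token when it expires.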