SMTP and "App Password" alternative

One of our clients is currently using Microsoft MFA and are looking at migrating to Duo and Conditional Access.

Their ERP system uses App Passwords and SMTP to impersonate and send emails from their individual accounts.

Does anyone know of a way to achieve the same goal with Duo?

Thanks in advance!

It sends from an ERP service account, or from each user’s account?

If it is a service account the easy answer is to not apply the CA rule that includes the Duo control to that account.

If it is each user’s account that might be tricker. Could you use the user agent from the inbound ERP system connection and exclude that UA from the CA conditions for the rule that includes the Duo control? Or maybe exclude the IP of the ERP system? I have not explored all possible CA policy conditions.

I was able to bypass the password requirements by setting up M365 SMTP Relay.