Send Veeam notifications via 365

With the advent of more “modern” and secure authentication methods being demanded by the main email service protagonists (Microsoft, Google et al), the days of using a basic username and password to send email out from internal devices and systems via an SMTP server are numbered. Where once you could send alerts via smtp.gmail.com or smtp.office365.com with a basic account, you now have to jump through hoops to find the correct settings (assuming your device will still work with the newer protocols). In any event, now Google have announced (from May 2022) they are dropping support for “less secure” sign-in technologies; their suggestion being you update the device/app to use a “sign in with Google” option (how feasible is that for the majority of cases? Not very I think is the answer), we needed a better solution for email notifications.

Using Veeam as an example, the configuration options for their email notifications are somewhat limited, so it was a bit of trial and error and checking of log files to identify and find a solution (that is still not ideal, and I suspect will be deprecated by Microsoft somewhere down the line, but works for now).

Create a mailbox in your 365 tenant (called alerts@ for example) and assign it a password
Enable MFA for the mailbox and create an app password for the system your are sending notifications from (sign in as the new mailbox, click user icon, View Account | My Sign-Ins | Security Info | Add Method | App Password)

For relatively recently added 365 tenants SMTPAuth is likely to be disabled. You can enable it for the tenant or an individual mailbox via PowerShell. Check the status of the mailbox and amend if necessary (False = not disabled):

Get-CASMailbox -Identity mailbox@domain.com | Format-List SmtpClientAuthenticationDisabled
Set-CASMailbox -Identity mailbox@domain.com -SmtpClientAuthenticationDisabled $false

To check or set the tenant status (but explicitly setting the above option should override the tenant-wide setting):

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
Set-TransportConfig -SmtpClientAuthenticationDisabled $false

It may take some time for any changes to fully replicate through the Microsoft infrastructure but once complete the following settings should work for the Veeam notification configuration options:

Email: recipient@domain.com
Password: <app password created above for mailbox@>
SMTP server: smtp.office365.com
Port: 587
Sender address: mailbox@domain.com
Use Secure connection (SSL/TLS): Checked

You can then click Test Message and it should work…