Disabling security defaults may no longer be necessary with MFA enforcement. If you enable and then enforce MFA on an M365 account, you can go to the account’s MFA setup page and add an app password to use and bypass MFA. I got it working with an M365 Business Basic-licensed user with MFA enforcement, SMTP AUTH, and security defaults all enabled. I just had to turn up the SMTP open and read timeouts with two additional lines. 30 may be excessive, but 5 was too little.
Working app.yml entry, as of September 2023:
```yaml
DISCOURSE_SMTP_ADDRESS: smtp.office365.com
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: user@domain.com
DISCOURSE_SMTP_PASSWORD: whatever-your-app-password-is
DISCOURSE_SMTP_AUTHENTICATION: login
DISCOURSE_SMTP_ENABLE_START_TLS: true
DISCOURSE_NOTIFICATION_EMAIL: user@domain.com
DISCOURSE_SMTP_OPEN_TIMEOUT: 30
DISCOURSE_SMTP_READ_TIMEOUT: 30
```