@Denis Pasternak, Thanks for posting in Q&A.
For your phenomenon, I wonder if you have configured a Conditional Access policy that requires the device to be marked as compliant. If yes, then the device will be asked to install Company Portal to enroll when accessing the cloud resource.
Also, you can use the Microsoft Defender for Endpoint app with the approved client app policy in Intune to set the device compliance policy to Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while you're setting up Conditional Access. Although Microsoft Defender for Endpoint on Android and iOS (app ID dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow of compliance information to Conditional Access.
But from your description, I know we use Microsoft Defender for Business instead of Microsoft Defender for Endpoint. Please contact Microsoft Defender for Business support to confirm whether it supports setting the device compliance policy to Conditional Access policies. If not, I think we need to change the grant in the Conditional Access policy to bypass the installation of Company Portal.
Hope the above information can help.
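An added example, not part of the original answer and not Microsoft's code: a Python check that lists which Conditional Access policies grant on `compliantDevice` (the control that leads to the Company Portal enrollment prompt) and whether the Defender app ID quoted above has been excluded. It assumes policies exported in the shape Microsoft Graph returns for `GET /identity/conditionalAccess/policies`; the policy names and sample data are constructed, and only built-in grant controls are considered.

```python
import json

# App ID for Microsoft Defender for Endpoint on Android and iOS, as quoted in the answer.
MDE_MOBILE_APP_ID = "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3"

# Constructed sample in the Graph response shape (policy names are made up).
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "CA01 compliant device, all apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
    "excludeApplications": ["dd47d17a-3194-4d86-bfd5-c6ae6f5651e3"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
 {"displayName": "CA02 MFA or compliant device", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "CA03 pilot, MFA and compliant device",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "CA04 MFA only", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]}
""")


def audit_compliance_policies(policies):
    """Return one finding per policy whose grant includes compliantDevice."""
    findings = []
    for p in policies:
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        if "compliantDevice" not in controls:
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        # Compliance cannot be sidestepped when it is the only control or controls are ANDed.
        mandatory = len(controls) == 1 or grant.get("operator") == "AND"
        others = [c for c in controls if c != "compliantDevice"]
        findings.append({
            "policy": p.get("displayName"),
            "enforced": p.get("state") == "enabled",
            "compliance_mandatory": mandatory,
            "alternatives": [] if mandatory else others,
            # The answer notes this exclusion is not required for the Defender app.
            "mde_app_excluded": MDE_MOBILE_APP_ID in (apps.get("excludeApplications") or []),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_compliance_policies(SAMPLE_EXPORT["value"]):
        print(finding)
```

An enforced policy with `compliance_mandatory` set is the kind that leaves an unenrolled device no path other than enrollment; one with alternatives can be satisfied another way.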