Device Registration from untrusted networks
I have created a conditional access block policy for unknown locations in which I'm only allowing access to the Office 365 applications, so this was added as an exclusion.
In a separate policy, I'm requiring that those Office applications can only be accessed from external locations when the device is marked as compliant, so I want to allow the users to be able to register BYOD devices and bring them to compliance so that resources can be accessed, but the block policy does not allow users to register the devices from unknown locations. I'm unable to exclude the Microsoft Auth broker or the Intune Enrollment application from conditional access applications; they just don't appear, but they do get matched as "all apps are included."