I found a few issues (thanks also to @Douwe Riepma for #2)...
- Our federation provider didn't support WS-Trust 1.3 and the MEX endpoints... we had to go back to AzureAD password-only authentication - https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual#set-up-issuance-of-claims
- We had to explicitly exclude the "Intune" and "Intune Enrollment" apps from MFA requirements so the MDM devices can register successfully in AzureAD via the Graph API
- For iOS native mail access: we also had to exclude MFA requirements for our MDM-compliant devices to allow "Apple Internet Accounts" access to iOS native mail (for approved users)
So the conditional access policies used were:
- MAM group - require app protection policy and approved client app (exclude MDM iOS native mail users)
- MDM group - require MFA and compliant devices (exclude MDM iOS native mail users?, and exclude Intune/Enrollment apps)
- Register or join cloud action requires MFA
- iOS native mail users (also in MDM group) - require compliant devices for all cloud application access (excluding Intune/Enrollment apps) - "Apple Internet Accounts" only was not sufficient
- Block all browsers and classic access on iOS and Android devices
- Geo-block other regions
I'm not sure if I need to add iOS native mail users to the two groups in sequence - for CA policies #2 and #4 to apply successfully. If we don't do this, I guess this means we might end up with some users where we have not verified MFA but it will be on a per-exception basis.
Cheers,
Nigel
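To make the question in the post concrete, here is an added example (not Nigel's configuration or any Microsoft code) that models the user/app-scoped policies from the list above in the shape of the Graph `conditionalAccessPolicy` object and works out which grant controls a given sign-in ends up with. Group and application IDs are placeholders; Conditional Access applies every matching policy and requires all of their controls together, so a user in both the MDM and the native-mail group is evaluated against the union.

```python
# Toy evaluator for the Conditional Access policy set described in the post.
# Group/app IDs below are placeholders, not real tenant or Microsoft app IDs.
MAM_GROUP, MDM_GROUP, NATIVE_MAIL_GROUP = "grp-mam", "grp-mdm", "grp-ios-native-mail"
INTUNE, INTUNE_ENROLL, EXCHANGE = "app-intune", "app-intune-enrollment", "app-exchange"
ALL_APPS = "All"  # Graph uses the literal "All" for "all cloud apps"

# Subset of the Graph policy shape: conditions.users, conditions.applications,
# grantControls.builtInControls (compliantApplication = "require app protection policy").
POLICIES = [
    {"name": "MAM: app protection + approved client app",
     "includeGroups": [MAM_GROUP], "excludeGroups": [NATIVE_MAIL_GROUP],
     "includeApps": [ALL_APPS], "excludeApps": [],
     "controls": {"approvedApplication", "compliantApplication"}},
    {"name": "MDM: MFA + compliant device",
     "includeGroups": [MDM_GROUP], "excludeGroups": [NATIVE_MAIL_GROUP],
     "includeApps": [ALL_APPS], "excludeApps": [INTUNE, INTUNE_ENROLL],
     "controls": {"mfa", "compliantDevice"}},
    {"name": "iOS native mail: compliant device for all cloud apps",
     "includeGroups": [NATIVE_MAIL_GROUP], "excludeGroups": [],
     "includeApps": [ALL_APPS], "excludeApps": [INTUNE, INTUNE_ENROLL],
     "controls": {"compliantDevice"}},
]


def applies(policy, user_groups, app):
    """A policy is in scope when the user is included and not excluded,
    and the target app is included and not excluded."""
    user_in = any(g in policy["includeGroups"] for g in user_groups)
    user_out = any(g in policy["excludeGroups"] for g in user_groups)
    app_in = ALL_APPS in policy["includeApps"] or app in policy["includeApps"]
    app_out = app in policy["excludeApps"]
    return user_in and not user_out and app_in and not app_out


def required_controls(user_groups, app):
    """Return (matching policy names, union of grant controls) for a sign-in.
    An empty control set means nothing in this policy set enforces MFA or
    device compliance for that combination."""
    matched = [p for p in POLICIES if applies(p, user_groups, app)]
    controls = set().union(*(p["controls"] for p in matched))
    return sorted(p["name"] for p in matched), controls


if __name__ == "__main__":
    # The case the post is unsure about: a native-mail user who is also in the
    # MDM group. The MDM policy is excluded, so only device compliance remains.
    print(required_controls({MDM_GROUP, NATIVE_MAIL_GROUP}, EXCHANGE))
    print(required_controls({MDM_GROUP}, EXCHANGE))
    print(required_controls({MDM_GROUP, NATIVE_MAIL_GROUP}, INTUNE_ENROLL))
```

Running it shows the per-exception gap the post guesses at: the native-mail user reaches Exchange with a compliant device but no MFA control, and the Intune Enrollment app matches no policy at all for that user.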