@Leo Johnson From the sign-in log, it shows that the "Grant control" is not satisfied. It seems we configured "Require device to be marked as compliant", but the device is not compliant. Could you check whether the Azure AD registered device is enrolled into Intune and whether it shows as compliant?
If this is a non-compliant device in Intune, we can check the device compliance to see which setting is not met and fix it. But if the device is not enrolled into Intune, we can check whether all the devices the user used are not enrolled into Intune. If yes, we can exclude the user from this Conditional Access policy, or consider enrolling these devices into Intune and making them compliant.
Hope the above information helps.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
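An added example (not part of the answer above) that walks the same checks with Microsoft Graph PowerShell: pull the user's recent sign-ins where Conditional Access reported a failure, show which policy and grant controls were not satisfied, read the device state carried in the sign-in, and then look the device up in Intune to see whether it is enrolled and what its compliance state is. It assumes the Microsoft.Graph modules are installed, an account consented to AuditLog.Read.All and DeviceManagementManagedDevices.Read.All, and a placeholder UPN.

```powershell
# Added example, not from the answer or from Microsoft: correlate a user's failed
# Conditional Access sign-ins with the Intune compliance state of the device used.
# Assumes Microsoft.Graph modules and the two read scopes below; UPN is a placeholder.
$Upn = 'user@contoso.example'   # placeholder, replace with the affected user

Connect-MgGraph -Scopes 'AuditLog.Read.All','DeviceManagementManagedDevices.Read.All' | Out-Null

# Step 1: recent sign-ins for the user where Conditional Access reported 'failure'.
$failed = Get-MgAuditLogSignIn `
    -Filter "userPrincipalName eq '$Upn' and conditionalAccessStatus eq 'failure'" `
    -Top 20

foreach ($s in $failed) {
    # Policies whose grant controls were not satisfied in this sign-in
    # (e.g. 'compliantDevice' listed under EnforcedGrantControls).
    $unsatisfied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'failure' }
    foreach ($p in $unsatisfied) {
        Write-Host ("{0}  policy='{1}'  grant controls: {2}" -f `
            $s.CreatedDateTime, $p.DisplayName, ($p.EnforcedGrantControls -join ', '))
    }

    # Step 2: what the sign-in itself recorded about the device.
    $d = $s.DeviceDetail
    Write-Host ("  device '{0}' ({1})  isManaged={2}  isCompliant={3}  id={4}" -f `
        $d.DisplayName, $d.OperatingSystem, $d.IsManaged, $d.IsCompliant, $d.DeviceId)

    # Step 3: look the device up in Intune by its Azure AD device id.
    if ($d.DeviceId) {
        $md = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$($d.DeviceId)'"
        if (-not $md) {
            # Registered in Azure AD but no managed-device record: not enrolled in Intune.
            Write-Host '  -> not enrolled in Intune (no managed device record)'
        } else {
            # Enrolled: complianceState tells whether a compliance policy is failing.
            Write-Host ("  -> Intune: {0}  complianceState={1}  lastSync={2}" -f `
                $md.DeviceName, $md.ComplianceState, $md.LastSyncDateTime)
        }
    } else {
        # No device id means the device was not registered/joined, or the client sent no device state.
        Write-Host '  -> sign-in carried no device id (device not registered, or no device state sent)'
    }
}
```

The script only reads sign-in and Intune data; use the printed complianceState (or the missing record) to decide between fixing the failing compliance setting and enrolling the device.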