Yes, MFA could be blocking the enrollment. Entra sign-in should confirm that. Try excluding a user and if that works then you can exclude the Intune enrollment app in the CA policy in question.
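One way to run the sign-in check suggested above, as an added example that is not part of the original answer: it scans sign-in log records exported as JSON for Microsoft Intune Enrollment sign-ins that failed on an MFA requirement and names the Conditional Access policy involved. It assumes the export uses the Microsoft Graph `signIn` field names; the function name and the sample records are constructed for illustration.

```python
import json

ENROLLMENT_RESOURCE = "Microsoft Intune Enrollment"
# AADSTS codes returned when MFA / strong authentication is demanded
MFA_ERROR_CODES = {50074, 50076, 50079}

# Constructed sample records (not real tenant data)
SAMPLE = json.loads("""[
 {"userPrincipalName": "user1@contoso.example",
  "resourceDisplayName": "Microsoft Intune Enrollment",
  "status": {"errorCode": 50076},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - all apps", "result": "failure",
     "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "user2@contoso.example",
  "resourceDisplayName": "Microsoft Intune Enrollment",
  "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - all apps", "result": "notApplied",
     "enforcedGrantControls": []}]},
 {"userPrincipalName": "user1@contoso.example",
  "resourceDisplayName": "Office 365 Exchange Online",
  "status": {"errorCode": 50076},
  "appliedConditionalAccessPolicies": []}
]""")

def mfa_blocked_enrollments(records):
    """Return enrollment sign-ins that failed on an MFA requirement."""
    findings = []
    for rec in records:
        if rec.get("resourceDisplayName") != ENROLLMENT_RESOURCE:
            continue  # only the enrollment resource matters here
        code = (rec.get("status") or {}).get("errorCode", 0)
        # CA policies that failed while enforcing an MFA grant control
        policies = [
            p.get("displayName")
            for p in rec.get("appliedConditionalAccessPolicies") or []
            if p.get("result") == "failure"
            and "mfa" in (c.lower() for c in p.get("enforcedGrantControls") or [])
        ]
        if code in MFA_ERROR_CODES or policies:
            findings.append({"user": rec.get("userPrincipalName"),
                             "errorCode": code, "policies": policies})
    return findings

if __name__ == "__main__":
    for hit in mfa_blocked_enrollments(SAMPLE):
        print(hit)
```

A hit identifies the policy to scope the exclusion against; no hits for the affected user points away from MFA as the cause.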
Enrolling Devices Already Joined to Azure AD
Mahmoud Madani
I synchronized all users and devices with AD Connect and used the Hybrid service to add on-prem devices to Azure as hybrid. Then, I configured the GPO to auto-enroll these devices, but they are still not showing up under Intune devices after waiting for two days. I received the error "Auto MDM Enroll: Device Credential (0x0), Failed (Mobile Device Management (MDM) is not configured.)" despite enabling MDM for all and using a user with an Intune license. Could MFA be the cause of this issue?