We have an Office 365 E1 license. Our users use unmanaged/untrusted Windows 10 personal devices. We configured MFA for authentication and a 30-minute session timeout. In Windows Settings, under "Access work or school", a user can enrol his device. The user is asked to do that after he chooses to open a document with the desktop app (Word). Afterwards, when the user types in the URL companyname.sharepoint.com, he is no longer asked to authenticate with MFA and the session timeout does not work. When the setting in Windows 10 is removed, he is again asked to sign in with MFA and the session timeout works.
What is wrong in our server setting that this serious security problem arises?
Please help.