So I'll start this with a brief rundown of how I've arrived at my current point:
Joined a very young company in October and inherited a very poor Intune/MEM deployment.
Decided to implement Workspace ONE and get rid of Intune/MEM.
After getting devices moved to WS1 and disabling Intune/MEM, I was able to set "Users may register their devices in Azure AD" to None, following this Reddit thread (https://www.reddit.com/r/AZURE/comments/nfm05l/users_may_register_their_devices_with_azuread/).
Now I need to re-enable Intune/MEM so that we can use the WS1 integration of compliance data for Azure conditional access policies.
I do not want anyone to be able to register devices in Azure. I don't want Azure AD clogged up with a host of Azure AD Registered devices. We join our Windows computers to Azure AD when setting them up (Azure AD Joined), and both Windows and macOS devices are enrolled into WS1 for MDM.
My understanding is that if I reverse the PowerShell command in the above Reddit thread, this setting for registering Azure AD devices is going to grey out again and be set back to All. From my research, I can create Intune/MEM enrollment policies to keep people from registering personal devices into Intune/MEM, but from what I'm reading that doesn't keep the devices from showing up in Azure AD as registered devices. How do I stop both from happening?
Also, am I correct that the option "Allow my organization to manage my device", shown when setting up some type of O365 service on a personal device, cannot be hidden or removed at some global level in O365?
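An audit script that goes with this question, added here as an example and not part of the original post: it reads the tenant's current device registration setting and lists the Azure AD Registered (trustType Workplace) devices that the poster wants to avoid, so you can confirm whether re-enabling Intune/MEM has started creating them again. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can read devices and policies, and that the beta deviceRegistrationPolicy schema exposes azureADRegistration.appliesTo and azureADJoin.appliesTo (property names assumed); the $cutoff date is a placeholder.

```powershell
# Added example (not from the original post): audit Azure AD device registration state.
# Assumes the Microsoft.Graph SDK and a role that can read devices and policies.
Connect-MgGraph -Scopes "Device.Read.All", "Policy.Read.All"

# 1. Current tenant-wide device settings (beta endpoint; property names assumed
#    from the beta deviceRegistrationPolicy schema).
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"
"Users may register devices (azureADRegistration.appliesTo): $($policy.azureADRegistration.appliesTo)"
"Users may join devices     (azureADJoin.appliesTo):         $($policy.azureADJoin.appliesTo)"

# 2. Devices that are Azure AD Registered rather than Azure AD Joined.
#    trustType: Workplace = Azure AD Registered, AzureAd = Azure AD Joined,
#    ServerAd = Hybrid Azure AD Joined.
$registered = Get-MgDevice -All -Filter "trustType eq 'Workplace'" `
    -Property Id,DisplayName,OperatingSystem,TrustType,IsManaged,IsCompliant,RegistrationDateTime

$registered |
    Sort-Object RegistrationDateTime -Descending |
    Select-Object DisplayName, OperatingSystem, IsManaged, IsCompliant, RegistrationDateTime |
    Format-Table -AutoSize

# 3. Flag registrations created after the setting was supposed to block them.
#    $cutoff is a placeholder: set it to the date the setting was changed to None.
$cutoff = Get-Date "2000-01-01"
$newSinceCutoff = @($registered | Where-Object { $_.RegistrationDateTime -gt $cutoff })
"Azure AD Registered devices total: $($registered.Count); registered since cutoff: $($newSinceCutoff.Count)"
```

Running this before and after re-enabling Intune/MEM shows directly whether the registration setting reverted to All and whether new Workplace-joined devices are appearing, which is the condition the question is trying to prevent.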