@danijam
Thanks for the feedback! We are currently investigating and will get back on this.

@VikasPullagura-MSFT Good News. I was able to trace down the root cause.

The Windows 10 Azure AD Joined Device does not need to be Physical it can be Virtual. I've provided my feedback to Azure Support via my support ticket as this information was inaccurate.

The root cause was actually MFA. The docs page in question here does mention in the troubleshooting section that if you don't have Windows Hello for business but use MFA via conditional access then you need to exclude the Azure VM Login "App". Now I did the exclusion to our conditional access rule that implements MFA with no result. During my troubleshooting I went as far as to just turn off our conditional access rule all together, which should have resulted in no more MFA. However MFA still remained enforced. This lead me down a path that resulted in realising that our org implemented MFA before conditional access was GA. We initially used the per user Office 365 method to enforce MFA. This is still on and enforced and was the reason conditional access was being overridden. For anyone interested there is a page on this topic here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#convert-users-from-per-user-mfa-to-conditional-access-based-mfa

I might see if I can suggest a edit to the page in question on this ticket to see if we can put a note to help anyone else who will get stuck if they have the same old settings applied.

#please-close