Intune Hybrid User Affinity w/ 2FA and Apple DEP
Right now there is no way to assign user affinity to a device procured through Apple DEP with Microsoft MFA enabled.
There is a workaround on the Intune standalone where it pushes the company portal app then the user signs in, but on the Hybrid side we cannot accomplish this and must resort to No Device Affinity profiles.
Having the option of "Optional User Affinity" would work as we could just skip past the Apple Configuration piece that doesn't work with MFA but accomplish the same thing by signing into the Company Portal after the fact (which doesn't work when in SCCM it is set as No User Affinity.)
We have deprecated SCCM Hybrid.
For details, see here: