Some devices were failing the Intune “Default Device Compliance Policy”. This in turn was preventing access to 365 resources, because a Conditional Access policy required a compliant device. The policy was failing with “Enrolled user exists”.
The non-compliant policy showed the logged-in user as an account that was disabled.
The fix was to log on as the normal user, navigate to https://portal.manage.microsoft.com/, select the device, and perform a sync from the Intune portal. After waiting 30 minutes or so, the device was showing compliant.
References:
https://www.reddit.com/r/Intune/comments/gntqmk/noncompliant_devices_enrolled_user_exists/