When enrolling a device that is already Hybrid Joined you may run into an issue when the account that is first logging into the machine has MFA enabled on it.
Depending on how you rolled out MFA, if you did the entire identity option in the classic portal or if you are using CA and you choose all cloud apps as your MFA target you may run into an issue that will require users to complete an MFA challenge to enroll the device into Intune. That prompt usually takes the form of a notification that reads something like 'your account needs attention', 'there is an issue with your account', or 'login to fix your account', etc...
Once you select this prompt a traditional modern auth window should pop up and ask for an MFA prompt. Once you complete this the device should then enroll after some time has elapsed.
To remediate this either complete the prompt, move your MFA to Conditional Access, or exclude Intune Enrollment options from your MFA policy (which sometimes does not work as 'All Cloud Apps' protects some backend services that you can not exclude when included in a CA policy)
Hope this helps some of you out.
