Device ownership a condition of conditional access
The potential to place a device into a quarantine before permission is granted to access any corporate resource. Many of my customers wish to use Intune and have a mobility strategy but wish to restrict access to corporate devices only.
Perhaps one way to achieve this is to make it a condition for conditional access scenarios that the device is 'corporate', which could be extended to Azure AD conditional access too. This may give the opportunity to have different access policies depending on the application or service being granted access to.
For a cloud only environment this is essential to prevent personal devices accessing company resources where device compliance of company devices is not so important.
It could work just like the require Hybrid-Joined Device control but for Azure AD Joined devices only.
Alternatively you could allow CA policies to apply to device groups and blocking personal devices could be achieved through deploying a CA policy to a dynamic device group containing only personal devices. This would ensure that company devices of cloud only environments can always access the necessary resources.