We have had to shorten the Compliance Grace period from 30 days (default) to 3 days due to a bug it seems where if a user has MS Authenticator app installed and removes Company Portal from device, the user is still able to access O365 resources. This is apparently down to how the auth token is being used in the authenticator app, and the user is able to access resources until the grace period expires. As we have set it to 3 days the experience with users is that their device becomes inactive quicker usually after a weekend or holiday and goes out of compliance. Users try to access O365 eg email and they get an unhelpful message. There is no indication that they should go into company portal so a check in is done to become active again.
There should really be a notification which takes you into company portal to resolve the compliance conflict when this occurs as we have in our current MDM platform (IBM Maas360)