It's certainly sensible to be mindful of how Entra ID and macOS handle password policies differently, it can sometimes be a challenge to get them aligned just right. You've got five password policy related items in CIS Level 1 which can be automated;
- 5.2.1 - Limit Consecutive Failed Login Attempts to $ODV
- 5.2.1 - Set Account Lockout Time to $ODV Minutes
- 5.2.8 - Prohibit Password Reuse for a Minimum of $ODV Generations
- 5.2.7 - Restrict Maximum Password Lifetime to $ODV Days
- 5.2.2 - Require a Minimum Password Length of $ODV Characters
Of these, both 5.2.1 items and 5.2.2 have little scope for clashing if set as or less restrictive than Entra ID. It's 5.2.8 and 5.2.7 which may end up running on a different timing "cycle". For 5.2.7 you're pretty safe unless you have a minimum password lifetime value set, worst case scenario the user has to change their password more frequently than they otherwise might. This leaves 5.2.8, this could cause issues, however it depends on your password policies as to whether there is a significant likelihood of this happening.
As for what the interaction between your password policy and Platform SSO will be, that largely depends on which "flavour" of PSSO you're going with as each interacts differently with the local account password.
In summary, I think there isn't much in the CIS Level 1 which is likely to cause issues for end users, other than potentially 5.2.8 in some cases. It is an acceptable approach to modifying the CIS recommendations if you have good reason to, or if you have mitigations elsewhere which help to address a given control. Make sure that you document where you diverge from the recommendations, Jamf Compliance Editor is a really good way to manage this and it will even create custom documentation for your modified baseline. https://trusted.jamf.com/docs/establishing-compliance-baselines
