Are you using Device Compliance, or are you using the soon-to-be-deprecated Conditional Access? Also curious if you are using ABM for DEP enrollment and does that work?
We are testing DP and I ran into issue after erasing a test machine whereby I couldn't sign in via Entra to start enrollment and setup because the device wasn't compliant and couldn't be compliant until macOS setup completed and it actually a user account. Looking at Azure / Entra Sign In logs, I identified our Azure SSO app for Jamf as the entity authenticating and failing there. I then updated the conditional access policy in Entra's Target resources > Exclude > Select excluded cloud apps to add our SSO app, that resolved that issue. I did check the sign-in logs for that SSO app to make sure excluding it wasn't a risk and didn't seem to be.
So that's why I asked about your new machine enrollments and how you are doing them - maybe excluding the SSO app will overcome your user-initated enrollment issue? But I don't know what's in your DP smartgroup criteria; if you're requiring the Self Service.app, you're in a catch-22.
