Forum Discussion
Error code: CAA50021 when trying to log in to Office 365
After registering a device in Entra ID, MS-Organization-Access certificates are automatically issued on the device as well. When the device is unregistered in Entra ID and the corresponding certificates are not also removed automatically, re-registering could cause authentication issues. You could try removing the old certificates manually and re-registering the device, thereby issuing a new certificate.
https://learn.microsoft.com/en-us/entra/identity/devices/faq#what-are-the-ms-organization-access-certificates-present-on-our-windows-10-11-devices
Also, Microsoft provides troubleshooting steps for this error, including the dsregcmd /leave command: https://learn.microsoft.com/en-us/office/troubleshoot/activation/activation-error-0xcaa50021
If you're selecting the option to "allow my organization to manage my device", the device is trying to enroll in Intune when Automatic Enrollment is enabled for the user.
If this device is a BYOD device, and it's only Entra registered / not Entra joined, the enrollment restrictions in Intune might block BYOD devices from enrolling.
Conditional Access policy settings, e.g. requiring the device to be marked as compliant, could then also block sign-ins, as the device would not be enrolled in Intune and therefore can't get a compliant status.
I would recommend putting a general BYOD strategy for Windows devices in place.
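The certificate clean-up described in the answer above, as an added PowerShell example that is not part of the original post and not Microsoft's own tooling. It reads the registration state from dsregcmd /status, lists the MS-Organization-Access device certificates, and removes them only when the device no longer reports itself as joined or registered. Assumptions (not stated on the page): the certificates are identified by an issuer name containing "MS-Organization-Access", and they sit in the current user's Personal store for Entra registered devices or the Local Machine Personal store for Entra joined devices. Removing machine-store certificates requires an elevated session.

```powershell
# Added example (not from the original forum post): inspect the device's Entra
# registration state and list the MS-Organization-Access device certificates
# before deciding whether to remove them and re-register with dsregcmd.
# Assumptions: issuer filter '*MS-Organization-Access*' and the two store paths.

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Keys such as AzureAdJoined, WorkplaceJoined and DeviceId appear in that output.
    $state = @{}
    $output = & dsregcmd.exe /status 2>$null
    foreach ($line in $output) {
        # Lazy key match so values containing ':' (e.g. URLs) are kept whole.
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-MsOrganizationAccessCert {
    # Search both Personal stores; the issuer filter is an assumption based on the CA name.
    $stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    foreach ($store in $stores) {
        if (Test-Path $store) {
            Get-ChildItem -Path $store |
                Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
                Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotBefore, NotAfter, Thumbprint
        }
    }
}

function Remove-StaleMsOrganizationAccessCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Only remove certificates once the device no longer reports a registration;
    # while it is still joined/registered the certificate is in use and must stay.
    $state = Get-DsregState
    $joined = ($state['AzureAdJoined'] -eq 'YES') -or ($state['WorkplaceJoined'] -eq 'YES')
    if ($joined) {
        Write-Warning 'Device still reports as joined/registered; run "dsregcmd /leave" (or disconnect the work account in Settings) first.'
        return
    }
    foreach ($cert in Get-MsOrganizationAccessCert) {
        $path = Join-Path $cert.Store $cert.Thumbprint
        # -WhatIf / -Confirm are honoured here via ShouldProcess.
        if ($PSCmdlet.ShouldProcess($path, 'Remove stale MS-Organization-Access certificate')) {
            Remove-Item -Path $path
        }
    }
}

# Usage: review the state and the certificate list first, run the removal with
# -WhatIf, and only then without it; afterwards re-register the device so a
# fresh certificate is issued.
Get-DsregState | Format-Table -AutoSize
Get-MsOrganizationAccessCert | Format-Table -AutoSize
Remove-StaleMsOrganizationAccessCert -WhatIf
```

The guard on AzureAdJoined/WorkplaceJoined is the important design choice: deleting the device certificate while the registration is still active breaks the primary refresh token flow rather than fixing it, so the script refuses to act until the device has actually left Entra ID.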