Forum Discussion
Inquire about Microsoft Defender for Endpoint Deployment
The purpose of joining Entra ID is solely policy management. For MDE, apart from local GPO, if you have to enforce endpoint security policies it must be only via device groups that are in Entra ID.
The devices can be onboarded to MDE even without joining the domain/Entra ID; there will be a synthetic device registration that makes such devices visible in Intune for policy assignment even if they are not part of the domain.
1. MDE onboarding by executing the onboarding script.
2. Once devices show up in MDE - Device Inventory, apply the tag "MDE-Management", which will create a synthetic device registration in Intune.
3. After a sync (60 mins to 24 hours), devices will appear in Intune, where you can group them and assign policies to those groups.
More info: https://learn.microsoft.com/en-us/intune/intune-service/protect/mde-security-integration
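Added example (not from the post above or from Microsoft's documentation): a PowerShell script that checks steps 1 and 2 from the device side. It reads the MDE onboarding state from the documented `Status` registry key, confirms the Sense service is running, and sets the "MDE-Management" tag through the documented `DeviceTagging` registry value instead of the portal. Assumptions: it is run elevated on a Windows endpoint, and a tag written to the registry is treated the same way as one applied in the portal for the synthetic Intune registration. Step 3 is only observable in Intune after the sync, so it is not checked here.

```powershell
# Added example, not code from the original post.
# Verifies MDE onboarding (step 1) and applies the device tag (step 2) locally.
# Assumption: run as administrator on the endpoint being onboarded.
param(
    [string]$Tag = 'MDE-Management'
)

# Documented MDE registry locations: onboarding status and local device tagging.
$statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$taggingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Test-MdeOnboarded {
    # OnboardingState = 1 means the sensor completed onboarding; any other
    # value (or a missing key) means the onboarding script has not run successfully.
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    return ($state -eq 1)
}

function Test-SenseRunning {
    # The Sense service is the MDE sensor; it should be running once onboarded.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Set-MdeDeviceTag {
    param([string]$Value)
    # The sensor reports the REG_SZ value "Group" as the device tag on its next check-in.
    # Assumption: a tag set here is honoured like a portal tag for MDE-Management.
    if (-not (Test-Path $taggingKey)) {
        New-Item -Path $taggingKey -Force | Out-Null
    }
    Set-ItemProperty -Path $taggingKey -Name 'Group' -Value $Value -Type String
    return (Get-ItemProperty -Path $taggingKey).Group
}

# Step 1: the portal's local onboarding script is interactive, so it is not
# launched from here; stop and tell the operator if it has not been run yet.
if (-not (Test-MdeOnboarded)) {
    throw "Device is not onboarded to MDE (OnboardingState != 1). Run the onboarding script from the portal first."
}
if (-not (Test-SenseRunning)) {
    Write-Warning 'Sense service is not running; the tag will not be reported until it is.'
}

# Step 2: apply the tag that triggers the synthetic device registration in Intune.
$appliedTag = Set-MdeDeviceTag -Value $Tag

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OnboardingState = (Get-ItemProperty -Path $statusKey).OnboardingState
    SenseRunning    = Test-SenseRunning
    Tag             = $appliedTag
}
```

After the sensor's next check-in the tag shows in MDE - Device Inventory, and the device should turn up in Intune within the sync window the post describes; confirm it there before assigning policies, since nothing on the endpoint reflects the Intune side of step 3.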