The company I manage Intune for states that when users install Office 365 on their private device and sign in to it, they join Azure AD. I've checked my devices in Intune and this is really the case...
I've found out that Automatic Enrollment was set to All users.
How can I prevent users from Azure AD joining via an Office 365 installation or private device?
Actually, the device does not Azure AD join; it gets Azure AD registered. This is a slight difference, as you still log on with the user you used before. With Azure AD join, you would log on with the Azure AD user after the Azure AD join. Regarding your concern about private devices, this would be the same. I assume you won't like to have private devices managed by Intune. As soon as they get registered (aka Workplace Join), they receive Intune policies, for example. With auto enrollment, an Azure AD register will end up in a device MDM managed by Intune. If we talk about Windows 10, you could easily prevent Azure AD join via:
Device enrollment > Enrollment restrictions > Device type restriction > New policy > Properties > Configure platforms > Windows (MDM) set to "Personally Owned" > Block
This will only allow Windows Autopilot devices to enroll into MDM and block personal devices.
If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. Unauthorized enrollments will be blocked.
The following methods qualify as being authorized as a Windows corporate enrollment: