I know that from 2103 onwards, the Azure AD user discovery dependency is removed for Tenant Attach. We "just" need to enable AD User Discovery to make Tenant Attach work.
Let's have a quick look at the very specific requirements we have in terms of user IDs and user discovery records:
- The AD domain from which users are discovered via SCCM AD User Discovery must have AAD Connect configured to sync identities to Azure AD (to satisfy the hybrid identity requirement).
- The user UPN must be the same in both AAD and AD.
- The user must be part of the same AAD tenant that is attached to Intune.
- The AAD User ID column must be populated with the correct value in the User_DISC table?
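The first three requirements above can be checked before enabling Tenant Attach. The following PowerShell script is an added example and is not part of the original post or any Microsoft tooling: it compares the users SCCM AD User Discovery would find in a given OU with the synced users in the Azure AD tenant, matching them on the AAD Connect source anchor (assumed here to be the base64 form of the on-prem objectGUID, which is also what mS-DS-ConsistencyGuid holds by default) and flagging users that are not synced or whose UPN differs. The `ActiveDirectory` (RSAT) and `Microsoft.Graph.Users` modules are assumed to be installed, and the search base DN is a placeholder.

```powershell
# Added example: Tenant Attach user readiness check (not code from the original post).
# Assumes the RSAT ActiveDirectory module and the Microsoft.Graph.Users module are installed.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# Sign in to the tenant that is attached to Intune; read-only directory scope is enough.
Connect-MgGraph -Scopes 'User.Read.All'

# Placeholder: the OU/domain that SCCM AD User Discovery is configured to read.
$SearchBase = 'OU=Users,DC=contoso,DC=local'

# On-prem side: enabled users in the discovery scope, with UPN and objectGUID.
$adUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties UserPrincipalName, ObjectGUID

# Cloud side: only accounts that AAD Connect actually synced from on-prem.
$aadUsers = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true }

# Index synced AAD users by ImmutableId. Assumption: the source anchor is the default
# objectGUID (or mS-DS-ConsistencyGuid seeded from it), stored as base64 in AAD.
$byImmutableId = @{}
foreach ($u in $aadUsers) {
    if ($u.OnPremisesImmutableId) { $byImmutableId[$u.OnPremisesImmutableId] = $u }
}

# One row per on-prem user: synced or not, and whether the UPN matches on both sides.
$report = foreach ($ad in $adUsers) {
    $immutableId = [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())
    $aad = $byImmutableId[$immutableId]
    $status = if (-not $aad) { 'NotSyncedToAAD' }
              elseif ($aad.UserPrincipalName -ne $ad.UserPrincipalName) { 'UpnMismatch' }
              else { 'OK' }
    [pscustomobject]@{
        SamAccountName = $ad.SamAccountName
        AdUpn          = $ad.UserPrincipalName
        AadUpn         = $aad.UserPrincipalName
        AadObjectId    = $aad.Id
        Status         = $status
    }
}

# Summary counts, then a CSV of everything that would block Tenant Attach for that user.
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'OK' |
    Export-Csv -NoTypeInformation -Path .\TenantAttachUserReadiness.csv
```

Users reported as `NotSyncedToAAD` fail the hybrid identity requirement, and `UpnMismatch` rows are the ones where the UPN differs between AD and AAD (PowerShell's `-ne` is case-insensitive, so only real differences are flagged). If your AAD Connect deployment uses a non-default source anchor, replace the ImmutableId matching with the attribute you actually sync.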

(Image credit: Microsoft)
I know that syncing the user identities with Azure AD is the main requirement (the same applies to Exchange Online as well). But I thought there was a difference between the Exchange Online hybrid identity requirement and the Tenant Attach hybrid identity requirement.
So you can enable Tenant Attach with just a click of a button if you have a well-organized single AD forest/domain. However, if you have a very complex AD structure, it will take time to implement SCCM Tenant Attach. It might not even be possible for some organizations to implement Tenant Attach.
NOTE! These are not due to Configuration Manager issues or limitations, but to the additional user ID and AAD Connect sync setup that complex organizations require.
You can remove the SCCM MPs, DPs, and SUPs in branch offices with Cloud Management Gateway (CMG) server implementations.