I've got 3 Surface Pro 3 tablets, each running Windows 10 1703. Two of them have 256GB RAM, one with 128.
The tablet with 128 is used as my test bed, the other two are configured for end users to be deployed shortly. There are 3 user accounts, all members of the same MDM AD Security group, they should all receive the same configuration (a few policies, a couple of wifi profiles, a web app, and Office 365).
However, I am seeing that the 2 devices that are to be deployed are getting the Windows Mail client configured for some reason?!? The test bed machine is not??
The only difference I can think of is that the test bed machine has been "reset" a number of times while the other 2 were configured during the OOBE?
Ideally, I do not want the Windows Mail client configured for these users - as we would prefer to use OWA. I don't even really know where to start with why it is getting configured or how to prevent it on these devices.
This is somewhat difficult to answer because those two devices are what you should expect when Azure AD joined. It gives you SSO for a lot of apps.
There is no way to stop SSO, why would you? Since the Mail app is a trusted app that is part of the Windows build, it may be difficult to remove or block it. For example, you may deploy a CSP policy to remove it, but it may come back after an update.
I am sure you have your reasons, but I would find a way to cope with the mail app rather than not.