Could someone confirm my understanding of how the "Unmanaged devices" setting works in SPO? I could be completely wrong, but this is my understanding of it:
1. When you set the "Allow limited web-only access" option in SPO, it creates CA policies that apply to all users and all sites, that limit access from devices that are not hybrid or Intune compliant.
2. The CA policies created by 1. can be modified so that the user scope is limited to a subset of all users. Deleting the CA policies will mean that all devices will have the limited experience as no device info will be passed to SPO.
3. If the SPO setting is changed back to "Allow full..." with the CA policies from 1. still in place then the CA policies effectively do nothing.