
Apple mail authentication for Exchange accounts - MacOS and iOS

I've been told by two of my different work accounts (I'm "plural") that they will no longer accept Apple Mail on either MacOS or iOS (or iPadOS) for use with their Exchange mail accounts, as none of the Apple native mail apps support AIP (Azure Information Protection) authentication. Only Microsoft Outlook does, but that has a major flaw for me in that it does NOT work with iCloud calendars.

Is there any way to retrofit AIP to the Apple Mail apps, or when will this now problematic constraint be fixed?

Any ideas very welcome.

iPhone 13 Pro

Posted on Mar 9, 2022 5:47 AM

Question marked as Best reply

Posted on Mar 9, 2022 3:56 PM in response to drtj

Welcome to the world of enterprise IT, security and data loss prevention. AIP prevents data loss prevention and doesn't have much to do with actual authentication. If they are worried about data loss then they are never going to let you sync Outlook with iCloud Calendars nor Apple Mail. Authentication is handled via either Microsoft Authenticator and some form of Ping, Okta, AzureAD, or other Identity Provider, or, if an Apple device is managed, via the Microsoft Company Portal App. There's a mix of BYOD solutions plus full control MDM (Mobile Device Management) that can be employed using Microsoft Intune, JAMF, VMware Workspace ONE or many other tools that the enterprise decides upon.

Things could be locked down to the point of an iPad, iPhone, or Mac being hardly recognizable as an Apple product. As an example, I've witnessed a company owned iPad fully managed by an MDM, missing ALL the Apple things we take for granted, having only Microsoft Edge, Outlook, Word, Excel, PowerPoint, Office, Teams, OneNote, OneDrive, AIP, Microsoft Company Portal, Zscaler VPN (TLS Inspecting Proxy) and Zimperium zIPS. All the Apple Apps hidden and locked down. No copy/paste nor transfer of corporate data into or out of the managed environment. No way to connect to a computer with Lightning nor USB-C. No iCloud backups, etc. If the user wants any additional Apps, they have to request them from IT and the Apps either magically appear on the device or appear as optional installs in the Company Portal App.

There are levels of access when it comes to BYOD (Bring Your Own Device) that have layers of control and privacy. Apple has a wonderful new BYOD MDM capability with federated corporate Apple IDs: the user can have their own Apple ID at the same time, sandbox the work Apps, and limit the amount of data collection the employer can accomplish outside of corporate apps. In that case, they cannot even pull the device's serial number. But most companies have yet to adopt these new BYOD MDM features. Other BYOD methods might authenticate you with a multi-factor, cloud-based login and control Apps such as Outlook, etc., but not interfere with personal use.

Bottom line: the moment you let an IT department start managing your device, you need to pay attention to just what they have access to if you own the device. Depending on the employer and the technology they employ, your privacy may be at risk.

My opinion? If they are using an MDM Configuration Profile then the device ought to be owned by the employer and not you. I would never install an MDM Configuration Profile on my personally owned devices. If the device is not owned by you then you have no choice.

Watch out with two employers both requiring restrictions like this. They will not both be able to manage your device at the same time. It's one or the other, not both. You may require more than one device.



1 reply