I was experimenting with Office 365's offering of InTune last night - and made an interesting discovery.
Don't just enable it. You'll find you lock out your user's devices from accessing resources until you "fix" the policies. The default policy seems to be that any device access a 365 resource must be enrolled into the Organisation's InTune account. Probably not a bad thing, but might not play nicely with companies if you have other MDM's deployed, such as Cisco Meraki or VMWare's AirWatch. Guess I'll need to do a bit more testing here.
To disable the policy and regain access, visit the InTune page at: https://protection.office.com/#/device
Then go to Security Policies, Device Management.
Edit the Default MDM Policy by Office 365.
I think you now have two choices: Disable the Deployment or add an exclusion. Personally I did both until I work things out - Deployment, set to No, and click on the Manage Organisation Wide Device Access Settings to get to the exclusions option (I added the Default group here - which basically disabled intune!).