Microsoft is rolling out a change from
August 9th August 24th 2017 for Azure Active Directory conditional access policies. Before this change rolls out any user logins to the Office 365 portal are not subject to conditional access requirements (e.g. enforcing multi-factor authentication or other conditions). It is only after the user clicks on a tile to access an application such as Outlook on the web, OneDrive, or Planner that they will be prompted to meet the requirements of your conditional access policies.
From August 9th this behavior will change, and conditional access policies that you apply to Exchange Online and SharePoint Online will also apply to the Office 365 portal. This is a positive change in that it levels the field for securing access to online portals, however it does introduce one potential issue. If a user wants to install the Office 365 ProPlus applications on a computer, they would normally log in to the portal to download the installer. If your conditional access policies require domain-joined or Intune-compliant devices, the user may not be able to login at all (e.g. from an unmanaged home PC).
To get around this, Microsoft advises that the user can still download the Office 365 ProPlus installer from this URL.
Update: Message Center now has this change occuring on the 24th of August in the tenants where I have been notified so far.