At my last workplace, I somehow managed to get away with only Microsoft Authenticator on my phone, with no actual remote management capabilities enabled. That's pretty much exactly where I draw the line: if I have to have a device to perform work functions, the workplace needs to supply it. I'm not going to put work data on my personal machines, and I'm definitely not letting a third party root my phone for me "for sekhurity", and apply work policies on my personal device. I'm okay with work 2FA on my phone, but only without MDM, as an exception for where otherwise there's no reason for me to have a work phone.

These days a lot of folks can probably do more than just authenticator on their personal device. Teams and Outlook, for example, are both able to run with the MDM-level controls the company wants but without the device-level MDM. It's part of the app and has no control over anything else.