When playing around with Windows 10 and modern device management – Automatic Azure AD enrollment is a part of this. With Windows 10 1703 you can “Enroll in Azure AD” with a provision packages created with Windows Configuration Designer.
When creating a provision packages to automatic enroll a device in Azure AD a user is created in Azure AD, it is a normal user – you dont know the password for the user.
The user will show up in your all user group, and other dynamic AzureAD groups – if you do not exclude it.
If you have a dynamic Azure AD group that’s get a licens assignment then you also need to exclude the package user. The packages does not need a specific licens assigned to be working.
Who is the user created:
Sign in with you Azure AD account (This does not require administrative rights in your Azure AD)
Enter the password for the device enrollment manager
You have to allow WCD to access your account in Azure AD
Then the “Bulk Token Fetched Successfully” and the packages user is created.
Every time you create a new provision packages with WCD then a new packages user is created!
Remember that :
The default number of devices that can be joined to an Azure AD tenant is limited to 20 – so you need to change this is you need to enroll more then 20 devices with one provision packages.
The user never expire – it is not possible to set a expire date on a cloud only user at the moment – please vote for “Set an AzureAD account to expire on a specified date” : https://feedback.azure.com/forums/34192–general-feedback/suggestions/16390489-set-an-azuread-account-to-expire-on-a-specified-da
Mobile-First Cloud-First 
Hi,
I tried to use the device enrollment manager a few days ago but when you enroll a device with this account it becomes the device owner, and when my users log into the computer they don’t get Intune policies (VPN, packages…).
Is there a way to make it work?
Did you create a device enrollment manager and AzureAD joined the device or did you use the new feature in Windows 10 1703 with Bulk enrollment?