In offline mode (i.e., when AD is unavailable), Defender Desktop Login is unable to check group membership to determine whether the user account needs to authenticate to Defender or can log on using only its Windows credentials.
Therefore, to ensure security is maintained, the default offline behaviour is to require Defender authentication for all domain accounts.
Local user accounts will still be able to log on, but domain users who would normally log on using Windows credentials alone will not be able to log on while offline.
Domain users who would normally use their token for authentication will be able to log on in offline mode, provided they have logged on to the workstation previously and their offline token cache has been updated.