Hi Steve,
Yes, that is correct: with option 1, select all users for MFA and apply the ExcludeGroup for MFA containing the break-glass account, service accounts, and guest accounts.
The same principles will apply to the 2nd question, and you can try the What If tool in the portal to check the policies and how they will impact users before making them live; also turn on Report-only.
More detailed steps and guidelines are over here - concept-conditional-access-users-groups
Hope this helps.
JS
==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
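
The setup described in the answer above, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original answer: it creates an "all users, exclude one group" MFA policy in report-only mode and refuses to run unless the break-glass account is already in the exclusion group. The group ID, UPN and display name are placeholders.

```powershell
# Added example. Needs the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups
# and Microsoft.Graph.Users modules. All identifiers below are placeholders.
$ExcludeGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: MFA exclusion group
$BreakGlassUpn  = 'breakglass@contoso.example'            # placeholder: emergency access account

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All', 'User.Read.All'

# Pre-flight check: stop before creating the policy if the break-glass account
# is not a direct member of the exclusion group (nested groups are not expanded here).
$breakGlass = Get-MgUser -UserId $BreakGlassUpn
$memberIds  = (Get-MgGroupMember -GroupId $ExcludeGroupId -All).Id
if ($memberIds -notcontains $breakGlass.Id) {
    throw "Break-glass account $BreakGlassUpn is not in exclusion group $ExcludeGroupId."
}

# Policy body: include all users, exclude the group, require MFA.
# 'enabledForReportingButNotEnforced' is the Report-only state: sign-ins are
# evaluated and logged, but nothing is enforced yet.
$policy = @{
    displayName = 'Require MFA for all users (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($ExcludeGroupId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results in the sign-in logs and the What If tool match expectations, switching `state` to `enabled` makes the policy live.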