The best approach I have implemented is Microsoft's way of excluding the users via a Group using Conditional Access policy and you can follow the steps - https://learn.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion
Hope this helps.
JS
==
Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.