Hi, thanks for the additional information.
If I understand you right, you need a Conditional Access rule which is limited to a specific user or device group, right?
That's possible without AADDS (Azure Active Directory Domain Services). You only need to create a new Conditional Access rule as described in your posted doc and apply it in the configuration to a predefined AzureAD Group. The rule will be scoped on the defined group only.
I would recommend setting the newly created rule to Report only (like WhatIf) first. And when you see that the rule works fine, you can force it.
Note that you need Azure AD P1 to use Conditional Access features.
If you need further assistance in creating such a conditional access rule, please contact me again.
If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.
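As an added example (not part of the answer above), this is what the group-scoped, report-only policy it describes looks like when created through the Microsoft Graph API from PowerShell. The group ID, policy name, the MFA grant control and the excluded emergency-access group are assumptions: substitute your own values.

```powershell
# Requires the Microsoft.Graph PowerShell SDK and the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Policy body. "enabledForReportingButNotEnforced" is the Graph value for "Report-only":
# sign-ins are evaluated and logged, nothing is blocked until you switch state to "enabled".
$policy = @{
    displayName = "CA - Require MFA for pilot group (report-only)"   # assumed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Scope the policy to one Azure AD group only (placeholder object IDs).
        users = @{
            includeGroups = @("00000000-0000-0000-0000-000000000001")
            # Assumed practice: keep a break-glass group out so you cannot lock yourself out.
            excludeGroups = @("00000000-0000-0000-0000-000000000002")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    # Assumed control; use whatever the linked doc prescribes for your scenario.
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

# Keep the ID: after checking the report-only results in the sign-in logs you enforce the
# policy with a PATCH that sets state to "enabled" on this same object.
$created.id
```

Review the "Report-only" tab of the Azure AD sign-in logs for a few days before changing the state; that is the "WhatIf" step the answer recommends.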