Hello @Taka !
For the first it is quite clear
The conditional access policy that needs Compliant Devices is the solution
Now for the Second one , it depends , What are the autorization criteria ?
CA have the option for Filters as seen below, you can apply a specific Extension attribute for example !
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards