Hi @Leo Johnson · Thank you for reaching out.
There is no right or wrong approach here. However, if feasible, when adding users to a policy or some sort of access control list, the suggestion is to always go with groups rather than adding individual users. That way, the help desk can be leveraged to control the access without needing to grant them admin privileges to manage Conditional Access policies or requiring engagement of an admin to update the policies.
Also, the Conditional Access policies won't need to be updated each time a user account gets created or needs to be added to the policy. Adding a user to the group (in scope of the policy) will apply the CA policy to the user.
Microsoft provides the What If tool in the Azure portal, so figuring out which policy will apply to a given user or application and what conditions will apply is not a challenge.
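
Following the groups-over-users suggestion in the answer above, this added example (not part of the original answer and not Microsoft's code) audits an export of Conditional Access policies for individual user assignments. It assumes the policies were exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the sample policies, names and GUIDs are constructed.

```python
import json

# Special values Graph accepts in includeUsers/excludeUsers that are not individual accounts.
SPECIAL_USER_VALUES = {"All", "None", "GuestsOrExternalUsers"}

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects;
# display names and GUIDs are made up for illustration.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Require MFA - Finance", "state": "enabled",
   "conditions": {"users": {
     "includeUsers": ["11111111-1111-1111-1111-111111111111",
                      "22222222-2222-2222-2222-222222222222"],
     "excludeUsers": [], "includeGroups": [], "excludeGroups": []}}},
  {"displayName": "Require MFA - HR", "state": "enabled",
   "conditions": {"users": {
     "includeUsers": [], "excludeUsers": ["33333333-3333-3333-3333-333333333333"],
     "includeGroups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"], "excludeGroups": []}}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "conditions": {"users": {
     "includeUsers": ["All"], "excludeUsers": [],
     "includeGroups": [], "excludeGroups": ["bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"]}}}
]
""")

def direct_user_assignments(policies):
    """Return {policy name: {"include": [...], "exclude": [...]}} for every policy
    that names individual user object IDs instead of relying on groups."""
    findings = {}
    for policy in policies:
        # Missing or null sections are treated as empty so partial exports do not crash.
        users = (policy.get("conditions") or {}).get("users") or {}
        include = [u for u in users.get("includeUsers") or [] if u not in SPECIAL_USER_VALUES]
        exclude = [u for u in users.get("excludeUsers") or [] if u not in SPECIAL_USER_VALUES]
        if include or exclude:
            name = policy.get("displayName", "<unnamed>")
            findings[name] = {"include": include, "exclude": exclude}
    return findings

if __name__ == "__main__":
    for name, hit in direct_user_assignments(SAMPLE_EXPORT).items():
        print(f"{name}: {len(hit['include'])} included and {len(hit['exclude'])} excluded "
              "individual users; consider moving them into a group")
```

Policies flagged here are the ones that need a Conditional Access administrator for every membership change; policies scoped only to groups or to `All` are not reported.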