Forum Discussion
Excluding machines from agentless scanning for machines at scale
We can configure the exclusion of machines based on tags in the environment settings under Defender plans > Settings & monitoring at the subscription level. This process is detailed at https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-agentless-scanning-vms#exclude-machines-from-scanning.
However, configuring the exclusion of certain tags for all subscriptions at scale is not straightforward. Neither the Azure Policy at https://www.azadvertizer.net/azpolicyadvertizer/5eb6d64a-4086-4d7a-92da-ec51aed0332d.html nor the one at https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html provides such a parameter.
The following PowerShell command works:
Set-AzSecurityPricing -Name "CloudPosture" -PricingTier "Standard" -Extension '[{"name":"SensitiveDataDiscovery","isEnabled":"True","additionalExtensionProperties":null},{"name":"ContainerRegistriesVulnerabilityAssessments","isEnabled":"True","additionalExtensionProperties":null},{"name":"AgentlessDiscoveryForKubernetes","isEnabled":"True","additionalExtensionProperties":null},{"name":"AgentlessVmScanning","isEnabled":"True","additionalExtensionProperties":{"ExclusionTags":"[{\"key\":\"Microsoft\",\"value\":\"Defender\"},{\"key\":\"For\",\"value\":\"Cloud\"}]"}}]'
Is directly calling the Azure Resource Manager API (e.g. via Az PowerShell) for every subscription or creating a custom Azure Policy definition the only option? It would be great if this were supported by the built-in policy definition.
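As an added example (not part of the post above, and not a Microsoft-provided script), this shows the "call the ARM API for every subscription" route the post mentions: a read-modify-write of the Microsoft.Security/pricings/CloudPosture resource via Invoke-AzRestMethod, so only the AgentlessVmScanning extension is touched and the other extensions keep whatever each subscription already has. It assumes Az.Accounts is installed, Connect-AzAccount has been run with rights to change Defender plans, and that api-version 2023-01-01 exposes the extensions array; the tag keys and values are the sample ones from the post.

```powershell
# Added example, not the original poster's code. Applies agentless-scanning exclusion tags to every
# enabled subscription the signed-in identity can see, preserving the other CloudPosture extensions.
param(
    [hashtable]$ExclusionTags = @{ 'Microsoft' = 'Defender'; 'For' = 'Cloud' }  # sample tags from the post
)

$apiVersion = '2023-01-01'   # assumed API version for Microsoft.Security/pricings

# The API stores ExclusionTags as a JSON *string* containing an array of {key,value} objects
$tagArray      = @($ExclusionTags.GetEnumerator() | ForEach-Object { @{ key = $_.Key; value = $_.Value } })
$exclusionJson = ConvertTo-Json -InputObject $tagArray -Compress

foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
    $path = "/subscriptions/$($sub.Id)/providers/Microsoft.Security/pricings/CloudPosture?api-version=$apiVersion"

    # Read the current plan so nothing else on it is overwritten
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) {
        Write-Warning "$($sub.Name): GET failed with $($resp.StatusCode); skipping"
        continue
    }
    $pricing = $resp.Content | ConvertFrom-Json

    if ($pricing.properties.pricingTier -ne 'Standard') {
        Write-Warning "$($sub.Name): CloudPosture is not on the Standard tier; skipping"
        continue
    }

    $ext = $pricing.properties.extensions | Where-Object name -eq 'AgentlessVmScanning'
    if (-not $ext) {
        Write-Warning "$($sub.Name): AgentlessVmScanning extension not present; skipping"
        continue
    }
    if (-not $ext.additionalExtensionProperties) {
        $ext | Add-Member -NotePropertyName additionalExtensionProperties -NotePropertyValue ([pscustomobject]@{}) -Force
    }
    $ext.additionalExtensionProperties | Add-Member -NotePropertyName ExclusionTags -NotePropertyValue $exclusionJson -Force
    $ext.isEnabled = 'True'

    # Write back the tier plus the full (now modified) extension list
    $body = @{ properties = @{ pricingTier = $pricing.properties.pricingTier
                               extensions  = $pricing.properties.extensions } } | ConvertTo-Json -Depth 10
    $put = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
    if ($put.StatusCode -in 200, 201) { Write-Host "$($sub.Name): exclusion tags applied" }
    else { Write-Warning "$($sub.Name): PUT failed with $($put.StatusCode): $($put.Content)" }
}
```

Run it once with a single test subscription in context before letting it walk the whole tenant, and re-read the plan afterwards (GET on the same path) to confirm the ExclusionTags string round-tripped as expected.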