Blocking domain for group of users/or devices

You can create a Device Group in Defender for Endpoint to target specific devices for blocking YouTube.

Here’s how you can do it:

Go to Microsoft 365 Defender → Settings → Endpoints → Permissions → Device Groups.

Create a new device group based on tags or other criteria (like OS, domain, etc.).

Assign a tag (e.g., BlockYouTube) to the target devices under Manage Tags in the Devices section.

Go to Settings → Indicators → URLs/Domains → Add youtube.com as a blocked domain.

Select the device group you created as the target.

Alternatively, if you want to block YouTube for specific users rather than devices, you can set up a Conditional Access App Control policy in Defender for Cloud Apps:

Create a Conditional Access policy in Entra Admin Center targeting specific users.

In Defender for Cloud Apps, create a Session Policy to block YouTube for those users.

If you want to block access based on specific users, a Conditional Access policy + MCAS session control would be better.

If you want to block access based on specific devices, using Device Groups in Defender for Endpoint would be more effective.

you can do that easily with GSA and you control the ‘who’ by Conditional Access

you can also do that by MCAS and/or indicators of compromise (url) - basically Smart Screen - but that is extremely cumbersome, you have to select devices (and that weird concept that device can only belong to single device group) and not users, and slow to apply - minutes to hours, sometimes applies inconsistently - thats your second option