Blocking domain for group of users/or devices

You can create a Device Group in Defender for Endpoint to target specific devices for blocking YouTube.

Here’s how you can do it:

Go to Microsoft 365 Defender → Settings → Endpoints → Permissions → Device Groups.

Create a new device group based on tags or other criteria (like OS, domain, etc.).

Assign a tag (e.g., BlockYouTube) to the target devices under Manage Tags in the Devices section.

Go to Settings → Indicators → URLs/Domains → Add youtube.com as a blocked domain.

Select the device group you created as the target.

Alternatively, if you want to block YouTube for specific users rather than devices, you can set up a Conditional Access App Control policy in Defender for Cloud Apps:

Create a Conditional Access policy in Entra Admin Center targeting specific users.

In Defender for Cloud Apps, create a Session Policy to block YouTube for those users.

If you want to block access based on specific users, a Conditional Access policy + MCAS session control would be better.

If you want to block access based on specific devices, using Device Groups in Defender for Endpoint would be more effective.