If we have a policy to monitor apps, that allows users to bypass for a few hours, how can we gather justification from them so that we can understand why they need to bypass?
In this case are you referring to monitoring a session through access control / session policy "or" discovery and MDE integration with custom indicators?
When using access or session policies there currently isn't a way to allow end users to temporarily bypass. This would be decided based on the CA policy configured in AAD and corresponding access/session policies in MDCA.
There is an option to bypass for administrators, but this is meant more for troubleshooting and onboarding of new applications though.