Recently when deploying Microsoft Office Macro controls using the Office cloud policy service the deployment approach was to create two policies – the first blocking the use of macros, and the second policy allowing the use of macros.
The theory is that everyone without a business justification is blocked from using macros (as per the Essential 8 guidance), however if a person has an approved business justification they are then added to the group for the macro allow policy.
This works really well, however one behaviour to be aware of is how being assigned to multiple policies is handled. Rather than simply applying the policy with the higher priority, the settings across the policies are merged and the individual settings are applied based on the policy with the higher priority.