Allow for specific exclusion of Non-hybrid Trusted devices
have ability to Exclude non hybrid trusted devices in Conditional Access Policies. You can exclude Hybrid Joined or Compliant, but cant exclude Non Joined. This would provide the ability to create a policy that would exert conditions such as MFA at trusted locations on non trusted devices while still having an allowance for non mfa access for Trusted location and trusted device.
Current set up triggers both policies and creates lockout.