As you know, Azure AD Conditional Access allows you to define conditions to allow or block access to Azure/Office 365 resource (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview).
When configuring such conditional access, you define to which set of users/groups this apply (or not – aka exclude).
Now, you can apply the conditional access policy by using the Directory Roles to target the set of users – for both include and exclude (in preview)