Active Directory Integration

Per-device policy is fine, but if possible, this would be great:

Group-Based Access - A policy can be applied based on their Active Directory groups, so they can go to any computer and their policy follows them regardless of which device.

We do have adam:UBA™ - User Assigned Policies although it doesn’t cover your group assignment aspect.
