PatrickF11
Nov 03, 2022
Solved

Azure AD Premium Licensing & permission to use MFA, SSPR, ConditionalAccess, etc.

Hey folks,

I'm wondering how to deal with the following scenario correctly (I know how to use the techniques, it's just about the correct licensing):

  1. Contoso has e.g. 100 Users (Members)
    1. 50 Users are licensed with sth. that includes Azure AD Premium P1
    2. 30 Users are licensed with sth. that includes P2
    3. 20 Users are not licensed (Service accounts, administrative accounts, test accounts, ..)
    4. In addition there are e.g. 40 invited guest accounts, which are not licensed at all.
    5. (I guess this is a very common scenario) :smile:
  2. Contoso wants to use different technologies like
    1. SSPR (Self-Service Password Reset)
    2. Azure AD Identity Protection: MFA Registration Policy
    3. Conditional Access Policies to require MFA
    4. Conditional Access Policies to react to User-Risk or SignIn Risk
    5. (Very common too, I guess)

Question: How to "use" these techniques correctly?

  1. SSPR (Self-Service Password Reset)
    1. Allow for anyone?
    2. Only allow for a dynamic group which includes all AAD P1 licensed users?
  2. Azure AD Identity Protection: MFA Registration Policy
    1. Allow for anyone?
    2. Dynamic group with AAD P2 Users?
  3. Conditional Access Policies to require MFA
    1. Allow for anyone?
    2. Dynamic group with AAD P1 Users?
  4. Conditional Access Policies to react to User-Risk or SignIn Risk
    1. Allow for anyone?
    2. Dynamic group with AAD P2 Users?

Of course I'm fine with using dynamic groups including AAD P1/P2 users, but what about all the guest users, for example?

What is allowed, what isn't allowed?

Thank you very much for any help in advance. :smile:

Regards,

Patrick