Forum Discussion

Eddie79
Copper Contributor
Jun 12, 2023

Azure AD premium and Defender for Cloud Apps License requirement

Hi, we are planning to deploy the limitation as in this document: https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad

Protect SharePoint Online with Microsoft Defender for Cloud Apps Conditional Access App Control: restrict external users from downloading files on shared SharePoint links but allow editing.

Two questions:

1. What type of standalone license can I purchase? AAD P1 & Defender for Cloud Apps?
2. How many licenses should I buy? For all users in my organization, the admin account, or all external users?

2 Replies

  • miller34mike
    Iron Contributor

    Hi Eddie79

    You will just need a single AAD P1 license and MDCA license (or a license that provides both of these), and then you'll likely want to scope the policy filters in MDCA to any device that is not Intune Compliant or Hybrid Azure AD Joined, meaning the policy will block downloads to any unmanaged device. You COULD scope it to users within the session control policy, but only if the user exists in your environment.

    I've written a couple of blogs on session control that you're welcome to check out if you'd like!

    MDCA Session Control – Cloudy Security (cloudy-sec.com)

    MDCA & Endpoint DLP: Session Control in Harmony – Cloudy Security (cloudy-sec.com)
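
One way to build the Conditional Access half of the setup described in the reply above, as an added example that is not code from the post, the blogs, or Microsoft: a report-only policy that routes guest/external users' browser sessions to SharePoint Online through Defender for Cloud Apps, leaving the actual "block downloads on unmanaged devices" decision to the MDCA session policy's device filters. It assumes the Microsoft Graph PowerShell SDK, the first-party SharePoint Online app id shown, and a placeholder break-glass account id.

```powershell
# Added example (not from the post): create the Conditional Access policy that sends
# external users' browser sessions to SharePoint Online through Defender for Cloud Apps.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "MDCA - Route external SharePoint sessions"
    # Start in report-only mode; switch to "enabled" only after reviewing
    # the report-only results in the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            # Guest/external users only, so only they need to be licensed
            # (as the second reply notes). Always exclude a break-glass account.
            includeUsers = @("GuestsOrExternalUsers")
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")   # placeholder, not a real id
        }
        applications   = @{
            # Office 365 SharePoint Online first-party application id.
            includeApplications = @("00000003-0000-0ff1-ce00-000000000000")
        }
        # Conditional Access App Control can only proxy browser sessions.
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # "mcasConfigured": enforce whatever session policy is defined in MDCA,
            # e.g. block downloads where the device tag is not Intune compliant
            # or Hybrid Azure AD joined, as the reply recommends.
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```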

  • MrAzureAD
    Copper Contributor

    1) As far as I know, you are correct: AAD P1 and MDCA is sufficient. Be aware, however, that this only works for all SharePoint sites. If you want MDCA to be used only for a subset of marked SharePoint sites, you will need E5 Compliance to map an auth context to sensitivity labels.
    2) You will need licenses for everyone "benefiting" from the functionality. So if you restrict the CA rule to external users, then you only need licenses for these. But this only applies if your external users are managed inside your tenant (like employees). Azure AD B2B users (aka guest users) are licensed differently. Old license model: 5 B2B guest licenses per 1 employee license. New model: B2B guests must be licensed per "monthly active user" (MAU), but 50,000 per month are free, and they can be used with the highest license in your tenant.

    As always with licensing: Look into the details and discuss this with your Microsoft accounting team.

    Greetings,
    Tobias / MrAzureAD
