Azure AD premium and Defender for Cloud Apps License requirement

Hi Eddie79 

You will just need a single AAD P1 license and MDCA license (or a license that provides both of these) and then you'll likely want to scope the policy filters in MDCA to any device that is not Intune Compliant or Hybrid Azure AD Joined, meaning the policy will block downloads to any unmanaged device. You COULD scope it to users within the session control policy but ony if the user exists in your environment. 

I've written a couple blogs on session control that you're welcome to check out if you'd like!

MDCA Session Control – Cloudy Security (cloudy-sec.com)

MDCA & Endpoint DLP: Session Control in Harmony – Cloudy Security (cloudy-sec.com)