I have a situation where 15% of the users are knowledge workers, wherefore E5 will be purchased. All other users will have E3 or even F1. One add-on is also purchased for the E3 number of users, which is Defender for Endpoint P2.
With this in mind, what functionalities am I not allowed to use?
From what I have read, risk-based conditional access is used to calculate risky users based on the telemetry gathered via AAD Identity Protection. That functionality comes with E5 or a separate AAD P2 license. I understand you are only allowed to use risk-based conditional access policies if all users have the AAD P2 license. Thus, without it, I cannot use these types of policies? Is this correct? (Even a scoped deployment is not possible, as scoped deployment is about assigning a policy/function, but filtering telemetry is not possible.)
Also, Defender for Identity, which of course applies to the on-prem environment, cannot be fully leveraged, as only a small number of users are licensed for MDI (only 15%). Am I correct that I cannot use MDI-based telemetry policies?
Especially using the telemetry that comes with MDI and AAD P2 for MDCA (Defender for Cloud Apps) policies is useful, but it seems useless if MDI or AAD P2 is not licensed for all the users.
The question is: even when I purchase E5 for 15% of the users, am I required to purchase MDI and AAD P2 for all the users to cover identity protection fully / to be allowed to use the telemetry that comes with the two separate capabilities?