We have a diverse group of end-users. Partly knowledge workers, but also name them task-worker. The last group do not need all the capabilities of the IT environment but uses a small piece of the functionality.

When I assign (name it small) 1 license of E5, (as far as I can oversee), all types of functionalities become available directly. For this particular scop, I get all type of Defender for X-capabilities enabled. Is this correct?

Other functionality will only become available when I assign the E5 license to that particular user.

How do I manage that only those that are protected by the security features of E5 are correctly licensed?

What I mean is that due to adding 1 E5 license, all types of capabilities become available, which could be applicable for ALL users in the tenant. From a compliance issue, I only want those licenses purchased (and assigned) to the knowledge workers' usergroup. At the same time, the task workers could have benefits. I need to exclude them from a compliance point of view to not run into the risk that I have to purchase a license for them also.

Is the "scoped deployment" scenario, where I proof who should and should not have the full-features benefits of Defender 365 be the only possibility? Or is there a more robust method that distinguish the two?

The main reason I asked is; all the task workers are within the same environment, and - I understand - I cannot allow them to be protected by Defender for Identity without purchasing a license. Of course, they could be protected due to the fact a the small-group of E5 licenses are added. And as the features become available they could be protected already, but this is not compliant with the license agreement. On the other hand, they do not need to be protected by MDCA capabilities. Therefore we do not need E5 license for this group. 

So, what is the best approach from a licensing perspective, without making the technical set up too complex?