Is there any risk enabling conditional access to all users in Azure AD when using synced identities from on-premise AD including user accounts, shared mailboxes and resource mailboxes?
I mean the shared & resource mailbox user accounts are disabled but does that CA policy affect them in any way? I am trying to enable the CA to all users without needing to remember to exclude any shared and resource mailboxes when creating new ones in addition to the existing.
What about licensing perspective with those disabled accounts?
You don't login directly to shared/resource mailboxes, you access them via your own user credentials. When it comes to licensing, technically the requirement is to have a license, but I guess the MS folks can look the other way for such objects. In any case, no one here is qualified to quote licensing terms on behalf of Microsoft, if you want a proper answer contact your TAM or local Microsoft representatives.