This guide assumes you already have an on-premises Exchange server and an Office 365 tenant with EOP (Exchange Online Protection) licenses. If you also want ATP (Advanced Threat Protection), you need separate licenses for that.
I synced my users to Office 365 with Azure AD Connect; it's best practice, but it is not necessary for an EOP-only setup.
There are plenty of articles about that on the internet, so I won't be covering it here.
Your domains need to be added to the portal, which you will find under Settings and Domains.
Only add the TXT record (domain verification) for now.
We will change the MX record later, once the connector to the on-premises server exists and has been tested; if the MX record is changed first, mail arrives at EOP with nowhere to deliver it.
Next, go to the Exchange admin center, then mail flow and accepted domains. Here you will find all your domains; all of them need to be set to Internal Relay.
If a domain is set to Authoritative, Office 365 considers itself the final destination for it and only passes a message on to the on-premises server when the recipient exists in Office 365 (for example as a synced mail user); mail for any other recipient is rejected. With Internal Relay, mail for recipients Office 365 does not know about is relayed to the on-premises server through the connector we create next.
Now we need to create the connector that will transport email from Office 365 to the on-premises Exchange.
You will find it in the Exchange admin center under mail flow and connectors.
Create a new connector going from Office 365 to your organization's email server.
During creation it asks when we want to use this connector; choose "For email messages sent to all accepted domains in your organization".
Next, specify the smart host that Office 365 will deliver your mail to; my FQDN is the same as the webmail URL.
Then it asks about certificates. I used "Any digital certificate, including self-signed certificates", which only requires that TLS is negotiated and does not verify who the receiving server is. For production, prefer the option that requires a certificate issued by a trusted CA, ideally with the subject name or SAN matching the smart host FQDN, so Office 365 will only hand your mail to the server presenting your certificate.
After that you have the option to test the connector.
Here it is created:
Now you can point your MX records at Office 365 and you will have EOP as spam filtering. Once the MX record has changed, restrict inbound SMTP (TCP 25) on the on-premises server or its firewall to the Microsoft 365 IP ranges; otherwise anyone who knows your server's name can still deliver mail directly to it and bypass EOP entirely.
I started with one domain that wasn't in use, to test if everything was okay.
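The same procedure carried out from Exchange Online PowerShell instead of the admin center, as an added example (this is not from the original post; the domain contoso.com, the smart host mail.contoso.com, the admin account and the test recipient are placeholders to replace with your own). It goes one step further than the post on the certificate setting: it requires a CA-issued certificate matching the smart host rather than accepting any certificate.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and that contoso.com / mail.contoso.com / the admin UPN are
# placeholders for your own tenant. Run in Windows PowerShell as an Exchange admin.

# 1. Connect to Exchange Online (interactive modern-auth sign-in).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

# 2. Every accepted domain must be Internal Relay. Authoritative domains make
#    Office 365 the final destination, so unknown recipients are rejected instead
#    of being relayed to the on-premises server.
Get-AcceptedDomain |
    Where-Object { $_.DomainType -ne 'InternalRelay' } |
    ForEach-Object {
        Set-AcceptedDomain -Identity $_.Identity -DomainType InternalRelay
    }
Get-AcceptedDomain | Format-Table DomainName, DomainType

# 3. Connector from Office 365 to the on-premises Exchange.
#    -AllAcceptedDomains $true is the "all accepted domains in your organization" choice.
#    -TlsSettings DomainValidation with -TlsDomain requires a trusted-CA certificate
#    whose subject/SAN matches the smart host. The post's "Any digital certificate"
#    choice corresponds to -TlsSettings EncryptionOnly, which validates nothing.
$connector = New-OutboundConnector -Name 'Office 365 to on-prem Exchange' `
    -ConnectorType OnPremises `
    -AllAcceptedDomains $true `
    -SmartHosts 'mail.contoso.com' `
    -TlsSettings DomainValidation `
    -TlsDomain 'mail.contoso.com' `
    -Enabled $true `
    -Comment 'Inbound EOP relay to on-premises Exchange'

# 4. Send a test message through the connector to an on-premises mailbox and
#    report the result (TLS negotiation, certificate check, delivery).
Validate-OutboundConnector -Identity $connector.Identity -Recipients 'user@contoso.com'

# 5. After changing DNS, confirm the MX record now points at EOP
#    (it should end in mail.protection.outlook.com).
Resolve-DnsName -Name 'contoso.com' -Type MX | Select-Object NameExchange, Preference

Disconnect-ExchangeOnline -Confirm:$false
```

Step 4 is the PowerShell equivalent of the "test connector" button; run it before the MX change so delivery failures show up while mail is still flowing the old way. If the smart host's certificate is self-signed or does not match the FQDN, the validation fails at the TLS step, which is exactly the case the looser "Any digital certificate" option would have silently accepted.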
To activate ATP, go to your users and assign the licenses, then go to the Exchange admin center and configure it.