In this article I'm going to demonstrate the cutover of inbound mail flow from the on-premises Exchange servers to Exchange Online, so that the organization can use Exchange Online Protection (EOP) for email anti-spam and anti-malware protection.
Currently the mail flow looks like the diagram below. The MX records for the domain are pointing to the on-premises environment, which is using an Edge Transport server to receive incoming email.
In your own scenario the Edge Transport isn't mandatory, and could just as easily be a third party email security appliance, a cloud-hosted service, or mail might be going directly to Exchange. Whatever the case, if you're planning to start using EOP to protect your email then you can still follow this guide.
EOP is already enabled for all Exchange Online tenants, so there's nothing specifically required from you to turn it on or get it working. However, you might want to spend a little time looking at the EOP configuration, before you cut over mail flow to it. This is especially true if you are switching from a different email security appliance or system. Although all of these products basically do the same thing, they all do it in different ways, and they all have different administrative options and controls.
You can find the Exchange Online Protection settings for your Office 365 tenant by logging in to the Exchange admin center, and then navigating to the protection settings.
Once you're happy with the EOP settings for your tenant, and assuming that mail flow between the cloud and on-premises servers has been successfully tested, it's time to change your MX records. The MX record that will point your domain's email to EOP is found in the Office 365 admin center by navigating to Domains, and then clicking Domain settings for your domain name.
DNS changes of this nature can take some time to take effect, even if you have a low TTL set on your DNS records already. I recommend not making any changes to your firewall or any other configuration that might cut off your on-premises server from receiving emails, until perhaps 24-48 hours after the DNS change when you've confirmed that mail flow is going via EOP.
The end state will be something like the diagram below. If you don't have an Edge Transport server, mail flow from EOP will go to one or more of your other Exchange servers.
You can test the MX record change by sending emails from external sources, such as Gmail, and then inspecting the headers (ExRCA has an analyzer you can use for this) after the messages arrive. You should see the emails go from Gmail to Microsoft's EOP servers (with names like DB3FFO11FD931.mail.protection.outlook.com), before they are routed on to your on-premises servers.