Hi, @Alex2KGM
If you use Azure AD Connect to synchronize hashed passwords to Microsoft 365 for only 30 of the 100 users, only those 30 users' credentials are synced and they can use their on-premises credentials to sign in to Microsoft 365 services. The credentials of the remaining 70 users are not synced, so they can't use their on-premises credentials to sign in to Microsoft 365 services. Because you already have a hybrid setup, synced users can seamlessly use on-premises and cloud resources.
For the 30 users who have synced and migrated to Exchange Online, EOP sends email directly to their Exchange Online mailboxes. If you plan to use Exchange Online Protection (EOP) as your email gateway through an on-premises Exchange 2016 Edge server, the remaining 70 users who are not synced to Microsoft 365 can still receive email from the Internet. EOP filters incoming emails and routes them to the on-premises Exchange server, which then delivers the emails to the appropriate mailboxes. You can refer to Manage mail flow with mailboxes in multiple locations | Microsoft Learn
If you create 70 "online users" with the same name and email address (*@OurDomain.Com) and assign licenses to those "online users" to use Microsoft 365 applications such as Outlook, Teams, Word, and so on, the email flow will still work. However, you need to make sure that the email address and User Principal Name (UPN) match between your local and online users to avoid any confusion or conflicts. On-premises users can still receive incoming email from the internet through EOP and Exchange 2016 Edge settings.
Also, in a hybrid deployment, if the recipient is both online and on-premises, the message will be routed to the online mailbox by default.
To ensure that messages are only sent to local mailboxes, you can take the following steps:
1. Disable online mailbox: Disable the user's mailbox in Exchange Online. This will ensure that all messages are routed to the local mailbox.
2. Configure mail flow rules: Configure mail flow rules in Exchange Online to route mail flow for specific users to on-premises mailboxes.
For more information about the error 550 5.4.1 Recipient address rejected: Access denied, please refer to Fix NDR error code 550 5.4.1 in Exchange Online - Exchange | Microsoft Learn.
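One way to check that the UPN and primary email address match between the local and online users before assigning licenses, as an added example that is not part of the original answer. The CSV column names and sample rows are constructed, and the function name `Compare-UserIdentity` is hypothetical; in practice the two inputs would be exports from the on-premises directory and from Microsoft 365.

```powershell
# Constructed sample exports (not real data). Replace with your own exports
# that carry the same UserPrincipalName and PrimarySmtpAddress columns.
$onPremCsv = @'
SamAccountName,UserPrincipalName,PrimarySmtpAddress
jdoe,jdoe@OurDomain.Com,jdoe@OurDomain.Com
asmith,asmith@OurDomain.Com,anna.smith@OurDomain.Com
bwong,bwong@ourdomain.local,bwong@OurDomain.Com
'@
$cloudCsv = @'
DisplayName,UserPrincipalName,PrimarySmtpAddress
J Doe,jdoe@ourdomain.com,jdoe@ourdomain.com
A Smith,asmith@OurDomain.Com,asmith@OurDomain.Com
'@

# Hypothetical helper: reports on-premises users whose cloud counterpart is
# missing or carries a different primary SMTP address.
function Compare-UserIdentity {
    param(
        [Parameter(Mandatory)] [object[]] $OnPrem,
        [Parameter(Mandatory)] [object[]] $Cloud
    )
    # Index cloud users by lower-cased UPN so the lookup ignores case.
    $cloudByUpn = @{}
    foreach ($c in $Cloud) { $cloudByUpn[$c.UserPrincipalName.ToLowerInvariant()] = $c }

    foreach ($u in $OnPrem) {
        $match = $cloudByUpn[$u.UserPrincipalName.ToLowerInvariant()]
        # -ne on strings is case-insensitive in PowerShell, which suits SMTP addresses.
        $issue = if (-not $match) { 'NoCloudUserWithSameUpn' }
                 elseif ($match.PrimarySmtpAddress -ne $u.PrimarySmtpAddress) { 'SmtpAddressDiffers' }
                 else { $null }
        if ($issue) {
            [pscustomobject]@{
                OnPremUpn  = $u.UserPrincipalName
                OnPremSmtp = $u.PrimarySmtpAddress
                CloudSmtp  = if ($match) { $match.PrimarySmtpAddress } else { $null }
                Issue      = $issue
            }
        }
    }
}

# Emits one row per on-premises user that needs attention before licensing.
Compare-UserIdentity -OnPrem ($onPremCsv | ConvertFrom-Csv) -Cloud ($cloudCsv | ConvertFrom-Csv)
```

A non-routable UPN suffix on the on-premises side (the constructed `.local` row) shows up as a missing cloud match, which is the kind of conflict to resolve before the mailboxes coexist.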