Hi Joe.
To enable Microsoft ATP for on-premises Exchange servers, you may need to configure the mail flow through EOP.
Here is a link introducing setting up EOP for on-premises Exchange server:
Set up your standalone EOP service
You may also need licenses for Microsoft ATP(Microsoft Defender for Office 365).
Here is a link on this topic for your reference:
Microsoft Defender for Office 365 service description
In addition, you may also refer to this link for an example scenario:
Implementing Exchange Online Advanced Threat Protection (Part 1)
(Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.