On prem domain - AD Connect Writeback to enable Intune/Defender and increased ASM

We are a small financial institution and are looking to increase our security.  Our on prem domain and on prem servers are not moving to cloud, but we are looking to strengthen our endpoint security for a hybrid workforce.  Intune and Defender for Endpoint offers a lot of what we need, and we have to upgrade to Microsoft E3/E5 anyway to meet audit requirement for Mobile Application Management anyway.  
In order to be able to access on premise printers and file shares, I need to enable password and device writeback in our AD Connect and change our hybrid joined devices to Azure domain joined.  This seems to increase our attack surface and ASM.  We do not have a website so our current lack of attack surface is an asset.  We are concerned with opening our attack surface, but I believe the addition of the capabilities of Intune and Defender for endpoint are worth the increased attack surface.
1. Am I correct in this assessment that the reward is worth the risk?
2. What can I do to lock down the attack surface so we don't have external attacks on our on premise assets or our accounts via O365?