In regards to your first question, you can use Azure Arc to register your old servers, then use Azure Security Center to evaluate their security posture, When you do this, those machines get Defender for Endpoint automatically, see https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction to get started

Migrating your antivirus solution from Sophos to Microsoft Defender Antivirus and Microsoft Defender for Endpoint (ATP) is a good choice, as it provides comprehensive security features for your server estate. Let's address your questions and concerns:

Servers without MS Defender preinstalled: For servers running operating systems like Windows Server 2008 R2, 2012, and 2012 R2, Microsoft System Center Endpoint Protection (SCEP) is indeed a suitable solution. SCEP provides antivirus and antimalware protection for down-level devices. Additionally, you can explore Azure Security Center's capabilities to protect on-premises servers. Azure Security Center offers threat protection and security monitoring for both cloud and on-premises environments.

Hybrid Azure AD setup and managing Defender AV and ATP: To manage Defender Antivirus and ATP for your servers, having the servers as Azure resources is not a strict requirement. While Azure integration provides additional capabilities, you can still manage Defender AV and ATP for your on-premises servers using other methods. For example, you can leverage Group Policy to configure Defender settings centrally. You can also utilize Microsoft Endpoint Manager (MEM) to manage Defender Antivirus and ATP for your servers, similar to how you manage your Windows 10 workstations.

Servers without internet access: If your servers do not have internet access, you can still utilize Defender ATP by configuring a hybrid setup. In this configuration, you can deploy an ATP sensor on a server with internet access, and it will act as a relay for collecting security data from the servers without direct internet connectivity. You can find detailed instructions in the Microsoft documentation for Defender ATP.

Prerequisites for onboarding servers: Before onboarding servers to ATP, it's recommended to ensure that they have the latest updates and patches installed. This includes both operating system updates and relevant telemetry services updates. It's important to keep the servers up to date to benefit from the latest security features and improvements in ATP.

Recommendations for on-premises server setup with Defender ATP: When setting up Defender ATP for on-premises servers, it's crucial to follow security best practices. Here are a few recommendations:
Implement a strong patch management strategy to keep servers up to date.
Configure appropriate network segmentation to isolate critical server workloads.
Regularly review and fine-tune ATP policies based on security analytics and alerts.
Integrate ATP with other security solutions, such as SIEM (Security Information and Event Management), for centralized monitoring and response.

It's also advisable to refer to the official Microsoft documentation for detailed guidance on deploying and configuring Defender Antivirus and ATP for your specific server environment.