Currently in hybrid situation. 65k+ users, two main forests.

A lot of things. -What is your auth strategy? How do you want users to log in? You said you want to use local dc auth but you have three different ways of doing it: password hash sync, pass thru auth, or federation (typically adfs). (Don’t do federation though, I really don’t recommend it).

-make sure your users user principal names match their email addresses. In most cases when MS asks a user for email for their username, they are asking for their upn. It’ll be easier on everyone when their upn and email match.

-what is your two factor strategy? If you don’t have one, maybe look at Microsoft’s offering. This may sway your auth strategy slightly.

-look at Azure Cloud Sync first before Azure AD Connect. They both perform the same function -synchronizing on prem objects in AD to AAD. Cloud sync is where MS wants to go but it’s not feature parity with AAD Connect. Likely would guess you’d end up with AADConnect

-We are currently doing Exchange migrations to Azure now. And it’s going I guess. It’s not easy, particularly with the sync side of things. I don’t have a lot to say here except I know it’s a massive process for us. I only see parts of it. GPOs, conditional access, adjusting in our MDM solutions to work with migrated mailboxes, etc.

-Use dynamic licensing groups where you can. Makes app on boarding easier.

I could go on for days. Looking back I really wish I had banged the drum to do password hash sync. Federation domains into Azure feels pretty bad in a lot of ways and only helpful in a small subset of others. I expect you’d do seamless sso too, to make using m365 apps easy.