Disabling NTLM authentication over HTTP in on-premises Exchange environments

I am using a Hybrid Exchange Server 2016 on-premises alongside Exchange Online, and all mailboxes have been successfully migrated to Exchange Online.
My on-premises Active Directory (AD) is synchronised with Entra ID using Entra ID Connect.
I want to disable NTLM authentication over HTTP in my on-premises Exchange environment to prevent attackers from validating credentials without requiring Multi-Factor Authentication (MFA).
Could you please provide the procedure for achieving this in Exchange Server 2016?
Additionally, I'd like to know what impact this change will have on user email flow, and I am wondering whether the Exchange ECP must be published to the internet or is no longer required.