We have a standalone Exchange server and we are using EOP. All of the users exist in Azure AD via FIM synchronization. What attributes need to be set on the individual users for their safe and blocked senders to be honored?

We have tried both DirSync and FIM. they seem to be synchronizing:

msExchSafeSendersHash
msExchBlockedSendersHash
msExchSafeRecipientsHash

However the fields honored by EOP appear to be the following readonly fields:

cloudmsExchSafeSendersHash
cloudmsExchBlockedSendersHash
cloudmsExchSafeRecipientsHash

Are there any other fields that need to be synched with the users with dirsync or FIM for EOP to work when exchange is onpremises and not hybrid? We use Office 365 for office licensing and that is working fine. Users can log into the portal through ADFS and get their software fine.

Second question, how do we populate the cloud version of the fields when they are read only in dirsync and FIM?