Remove threats from mailboxes or open external hole?

I'm looking for advice on the best way to handle this situation. My organization has recently switched from on prem exchange with an on prem email security solution to moving our security to a cloud solution (exchange still on prem). This new cloud solution has the ability to retroactively remove threats from users mailboxes if something was identified as malicious after it was delivered. However this requires opening an EWS connection to our internal exchange with admin creds that allow …

advice cloud cloud solution cybersecurity email email security exchange external moving organization remove security solution threats