Forum Discussion

ErikVet
Brass Contributor
Feb 14, 2020
Solved

Best Practice for Admin Accounts with ADFS / AAD - OnPremise ones or Cloud based

Hi, I just wanted to know from a technical standpoint if there are any disadvantages from using synced accounts (of course special accounts) and assign them admin roles in the cloud or should you...
  • Cian Allner
    Feb 14, 2020

    ErikVet The environments I have worked in, administrator accounts have tended to be synced accounts; the point about lateral movement is a good one though. There is nothing that a synced account can't do that a cloud account for admin and vice versa in a practical matter.


    This is a really good article on https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-resilient-controls. This is more if you start implementing Conditional Access and avoiding user or admin lockout with a set of recommendations. It does include emergency access break glass accounts, outlined in its own https://docs.microsoft.com/en-gb/azure/active-directory/users-groups-roles/directory-emergency-access; as you alluded to, here is Microsoft's recommendation:


    "Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment."


    Plenty more general https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure and https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices that you may have seen already. This is Microsoft's https://docs.microsoft.com/en-us/office365/enterprise/protect-your-global-administrator-accounts for Office 365 and setting up dedicated admin accounts only to be used when global administrator access is required and using other administration roles for user accounts.
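
An added audit script, not from this thread or from Microsoft's docs, that checks the point the reply quotes: it lists every directory-role member, classifies the account as synced, federated or cloud-only, and flags which Global Administrators meet the break-glass criteria (cloud-only, *.onmicrosoft.com, neither synced nor federated). It assumes the Microsoft.Graph PowerShell module is installed and the signed-in account can consent to the read-only scopes requested.

```powershell
# Assumes the Microsoft.Graph module; read-only scopes, nothing is changed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All','Domain.Read.All' -NoWelcome

# Map each verified domain to its authentication type (Managed or Federated),
# so a UPN suffix tells us whether sign-in is handed off to AD FS.
$domainAuth = @{}
Get-MgDomain -All | ForEach-Object { $domainAuth[$_.Id] = $_.AuthenticationType }

# Note: Get-MgDirectoryRole returns only roles that have been activated in the tenant;
# Global Administrator is always present.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Skip groups and service principals; only user accounts are classified here.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property 'userPrincipalName','onPremisesSyncEnabled','accountEnabled'
        $suffix      = ($user.UserPrincipalName -split '@')[-1]
        $isSynced    = [bool]$user.OnPremisesSyncEnabled          # came from AAD Connect
        $isFederated = $domainAuth[$suffix] -eq 'Federated'       # domain points at AD FS

        $source = if ($isSynced) { 'Synced' } elseif ($isFederated) { 'Federated' } else { 'CloudOnly' }

        [pscustomobject]@{
            Role    = $role.DisplayName
            User    = $user.UserPrincipalName
            Enabled = $user.AccountEnabled
            Source  = $source
            # Break-glass eligibility per the recommendation quoted above.
            BreakGlassEligible = (-not $isSynced) -and (-not $isFederated) -and ($suffix -like '*.onmicrosoft.com')
        }
    }
}

$report | Sort-Object Role, User | Format-Table -AutoSize

# The quoted guidance asks for two or more such accounts; warn when the tenant falls short.
$breakGlass = @($report | Where-Object { $_.Role -eq 'Global Administrator' -and $_.BreakGlassEligible -and $_.Enabled })
if ($breakGlass.Count -lt 2) {
    Write-Warning "Only $($breakGlass.Count) enabled cloud-only *.onmicrosoft.com Global Administrator(s) found; recommendation is two or more."
}
```

Synced or federated accounts holding Global Administrator are the ones to review against the lateral-movement concern raised in the question, since their on-premises credentials or the AD FS farm become a path into the tenant's highest role.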
