Hi Chris,

Absolutley agree with Vasil, one ADFS server is a recipe for disaster, even though a single ADFS server can handle thousands of logons, I always spec a minimum of 2 using hardware load balancing where possible and the same for the WAP in the DMZ, 2 with hardware load balancing.

Keep your AADConnect server seperate to your ADFS is my preferred practice as it ensures that the ADFS servers stay identicial which makes management easier in the future and keeps the roles sperate. (AADC may also self update depending on your configuration, so less risk if it's seperate.)

For the backup option, you can leave password sync in place, however the fail back in the event of you losing both of your ADFS servers (You did split them between virtual hosts/data centres hopefully..) then you need to force the Federated domain back to managed. This is a simple powershell command, BUT it takes about 30-45 minutes to fully take effect because of the number of logon servers in the office 365 arena.

Convert-MSOLDomainToStandard and ConvertMSOLDomainToFederated

Failing back is a case of changing the domain back to federated again, but again this takes time to take effect, so you can see why having a fully HA ADFS farm is a better option and leave this for when the stuff has really hit the fan!

You can configure Client Access Policy (now called Access Control Policy) templates to allow only people coming from trusted IP ranges however be warned if you're not using RFC1918 addresses internally (e.g. 10.0.0.0 etc) then your RegEx setup for the policies is going to be nasty! You can also allow a single group to ignore the ACP and get in. This technet article covers some of the common scenarios, including allowing ActiveSync for ADFS 2.0 (Limit access to Office 365 services based on location), (there was a later version but my links all seem to redirect to this now. Manage risk with conditional access control - Technet)

Good luck.

Paul.