Hi Bourne
Thanks for your suggestions. I've given other considerations below and would like you to comment again:
1) We currently do not have an on-premise SharePoint server so will be starting this component from fresh.
2) Our users also have external access - so potentially the DMZ proxy setup is just optional (if one requires an extra security layer)? Theoretically external users could pass through the firewall to a single internal ADFS server if we decide to go this path? (We would replicate this internal ADFS server VM for DR).
3) DirSync could be a simpler option - currently we have 4x smaller business units that have already been using O365 email for quite a while with no syncing (i.e. a separate password). They use Outlook, OWA and mobile devices and it hasn't been too much hassle managing two passwords. Would this change much if we started implementing SharePoint online, Team sites, shared mailboxes, etc?
Reducing our on-premise server environment is important to justify our overall move to cloud services.
Keen to hear your comments.
Thanks