Account lockout visibility.
ADFS-enabled user accounts can be locked out due to failed logins from federated services like O365, Skype, SharePoint, OneDrive, Azure, OMS, Visual Studio, etc. However, there is currently no auditability/traceability as to which federated service is causing the lockout. Hence, there is no way to know whether a lockout is due to simple user credential changes or due to malicious intent (brute force, or denial of service against the user account).
Extranet lockout protection is a mitigation should malicious intent be determined, but the missing piece is determining that the lockout is indeed due to malicious intent to begin with.
Federated cloud services need more useful visibility when it comes to logins or failed logins.