That means you know the pain of discovering that some of the on-premises services, like AD FS, are lagging behind in their capabilities. For example, AD FS 3.0 (Windows Server 2012) does not support OpenID Connect or OAuth password authentication for confidential clients (aka web sites), to name a few. And if you have ever tried to configure multi-factor authentication, you know the real pain.
One of the scenarios you may want to consider: while maintaining your preccccious infrastructure, provision Azure AD and federate it with your on-premises domain. The result? Magically, you now have support for OpenID Connect (so you can try approaches previously unavailable to you), and MFA is an absolute breeze.