Microsoft ADFS 2.0 and 3.0 has a major shortcoming. It does not log the client IP address of failed authentication attempts.
I work in a company with many users who has more than 1 device, and sometime they even replace devices with the newest version. As a result, they often have devices configured to check mail using ActiveSync, which are not using the correct password. The result of this is, that their AD user account is logged out.
To help with this problem, Microsoft added a feature to ADFS to stop the user from being locked out of AD. But they did not help us with the main problem, helping us to identify the device which is attempting the bad logon. They try to hide the symptom, rather than help us fix the problem.
The only way to find the client IP address is to log all requests to the server using tcpdump / Wireshark, and then look at the POST data, or to replace ADFS with a 3rd party product, like something on Linux, designed for medium size and Enterprise usage. Seems like the target group for ADFS is still internal users and small worksgroups.