Hi Nigel,
You’re correct that we can federate Office 365 with the on-premises AD and deploy SSO as necessary.
The Add-MSOLFederatedDomain cmdlet adds a new single sign-on domain (also known as identity-federated domain) to Microsoft Online Services and configures the relying party trust settings between the on-premises AD FS server and Microsoft Online Services. The Convert-MSOLDomainToFederated cmdlet converts the specified domain from standard authentication to single sign-on (also known as identity federation), including configuring the relying party trust settings between the Active Directory Federation Services (AD FS) server and Office 365.
For the detailed steps about how to deploy SSO between Office 365 and the local AD, please refer to: Directory integration overview (Applies to Office 365 Pre-Upgrade) or Single sign-on roadmap (Applies to Office 365 After-Upgrade).
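
The following is an added example, not part of the original reply: it converts a standard-authentication domain with `Convert-MsolDomainToFederated` and then checks that the trust settings on both sides agree. It assumes the MSOnline PowerShell module and a reachable AD FS server. The names `contoso.com` and `adfs01.contoso.local` are placeholders.

```powershell
# Added example. Domain and server names below are placeholders, not values from the post.
Import-Module MSOnline

$DomainName = 'contoso.com'            # placeholder: domain to convert to single sign-on
$AdfsServer = 'adfs01.contoso.local'   # placeholder: primary on-premises AD FS server

# Sign in to Microsoft Online Services with a tenant administrator account.
Connect-MsolService -Credential (Get-Credential)

# Tell the module which AD FS server holds the relying party trust.
Set-MsolADFSContext -Computer $AdfsServer

# Convert only if the domain still uses standard (managed) authentication.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -eq 'Managed') {
    Convert-MsolDomainToFederated -DomainName $DomainName
    $domain = Get-MsolDomain -DomainName $DomainName
}
if ($domain.Authentication -ne 'Federated') {
    throw "Domain $DomainName is still '$($domain.Authentication)'; conversion did not complete."
}

# Get-MsolFederationProperty returns one record per side of the trust
# (the AD FS server and Microsoft Online Services).
$props = @(Get-MsolFederationProperty -DomainName $DomainName)
$props | Format-List Source, FederationServiceIdentifier, PassiveClientSignInUrl

# The token-signing certificate must be identical on both sides; a mismatch
# means sign-ins will fail or the cloud side trusts a certificate that the
# AD FS server is not actually using.
$thumbprints = @($props |
    ForEach-Object { $_.TokenSigningCertificate.Thumbprint } |
    Sort-Object -Unique)

if ($thumbprints.Count -ne 1) {
    Write-Warning "Token-signing certificate mismatch for ${DomainName}: $($thumbprints -join ', ')"
} else {
    Write-Output "Token-signing certificate matches on both sides: $($thumbprints[0])"
}

# Record the settings stored in the cloud so later changes can be detected.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri
```

Keeping the recorded `IssuerUri` and sign-in URLs as a baseline makes unexpected changes to the domain's federation settings easy to spot during later reviews.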