Implement HSTS in ADFS
According to Microsoft's documentation, ADFS does not need HSTS because it only serves HTTPS. That misses the case the header exists for: a user's first connection to the service from an insecure or untrusted network is still exposed to an insecure redirect or a man-in-the-middle (MITM) attack.
On first access the user typically types the hostname without a scheme, so the browser sends a plaintext HTTP request before any HTTPS connection exists. An attacker on the path (open Wi-Fi, a compromised router) intercepts that request, answers as if they were the endpoint, and can then either issue a redirect to a malicious site or transparently proxy the real ADFS sign-in page to capture the user's credentials.
HSTS stops that first plaintext request from ever being sent. Once the browser has seen the header on an earlier HTTPS response, it rewrites every subsequent http:// URL for that host to https:// before connecting, and it refuses to let the user click through a certificate warning, so an attacker who tries to terminate TLS with a forged certificate cannot get the user to bypass it. That removes the attacker's ability to issue an insecure redirect or to sit in the middle of the traffic. Two caveats: the policy is cached from a previous secure visit (or from the browser's preload list), so the very first visit ever is not covered unless the domain is preloaded, and the header only counts when it arrives on an HTTPS response, since browsers ignore it over plain HTTP.
Microsoft's other sites and sign-in forms already send this header for exactly these reasons, but ADFS does not.
ADFS should be updated to send a Strict-Transport-Security header with a configurable max-age lifetime and an option to set includeSubDomains.
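A practical way to confirm whether a federation service (or any HTTPS sign-in endpoint) actually emits a usable header is to fetch one HTTPS response and parse `Strict-Transport-Security` the way a browser would. The script below is an added example, not code from the original post or from ADFS. It parses the header per RFC 6797 (a missing or malformed `max-age` means the header has no effect), evaluates it against the lifetime and `includeSubDomains` policy the post asks for, and includes a network probe for real checks; the two sample header sets are constructed to show the "without" and "with" cases, and the `/adfs/ls/` path, the one-year threshold and the sample `Server` value are assumptions for illustration.

```python
"""Check whether an HTTPS endpoint (e.g. an ADFS sign-in page) sends a usable
Strict-Transport-Security header and evaluate it against a simple policy.

Added example, not part of the original post or of ADFS. The sample header
sets below are constructed; probe_hsts() is the only function that touches the
network and is never called at import time.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional

# Assumed policy threshold: one year, the value most deployment guides use.
ONE_YEAR = 365 * 24 * 60 * 60


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Directives are ';'-separated and case-insensitive. max-age is required;
    a header without a valid max-age is ignored by browsers, so it is
    reported here as absent.
    """
    if header_value is None:
        return HstsPolicy(present=False)
    policy = HstsPolicy(present=False)
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return HstsPolicy(present=False)  # malformed: browsers drop the header
            policy.max_age = int(value)
            policy.present = True
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def evaluate(policy: HstsPolicy, min_age: int = ONE_YEAR, require_subdomains: bool = True) -> list:
    """Return a list of findings; an empty list means the header meets the policy."""
    findings = []
    if not policy.present:
        findings.append("no Strict-Transport-Security header: the first plain-HTTP request is not prevented")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 clears the cached policy; HSTS is effectively disabled")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the recommended {min_age} seconds")
    if require_subdomains and not policy.include_subdomains:
        findings.append("includeSubDomains missing: other hosts under the domain can still be reached over HTTP")
    return findings


def probe_hsts(host: str, path: str = "/adfs/ls/", port: int = 443, timeout: float = 10.0) -> HstsPolicy:
    """Fetch one HTTPS response from a live host and parse its HSTS header.

    Certificate validation is deliberately left on: the result is meaningless
    if the endpoint identity was not verified. The header is only read from an
    HTTPS response because browsers ignore it on plain HTTP.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return parse_hsts(resp.getheader("Strict-Transport-Security"))
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server): a sign-in
# page without the header, as the post describes, and one with the header a
# fix would add.
SAMPLE_WITHOUT_HSTS = {"Content-Type": "text/html", "Server": "Microsoft-HTTPAPI/2.0"}
SAMPLE_WITH_HSTS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def check_sample(headers: dict) -> list:
    """Evaluate a captured header dictionary with the same logic as the probe."""
    return evaluate(parse_hsts(headers.get("Strict-Transport-Security")))


if __name__ == "__main__":
    for label, hdrs in (("without", SAMPLE_WITHOUT_HSTS), ("with", SAMPLE_WITH_HSTS)):
        print(label, check_sample(hdrs) or "OK")
    # For a live check: print(evaluate(probe_hsts("sts.example.com")) or "OK")
```

Run `probe_hsts` against your own federation service hostname to see whether the header is there today; the offline samples show what the finding looks like when it is missing versus when a one-year `max-age` with `includeSubDomains` is sent.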