Forum Discussion
BIG-IP with APM federation to O365 / Azure AD Connect requiring Web Application Proxy - can we do without WAP?
I know this is a year old article but I was curious if you ever figured this out. We are looking at using APM instead of ADFS Proxy servers but our Windows admin says the WAP role is required. Is this something that APM can also replace?
- Michael_Koyfma1 (Cirrus), Oct 13, 2016
Are you looking to replace ADFS, or just ADFS proxy? Both scenarios should work. WAP role is not required if you want to use APM as a proxy to ADFS either - I suggest you simply give it a try using this guide: https://f5.com/solutions/deployment-guides/microsoft-active-directory-federation-services-big-ip-v11-ltm-apm
If you run into any issues, please report them here on this thread and we can look at it then.
- houstonrob_1173 (Nimbostratus), Oct 18, 2016
Just ADFS proxy. I took your advice and just started putting it in, and it seems to be working, except I don't want users to get an actual login page. When we go straight to the ADFS farm, they're logged in with their computer credentials. Is this supposed to do the same?
- Michael_Koyfma1 (Cirrus), Oct 18, 2016
I am confused - if you are setting up ADFS proxy, then I presume it is for external/remote users, correct? If so, why would you want them to be logged in automatically? Are you saying that you only allow remote access from domain-joined machines? You can try to set up NTLM authentication on the APM policy to avoid the login page, but then you also need to have a login page for non-domain-joined devices, right?
Check out this article and let me know if it makes sense.
https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication
- houstonrob_1173 (Nimbostratus), Oct 18, 2016
Yes, that's correct, this is for external users. Our Windows admin says he wants users to be able to connect via SSO if they're on a domain machine regardless of whether they are inside the network or somewhere else. Any other machine should get the login page (which is working now). I followed the NTLM guide but I'm unsure about the iRule. I'm supposed to apply that to the ADFS VIP?
- Michael_Koyfma1 (Cirrus), Oct 18, 2016
You apply the iRule to the same virtual that contains your access policy.
