I think this is a good compromise until you hit a key barrier:
We have employed your option 1 and therefore now we have the internal AD login enabled and successful. However, when we create new users this sends them an invitation. Rather than reading the invitation and acting upon it, they access the helpdesk through the IIS page or by clicking on Active Directory login on the page, and overwrite the account we created for them. If they later (2 minutes later) decide to create a password for the account in case they need access to the helpdesk outside the office (and without VPN), they can't use the activation link anymore. The link now says the account is already activated, and the user has never set up a known password. If the user then tries to log in through the internet portal and clicks on the "Forgotten Password" link, they'll receive a message: "Could not find a user with that email address."
Isn't there any way we can just have both without forcing the user to do anything first? This is really rather frustrating, not knowing what account is being used - i.e. self-registered or the one IT created.
Thanks for the detailed feedback @Haq Saq, I am sharing it with our SSO team to see if they have any suggestions or news that I can share about any improvements coming to our SSO implementation.