Security considerations for force-unique-email-across-social-identities
Because a user can choose their own e-mail address in AAD and in other IdPs, it is easy to create an account with an e-mail address the user does not actually control. An attacker who does this keeps access through the IdP even if the real owner of the address later performs a password reset to regain the account.
To mitigate this, when an e-mail address supplied by an IdP is used to create a local account, require an e-mail verification step before the account is created or linked.
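The following is an added illustration of that verification step, not code from this sample or from any IdP; the in-memory `accounts` and `pending` stores, the `handle_federated_signin` / `complete_verification` names and the 10-minute token lifetime are all assumptions. An IdP-asserted e-mail never creates or links a local account directly; a one-time token is mailed to the address and only its redemption performs the link.

```python
import secrets
import time

# Constructed in-memory stores standing in for the local account directory
# and the pending-verification table (assumed names, not a real project's API).
accounts = {}        # email -> {"linked_idps": set()}
pending = {}         # token -> (email, idp, expires_at)
VERIFY_TTL = 600     # seconds a verification token stays valid (assumed)


def handle_federated_signin(email: str, idp: str) -> dict:
    """Receive an e-mail claim from an external IdP.

    The claim is treated as unverified, because the user may have typed any
    address into the IdP. No account is created or linked here; instead a
    one-time token is issued that must be redeemed from the real mailbox.
    """
    email = email.strip().lower()        # normalise so aliases collide
    token = secrets.token_urlsafe(32)    # unguessable, single use
    pending[token] = (email, idp, time.time() + VERIFY_TTL)
    # Out of scope here: send a link containing `token` to `email`.
    return {"status": "verification_required", "token": token}


def complete_verification(token: str) -> dict:
    """Redeem a token from the verification e-mail and perform the link."""
    entry = pending.pop(token, None)     # pop: a token is redeemable once
    if entry is None:
        return {"status": "invalid"}
    email, idp, expires_at = entry
    if time.time() > expires_at:
        return {"status": "expired"}
    acct = accounts.setdefault(email, {"linked_idps": set()})
    acct["linked_idps"].add(idp)         # link only after mailbox proof
    return {"status": "linked", "email": email}
```

Because the same path is taken whether or not a local account with that address already exists, an attacker cannot attach their IdP identity to a victim's existing account either.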