OIDC - Azure AD & pinned identifier

Following Azure Active Directory with OIDC Auth Method and External Groups | Vault | HashiCorp Developer

Setting the user_claim on the oidc role is listed as:

 vault write auth/oidc/role/${VAULT_LOGIN_ROLE} \
   user_claim="email" \...

Working user_claims can be:

  • email (A value that could be easily replaced by an attacker in a compromised directory)
  • sub (A unique UUID; it isn’t apparent what Azure value it maps to)

Attempting to use oid just gave that it wasn’t found in the claim.

Whilst I feel sub is more secure, as it’s a unique identifier tied to the account, if you can’t determine from the entity/alias what account on Azure it’s relevant to, then it’s difficult to assign access from this.

Ideally, I’d like to capture the Azure identifier that I can see.

Or could it be possible to bind on sub, but also capture the email as metadata for the entity?

I’ll be securing the actual accounts with 2FA regardless, but I’d like to make it more difficult for an attacker to simply change an email address on a higher privileged account.
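One way to do both of the things asked above with the OIDC role parameters Vault already has, as an added example that is not part of the original post or the HashiCorp tutorial: `user_claim` keys the entity alias on `sub`, `claim_mappings` (token claim name to metadata key) copies `email`, `preferred_username` and `oid` into the alias metadata, and `bound_claims` pins a privileged role to specific subjects. It assumes the OIDC method is mounted at `auth/oidc` and already configured for the tenant, that `VAULT_ADDR`, `VAULT_TOKEN` and `AZURE_CLIENT_ID` are set, and that `jq` is installed; the role names, the `-admin` suffix and the `sub` placeholder values are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; not code from the original post or the HashiCorp tutorial.
# Assumptions: OIDC auth mounted at auth/oidc and pointed at the Azure AD
# tenant; VAULT_ADDR/VAULT_TOKEN set; AZURE_CLIENT_ID is the app registration's
# client ID; jq installed. Role names and sub placeholders are hypothetical.
set -euo pipefail

: "${VAULT_LOGIN_ROLE:=default}"
: "${AZURE_CLIENT_ID:?set AZURE_CLIENT_ID to the Azure app registration client id}"

# General role. The alias is named after the stable `sub` claim, while the
# human-readable claims are copied into alias metadata with claim_mappings
# (token claim -> metadata key). A mapped claim that is absent from the token
# is skipped rather than failing the login, so listing `oid` costs nothing if
# the tenant does not send it; set verbose_oidc_logging=true briefly to see
# exactly which claims arrive (it logs them, so turn it off again).
vault write "auth/oidc/role/${VAULT_LOGIN_ROLE}" - <<EOF
{
  "user_claim": "sub",
  "claim_mappings": {
    "email": "email",
    "preferred_username": "upn",
    "oid": "azure_oid"
  },
  "groups_claim": "groups",
  "oidc_scopes": ["openid", "profile", "email"],
  "bound_audiences": ["${AZURE_CLIENT_ID}"],
  "allowed_redirect_uris": [
    "http://localhost:8250/oidc/callback",
    "${VAULT_ADDR}/ui/vault/auth/oidc/oidc/callback"
  ],
  "token_policies": ["default"],
  "verbose_oidc_logging": false
}
EOF

# Privileged role. On top of the sub-keyed alias, bound_claims pins the role
# to an explicit allow-list of subjects, so changing an email address in the
# directory cannot move someone into this role. The sub values are placeholders.
vault write "auth/oidc/role/${VAULT_LOGIN_ROLE}-admin" - <<EOF
{
  "user_claim": "sub",
  "claim_mappings": { "email": "email", "oid": "azure_oid" },
  "bound_claims": {
    "sub": [
      "11111111-1111-1111-1111-111111111111",
      "22222222-2222-2222-2222-222222222222"
    ]
  },
  "oidc_scopes": ["openid", "profile", "email"],
  "bound_audiences": ["${AZURE_CLIENT_ID}"],
  "allowed_redirect_uris": [
    "http://localhost:8250/oidc/callback",
    "${VAULT_ADDR}/ui/vault/auth/oidc/oidc/callback"
  ],
  "token_policies": ["admin"]
}
EOF

# Once users have logged in, map each OIDC alias (named by sub) back to the
# captured email and its entity, which the alias name alone does not tell you.
accessor="$(vault auth list -format=json | jq -r '."oidc/".accessor')"
vault list -format=json identity/entity-alias/id \
  | jq -r '.[]' \
  | while read -r alias_id; do
      vault read -format=json "identity/entity-alias/id/${alias_id}" \
        | jq -r --arg acc "$accessor" \
            'select(.data.mount_accessor == $acc)
             | "\(.data.name)\t\(.data.metadata.email // "-")\t\(.data.canonical_id)"'
    done
```

The metadata is rewritten from the token on every login, so the captured email follows whatever the directory says at that moment; treat it as a lookup and audit aid, and attach policies to the entity (reached through the sub-keyed alias), to external groups, or to `bound_claims`, rather than templating them on the email value.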