Scoped User Identifiers
Recently a serious flaw was found in Office 365:
http://www.economyofmechanism.com/office365-authbypass.html
You should, of course, review the report and make your own determination, but here’s a spoiler: the Office 365 application neglected to scope-check a user identifier, which allowed an arbitrary identity provider to assert any identifier whatsoever and thereby gain unauthorized access to the application.
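As an added illustration (not code from the linked report or from Office 365), here are the two resolution patterns the finding describes side by side: one that trusts whatever identifier a trusted issuer asserts, and one that checks the identifier's scope against the domains registered for that issuer and keys the local account by issuer plus identifier. The issuer registry and domain names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed registry (an assumption for this example, not a real configuration):
# the identifier scopes (domains) each federated identity provider may speak for.
TRUSTED_ISSUERS = {
    "https://idp.contoso.example": {"contoso.example"},
    "https://idp.fabrikam.example": {"fabrikam.example", "mail.fabrikam.example"},
}

@dataclass(frozen=True)
class Assertion:
    issuer: str   # identity provider that issued the (already signature-verified) assertion
    subject: str  # user identifier the issuer asserts, here email-shaped

def identifier_scope(subject: str) -> str:
    """Return the scope (domain part) of an email-shaped identifier, lowercased."""
    local, sep, domain = subject.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"identifier carries no scope: {subject!r}")
    return domain.lower()

def resolve_user_unscoped(assertion: Assertion) -> str:
    """Flawed pattern: any trusted issuer may assert any identifier.
    Keyed by bare identifier, so an issuer registered for fabrikam.example
    can obtain the account of alice@contoso.example."""
    if assertion.issuer not in TRUSTED_ISSUERS:
        raise PermissionError("unknown issuer")
    return assertion.subject.lower()

def resolve_user_scoped(assertion: Assertion) -> tuple[str, str]:
    """Hardened pattern: the issuer may only assert identifiers in scopes it
    owns, and the local account key carries the issuer as well, so two
    issuers can never collide on the same bare identifier."""
    allowed = TRUSTED_ISSUERS.get(assertion.issuer)
    if allowed is None:
        raise PermissionError("unknown issuer")
    scope = identifier_scope(assertion.subject)
    if scope not in allowed:
        raise PermissionError(f"{assertion.issuer} may not assert scope {scope}")
    return (assertion.issuer, assertion.subject.lower())

def accepts(resolver, assertion: Assertion) -> bool:
    """True if resolver yields an identity for assertion, False if it rejects it."""
    try:
        resolver(assertion)
        return True
    except (PermissionError, ValueError):
        return False
```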
Here are a few lessons learned from the Office 365 vulnerability.
Lesson Learned #1
An email address is not a user identifier.