Hi @metalheart, the best way to approach this would be to map the email claim from the external identity provider to the signInNames.emailAddress claim in your custom policy. This way, you can ensure that the email address is consistent across all identity providers. You can do this by using the OutputClaimsTransformation element in your custom policy.
Here's an example of how you can map the email claim from the external identity provider to the signInNames.emailAddress claim in your custom policy:
<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
</OutputClaims>
This will map the email claim from the external identity provider to the signInNames.emailAddress claim in your custom policy.
Please let me know if you have any questions and I can help you further.
If this answer helped you please mark it as "Verified" so other users can verify it.
Thank you,
James
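
Added example (not part of James's answer, and not taken from any real tenant): where the mapping above sits inside a complete technical profile for an external OpenID Connect provider. The provider name "Contoso", its URLs, the client_id and the policy key name are placeholders; the claim types, claims transformations and session-management profile referenced here are assumed to come from the Azure AD B2C custom policy starter pack base file.

```xml
<!-- Added example: hypothetical OpenID Connect provider "Contoso". -->
<ClaimsProvider>
  <Domain>contoso.example</Domain>
  <DisplayName>Contoso (example IdP)</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Contoso-OpenIdConnect">
      <DisplayName>Contoso</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- Placeholder values: replace with the provider's own -->
        <Item Key="METADATA">https://login.contoso.example/.well-known/openid-configuration</Item>
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
        <Item Key="response_types">code</Item>
        <!-- The "email" scope must be requested or the email claim will be absent -->
        <Item Key="scope">openid email profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Placeholder policy key name -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <!-- The mapping from the answer: the provider's "email" claim becomes signInNames.emailAddress -->
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The mapped value is whatever the external provider asserts in its token. If later steps in the user journey use signInNames.emailAddress to find or link an existing account, restrict that to providers known to verify email ownership.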