This isn't necessary. From the OIDC token, you should instead use the "oid" claim, which is mapped to the Azure AD user object's ObjectID, which is an immutable unique identifier. The "sub" claim is a pairwise hash of the Azure AD user object's ObjectID + the ApplicationId of the application, meaning it is an identifier that is unique per Azure AD application, but is not guaranteed to be unique across all of Azure AD.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims
From the SCIM provisioning side, you can then map for users: objectId -> externalId
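One way to join the two sides, as an added example that is not part of the original answer: a SCIM-provisioned record is looked up by `externalId` using the token's `oid`, so sign-ins through different app registrations resolve to the same user even though `sub` differs. The `UserDirectory` class, its method names and all GUIDs are hypothetical; the `tid` check is an extra guard added here, and the claims are assumed to come from an ID token that has already been validated.

```python
# Added example: link an OIDC sign-in to a SCIM-provisioned user via oid == externalId.
# UserDirectory and every GUID/name below are constructed for illustration.
class UserDirectory:
    """Hypothetical local store filled by SCIM provisioning."""

    def __init__(self, expected_tid):
        self.expected_tid = expected_tid.lower()
        self._by_external_id = {}

    def scim_create_user(self, resource):
        # With the objectId -> externalId mapping, externalId holds the
        # Azure AD objectId, the same value the ID token carries as "oid".
        ext = resource["externalId"].lower()
        if ext in self._by_external_id:
            raise ValueError("externalId already provisioned")
        self._by_external_id[ext] = {"externalId": ext,
                                     "userName": resource["userName"],
                                     "active": resource.get("active", True)}
        return self._by_external_id[ext]

    def resolve_login(self, claims):
        # Assumes signature, issuer, audience and expiry were validated upstream.
        if str(claims.get("tid", "")).lower() != self.expected_tid:
            raise PermissionError("token from unexpected tenant")
        oid = claims.get("oid")
        if not oid:
            raise PermissionError("ID token carries no oid claim")
        user = self._by_external_id.get(oid.lower())
        if user is None:
            raise LookupError("no SCIM-provisioned user for this oid")
        if not user["active"]:
            raise PermissionError("user was deactivated through SCIM")
        return user

TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant id
OID = "aaaaaaaa-0000-0000-0000-000000000001"     # constructed objectId
# Same user signing in to two app registrations: oid matches, sub does not.
CLAIMS_APP_A = {"tid": TENANT, "oid": OID, "sub": "constructed-sub-app-a"}
CLAIMS_APP_B = {"tid": TENANT, "oid": OID, "sub": "constructed-sub-app-b"}

def demo():
    directory = UserDirectory(TENANT)
    directory.scim_create_user({"externalId": OID, "userName": "alice@example.com"})
    return directory, directory.resolve_login(CLAIMS_APP_A), directory.resolve_login(CLAIMS_APP_B)

if __name__ == "__main__":
    _, a, b = demo()
    print(a["userName"], a is b)
```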