Dr Adam Thorn authored
This is flagged as a security risk, but that's very much dependent upon the site config. We trust that if Entra claims a user has an email address of user@cam.ac.uk, then this is unquestionably true. (The warnings all concern cases where you can't necessarily trust this attribute.)

The use cases I have for doing this include:

- being able to proactively set node ownership when doing a site import (we need user accounts to exist if they are to own content)
- for content like staff pages we make use of the "can edit own content" permission. Although in principle we could implement a custom permission check (e.g. compare field_person_crsid to $current_user->getUsername()) that feels like a bad strategy.
09ec375f