So I just came across your post. We had some queries regarding SSO and SCIM. Since you are also doing SSO (using OpenID) and SCIM, what is your approach? We do the following:
- Get the users using SCIM. (Here, in the Azure AD attribute mapping, we have mapped the oid to the external ID, so when we get the users we get the oid as well as other attributes, i.e. firstname, lastname, etc. This we store.)
- When the user does SSO, we make sure that we decode the token and get the oid. This oid we check against the oid stored in step 1, and if yes we give access to the API. Let me know if you are following the same approach.
Let me know if you follow the same approach, and let me know whether what we are following is a proper approach, as I couldn't find any documentation or steps on how to use both together.
Thanks in advance.
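The two steps described in the post above, sketched as an added example that is not the poster's or any project's code: a SCIM-provisioned store keyed on `externalId` (the mapped oid) and the lookup done at SSO time. The names `ScimDirectory`, `authorize` and `as_bool` are hypothetical, the sample identifiers are constructed, and the sketch assumes the token's signature, issuer, audience and expiry were already validated by an OIDC library; the `tid` and `active` checks are additions beyond what the post describes.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

def as_bool(value):
    # Some SCIM clients send booleans as strings ("False"); accept both forms.
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

class ScimDirectory:
    """In-memory stand-in for the user table filled by SCIM provisioning."""

    def __init__(self, tenant_id):
        self.tenant_id = tenant_id.lower()
        self.by_oid = {}  # externalId (mapped from the Azure AD oid) -> user record

    def create_user(self, resource):
        """Step 1: handle the body of a SCIM POST /Users request."""
        if SCIM_USER not in resource.get("schemas", []):
            raise ValueError("not a SCIM core User resource")
        oid = resource["externalId"].lower()  # compare GUIDs case-insensitively
        name = resource.get("name", {})
        self.by_oid[oid] = {
            "userName": resource["userName"],
            "firstName": name.get("givenName"),
            "lastName": name.get("familyName"),
            "active": as_bool(resource.get("active", True)),
        }
        return oid

    def patch_active(self, oid, value):
        """Handle a SCIM PATCH that replaces 'active' (deprovisioning)."""
        self.by_oid[oid.lower()]["active"] = as_bool(value)

    def authorize(self, claims):
        """Step 2: claims are token claims AFTER signature/iss/aud/exp checks."""
        if str(claims.get("tid", "")).lower() != self.tenant_id:
            return None  # token issued for a different tenant
        user = self.by_oid.get(str(claims.get("oid", "")).lower())
        if user is None or not user["active"]:
            return None  # never provisioned, or deprovisioned since
        return user

# Constructed sample data (not real tenant or user identifiers).
TENANT = "11111111-1111-1111-1111-111111111111"
ALICE = {"schemas": [SCIM_USER], "externalId": "AAAAAAAA-0000-0000-0000-000000000001",
         "userName": "alice@example.com", "active": True,
         "name": {"givenName": "Alice", "familyName": "Example"}}
```

A user deprovisioned through SCIM can still hold an unexpired token, which is why `authorize` checks `active` on every request instead of only checking that the oid exists.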