I recently discovered that Microsoft's SSO doesn't guarantee email veracity. Basically, you can spoof emails via Active Directory, so if a site supports Microsoft's SSO and doesn't do a second verification, then someone could log in to your site with someone else's email.
I mean, what's the point of their SSO if you're just going to need to verify it with an email code anyways?
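An added example, not part of the original post: a relying party that keys accounts on the `email` claim next to one that keys on the tenant and object IDs (`tid`, `oid`) and falls back to mailbox verification. It assumes the claims come from an ID token whose signature, issuer and audience were already validated; the `Account` store, function names and sample claims are hypothetical and constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Account:
    owner: str
    email: str
    # (tid, oid) recorded once the user has proven control of the mailbox.
    idp_key: Optional[Tuple[str, str]] = None


def login_by_email(claims, accounts):
    """Weak: treats the tenant-controlled 'email' claim as the account key."""
    email = claims.get("email", "").lower()
    return next((a for a in accounts if a.email.lower() == email), None)


def login_by_subject(claims, accounts):
    """Hardened: only a matching (tid, oid) binding logs a user in."""
    key = (claims["tid"], claims["oid"])
    for a in accounts:
        if a.idp_key == key:
            return ("login", a)
    email = claims.get("email", "").lower()
    for a in accounts:
        if a.email.lower() == email:
            if a.idp_key is None:
                # Unbound account: require an emailed code before linking.
                return ("verify_email", None)
            # Same email asserted by a different tenant or object: refuse.
            return ("deny", None)
    return ("signup", None)


# Constructed sample data.
ACCOUNTS = [
    Account("alice", "alice@example.com", ("tenant-A", "oid-alice")),
    Account("bob", "bob@example.com"),
]
ALICE = {"tid": "tenant-A", "oid": "oid-alice", "email": "alice@example.com"}
OTHER_TENANT = {"tid": "tenant-X", "oid": "oid-1", "email": "alice@example.com"}
BOB_FIRST = {"tid": "tenant-B", "oid": "oid-bob", "email": "bob@example.com"}
```

With this layout the email code is needed once, when an identity is first linked, not on every sign-in.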