Comment by merb

Well the best solution is basically to allow the creation of the account but keep it deactivated so that a human needs to check it. That at least works for things like gitlab or other things were an Organisation signs up. The problem of the hd claim is actually not one since you need to validate your domain and if your a saas provider that is b2b only that’s ok. Microsoft is even worst tough, where you need a different claim than email, depending on what you are doing. (UPN)