NameIdentifier vs ObjectIdentifier

梦谈多话 2021-01-07 18:03

I have a multitenant ASP.NET application using OpenIdConnect and Azure AD as an Identity provider for Office 365. When the user is authenticated I receive my claims in

2 Answers
  •  礼貌的吻别
    2021-01-07 18:30

    Precisely, if I create another application in Azure AD, then the NameIdentifier will not be the same for the same real Office365 user.

    I made a quick test as follows:

    Register a multi-tenant-webapp and single-tenant-webapp in AD Contoso.

    Log in with user1@contoso.onmicrosoft.com and get the name identifier in both web applications. It turns out the name identifier is the same in both applications. So the name identifier should be able to identify users across applications, but it cannot be used to identify the user in Azure AD.

    For the object identifier, it is a GUID which you can use to identify a user in Azure AD. For example, you can use the object identifier to query the user in Azure AD.

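    PowerShell:

    # Requires the MSOnline module
    $msolcred = Get-Credential
    Connect-MsolService -Credential $msolcred
    # Look up the user by the object identifier (GUID) taken from the claim
    Get-MsolUser -ObjectId "{guid:object_identifier}"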
    

    And more importantly, can you confirm that the ObjectIdentifier can be used as a "universal" identifier for a user in any Office 365 subscription?

    Based on my understanding, the object identifier is a GUID which can identify a user in Office 365 subscriptions.
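
Added example, not part of the original answer or of any project's code: one way for a multitenant ASP.NET application to derive a storage key for a signed-in user from the object identifier claim discussed above. Pairing it with the tenant ID claim is an assumption made here (the page does not mention that claim), and the names `AadUserKey` and `FromPrincipal` are hypothetical.

```csharp
using System;
using System.Security.Claims;

// Hypothetical helper (illustration only): builds a per-user key from Azure AD claims.
public static class AadUserKey
{
    // Long form: claim type seen when inbound claim-type mapping is on.
    // Short form: raw JWT claim name seen when that mapping is off.
    private static readonly string[] ObjectIdTypes =
    {
        "http://schemas.microsoft.com/identity/claims/objectidentifier",
        "oid"
    };
    private static readonly string[] TenantIdTypes =
    {
        "http://schemas.microsoft.com/identity/claims/tenantid",
        "tid"
    };

    // Returns "<tenant-guid>/<object-guid>" in normalized lowercase form.
    // Throws instead of falling back to a name or e-mail claim, so a token
    // without these claims never maps onto an existing account.
    public static string FromPrincipal(ClaimsPrincipal user)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            throw new InvalidOperationException("Principal is not authenticated.");

        Guid tenantId = ReadGuid(user, TenantIdTypes, "tenant ID");
        Guid objectId = ReadGuid(user, ObjectIdTypes, "object identifier");
        return $"{tenantId:D}/{objectId:D}";
    }

    private static Guid ReadGuid(ClaimsPrincipal user, string[] types, string label)
    {
        foreach (string type in types)
        {
            string value = user.FindFirst(type)?.Value;
            if (value == null) continue;          // try the next claim type name
            if (Guid.TryParse(value, out Guid parsed)) return parsed;
            throw new FormatException($"The {label} claim is not a GUID.");
        }
        throw new InvalidOperationException($"The {label} claim is missing.");
    }
}
```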
