The comments/suggestions below might be considered blunt, so beware!
It is my opinion that the issue you are facing is related to the ‘Quality of Data’ offered over your SAML connection.
the environment is rather dynamic, meaning the identifier changes … I know what you are thinking now, how can someone's name change … thing is the admins sometimes want to normalise the case usage of a name.
This is the best indication of the situation you are in: your admins are changing vital information you are depending on, without (I guess) having any clue as to what it does to the monitoring solution, thus breaking your monitoring whenever they change something.
From where I stand (if I were in your position), you need to get a grip on the attributes you are using, and engage in a conversation with your IDP-admin to solve this.
In essence, a SAML connection is a mutual agreement between an IDP and its SP on how and what is being sent with regard to information (the assertion).
In your case you have avoided the conversation and have created a workaround yourself (which is creative) by using the GUID as unique identifier for data-consistency, but now you are running into audit-related issues as mentioned in your topic starter.
so we don’t have to worry anymore and don’t have to discuss with the administrator
This feels as if you are actively avoiding the conversation with the IDP-admins for reasons not given, and again are searching for a workaround on top of your already in-place workaround.
Chances are that - if the IDP-admins are different from the EntraID admins - they are not even aware of your struggles.
This even though the IDP-admins are the ones who could offer you data consistency by just sending attributes that are always lowercase, meaning that if admins change the casing of a username in EntraID, your monitoring will not be affected, as you are already receiving ‘normalised’ attributes.
Hopefully these types of discussions will also create awareness with the IDP- and EntraID-admins of the issues you are facing now, and in the future.