Matching Okta account to original GSuite/MS365 one

Taking into account vulnerabilities like nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover
one should not rely on email. Our product, however, needs access to MS365/GSuite on behalf of the logged-in Okta user account. How can we get the MS365/GSuite user ID (the oid claim in the MS365 case) from the Okta SAML response to verify the user's identity before acting on their behalf?

You can try to send it to your app as an additional SAML attribute. It might require some effort to extract it from the app assignment though. I’ve never tried to do the latter. But this should help, I guess - Okta Expression Language overview guide | Okta Developer
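As an added illustration of the answer above (example code, not from the original thread, Okta or Microsoft): once the immutable provider ID is passed through as an extra SAML attribute, the relying party should compare that attribute against the `oid` in the Microsoft token and ignore the email entirely. The assertion below is constructed, the attribute name `ms365_oid` is a hypothetical custom Okta attribute, and the code assumes the SAML library has already verified the assertion signature before this XML is handed over.

```python
"""Pull an immutable provider user ID out of a (signature-verified) SAML
assertion and check it against the identity the downstream token carries.

Constructed example. Assumptions:
  * 'ms365_oid' is a hypothetical custom attribute mapped in the Okta app.
  * The SAML library has already validated the assertion's XML signature,
    audience and timestamps; this code only reads attributes from it.
"""
import hmac
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (Signature element omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>http://www.okta.com/exk-example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ms365_oid">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def provider_user_id(assertion_xml: str, attribute_name: str = "ms365_oid") -> str:
    """The immutable ID the IdP vouched for; exactly one non-empty value required."""
    values = saml_attributes(assertion_xml).get(attribute_name, [])
    if len(values) != 1 or not values[0]:
        raise ValueError(f"assertion lacks a single {attribute_name!r} value")
    return values[0]


def identity_matches(assertion_xml: str, token_claims: dict) -> bool:
    """Bind the Okta session to the Microsoft identity by 'oid' only.

    The email claim is deliberately not consulted: it is mutable and, as the
    nOAuth write-up shows, attacker-controllable in some tenant setups.
    """
    expected = provider_user_id(assertion_xml)
    actual = token_claims.get("oid")
    if not isinstance(actual, str):
        return False
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    good = {"oid": "11111111-2222-3333-4444-555555555555", "email": "alice@example.com"}
    spoofed = {"oid": "99999999-8888-7777-6666-555555555555", "email": "alice@example.com"}
    print("genuine token:", identity_matches(SAMPLE_ASSERTION, good))
    print("same email, other oid:", identity_matches(SAMPLE_ASSERTION, spoofed))
```

The second check in the usage block is the point of the thread: a token whose email matches but whose `oid` does not must be rejected, because email is exactly the field a misconfigured tenant lets someone else claim. For production use, parse untrusted XML with a hardened parser (for example `defusedxml`) and keep the signature verification in front of this step.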