I understand it is possible to read the tenantid property to retrieve the source of the log-in. My concern, which needs further investigation, is more the scenario where a user’s identities from different ADs have already been consolidated into one account (linked account functionality). In this case, what would happen if, after logging in through the first Azure AD (with e.g. group {“First_AD_group_”, “Admin”}), the user then logs in through a second Azure AD connection which happens to use the same group naming?
There would need to be a way to tell whether the “Admin” group was retrieved from Azure AD #1 or #2, or a way to apply a hook to the profile creation/update event to add a prefix to new groups, e.g. “First_AD_group_Admin”.
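
The prefixing idea raised in the post above, as an added example that is not part of the original post and not any product's own API. It assumes a linked profile exposes one entry per connection with hypothetical `identities`, `tenantid` and `groups` fields, and that the application owner maintains the tenant-to-prefix mapping; all sample values are constructed.

```python
# Constructed sample of a linked account: one identity entry per Azure AD
# connection. Field names ("identities", "tenantid", "groups") are assumptions.
TENANT_1 = "11111111-1111-1111-1111-111111111111"  # constructed tenant IDs
TENANT_2 = "22222222-2222-2222-2222-222222222222"

LINKED_PROFILE = {
    "user_id": "example-user",
    "identities": [
        {"tenantid": TENANT_1, "groups": ["Staff"]},
        # Second directory reuses "Admin" and also holds a group whose name
        # imitates the first directory's prefix.
        {"tenantid": TENANT_2, "groups": ["Admin", "First_AD_group_Admin"]},
        # Identity with no known tenant: its groups must not be trusted.
        {"tenantid": None, "groups": ["Admin"]},
    ],
}

# Hypothetical mapping maintained by the application owner.
TENANT_PREFIX = {TENANT_1: "First_AD_group_", TENANT_2: "Second_AD_group_"}


def namespaced_groups(profile, tenant_prefix):
    """Qualify every group with the prefix of the tenant that asserted it."""
    qualified = set()
    for identity in profile.get("identities", []):
        prefix = tenant_prefix.get(identity.get("tenantid"))
        if prefix is None:
            continue  # fail closed: unknown or missing tenant contributes nothing
        for group in identity.get("groups", []):
            # Always prefix, even when the raw name already looks prefixed.
            qualified.add(prefix + group)
    return qualified


def has_group(profile, tenant_prefix, required):
    """Authorization check against the fully qualified group name only."""
    return required in namespaced_groups(profile, tenant_prefix)


if __name__ == "__main__":
    print(sorted(namespaced_groups(LINKED_PROFILE, TENANT_PREFIX)))
```

Authorization rules then refer only to qualified names such as “First_AD_group_Admin”, so an “Admin” group asserted by the second directory never satisfies a rule written for the first.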