It's often the case that tiny companies (with Office 365 tenancies, or Azure AD tenancies these days) get bought by some large company (with a larger O365 or Azure AD tenancy).
I always assumed that the immutableID (a PUID) exists to accommodate this motive for transitioning a user from one UPN to another. Obviously, the user wants the same mailbox content before and after the UPN change. The big issue then is access to content (which may be DRM-controlled by the old UPN, or signed/encrypted old email).
Now, my thoughts are now to issue the user certs (for email signing) with the same immutableID, in a certain X.509 field (designed for EXACTLY the same purpose as immutableID was designed for, evidently: public name transition between forests/domain naming contexts).
Having raw interoperability with Office 365 Federation (now Azure AD federation) was once what defined "commercial" grade products (the know-how being semi-secret). Now it's not (2 years in). What commercial value-adders need to be doing is accommodating commercial value-add (that doesn't affect the bottom 20% of the market). My guess is that cert name-rollover (via ADCA enterprise templates) and Azure AD don't have a complete story yet.
No question needs answering.