My scenario is a Visual Studio web app template project, configured with its ASP.NET OpenAuth feature and my customclient provider talking to ACS. ACS itself talks to Azure AD, when so invoked with the whr parameter on the request. With multiple such issuers in an ACS config and given the account linking feature of the site, many Office or Azure AD tenants easily talk to my sites.
If an access token claim is sent down the chain (e.g. like Facebook via ACS does), the web app can use it.
Given all that (obvious stuff), I'm struggling with AAL. I don't know what it buys me.