Reputation: 4716
I'm developing a SCIM 2.0 compliant service provider to receive SCIM-provisioning requests from MS Entra ID. The service provider is multi-tenant capable, and the provisioning requests are to be interpreted within the context of the MS Entra ID tenant.
Detecting the current context (the client's MS Entra ID tenant ID) is easiest done by evaluating the OAuth bearer token that is required to authenticate each request.
Typically, service providers require the tenant to create a long-lived token directly from the service provider, then paste that as the Secret Token when configuring the "Admin Credentials" in the "Provisioning" section of the Entra "Enterprise Application".
But if this field is left empty, Entra will create a signed bearer token itself; see here. The token clearly identifies the tenant that issued the SCIM request in both the iss and tid claims.
To me, this sounds perfect. After verifying the signature of the token and asserting the issuer starts with a trusted domain, the service provider can reliably determine the tenant ID. This approach obviates the need for service-provider-managed, long-lived tokens.
Unfortunately, further down in the document, Microsoft discourages using this method in production; see here:
Note: It's not recommended to leave this field blank and rely on a token generated by Microsoft Entra ID. This option is primarily available for testing purposes.
There is no explanation given as to why this is not recommended. Can you help me out?
Upvotes: 0
Views: 44
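One way to implement the validation the question describes (verify the signature, require a trusted issuer, derive the tenant ID), as an added example that is not part of the original post. It builds an HS256-signed test token with a shared key so it runs offline; a real Entra-issued token is RS256-signed and would be verified against Microsoft's published signing keys instead. The audience value and the `https://sts.windows.net/<tenant-id>/` issuer layout are assumptions.

```python
import base64, hashlib, hmac, json, time

# Assumed: the issuer prefix the service provider trusts, and the audience
# the SCIM endpoint expects to see in tokens addressed to it.
TRUSTED_ISSUER_PREFIX = "https://sts.windows.net/"
EXPECTED_AUDIENCE = "https://scim.example.test"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    # Constructed test token. HS256 with a shared key stands in for the
    # RS256 signature Entra would produce, so the example needs no network.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def tenant_from_token(token: str, key: bytes, now=None) -> str:
    """Verify the bearer token and return the tenant ID, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("expired")
    iss = claims.get("iss", "")
    if not iss.startswith(TRUSTED_ISSUER_PREFIX):
        raise ValueError("untrusted issuer")
    tid = claims.get("tid")
    # The tenant GUID is the path segment after the trusted prefix; tid must agree with it,
    # so a token cannot name one tenant in iss and a different one in tid.
    if not tid or iss.rstrip("/").rsplit("/", 1)[-1] != tid:
        raise ValueError("tid does not match issuer")
    return tid
```

Swapping `make_token`/the HS256 check for RS256 verification against the issuer's JWKS keeps the claim checks unchanged.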