...
<IIRC, the intent of this paragraph is to keep SPs from requiring custom values, such as Microsoft's "password" instead of "PPT". I don't know if this language would affect
Microsoft's use of that context>
Authentication Context
...
requests
An SP that has an authentication-related business requirement to require authncontextclassref values in assertions MUST specify the allowable values in the RequestedAuthnContext element of authnrequests it generates. Conversely, if an SP does not specify RequestedAuthnContext values in authnrequests it generates, or if the SP does not support the generation of authentication requests (reference to SP-initiated, above), then the SP MUST NOT restrict allowable authcontextclassref values in IdP assertions.
...