I would enable oauth_allow_insecure_email_lookup during migration (but test it properly, it can create mess) . Then I would wait/force all users to use new IDP. I will disable insecure email lookup and old IDP, when all users have Grafana identities created/migrated with new IDP.
