Allow configuration option for additional check. Currently, the token is validated and the claimed username is tested against the actual username.
An additional option could be set, forcing the IP addresses of the user logging in to match the IP address on the token. I know that the IP of the user logging in is logged, but I'm not certain how to access it programmatically.
Source: https://github.com/CyberNinjas/pam_aad/issues/3