I choose not to check that in our organization.
We are not federated for ArcGIS Online and assign users an account fnam.lnam_org for ArcGIS Online. We want these to be separate since we do not have enough named user slots and have to switch users around as people come/go or users needing the mobile apps change. Much easier to do if these are not associated with your organization myesri account.
If users need access for training, for instance, they usually use an account that is associated with geonet/community or a dev account and send a request, not their AGOL account. These can still be associated with their work email, if needed. For us, that is easier to manage, although because it is not federated, we don't always know when people leave (downside). Only a couple of us have full access to the (myesri) organization account.
I think keeping it separate will also be easier for the user. For example, when I separate from service, I will make sure someone else is assigned all the superuser/admin rights on myesri. Then, I can change my email to my (global) geonet/myesri account to a personal email. Then they can take the esri access away from me. I will still have access to any personal accounts and geonet. The AGOL account, they can disable and move items to another account. Should be a clean separation if thought out.
Anyway, my two cents.