Per-tenant permissions, especially to deny access to internal

Would like to have a way to at least prevent some users from accessing an internal/MSP tenant, but ideally permissions around who can get to tenants at all. Based on AzureaD Group membership would be a bonus But I’d be fine with just an “internal tenant explicitly denied to all but explicit set of users.”

NinjaRMM’s role-based permissions with custom organization (their tenant name) system is similar to what I’m suggesting, by way of example.

I would like to add that a 3rd tier of read only permissions for MSP would be great as well.

We want our T1 to be able to pull agents and run the onboardings but not change deployments.