Would like to have a way to at least prevent some users from accessing an internal/MSP tenant, but ideally permissions around who can get to tenants at all. Based on AzureaD Group membership would be a bonus 
But I’d be fine with just an “internal tenant explicitly denied to all but explicit set of users.”
NinjaRMM’s role-based permissions with custom organization (their tenant name) system is similar to what I’m suggesting, by way of example.