I have a function to connect the VPN on a computer to the client’s network, so that we can complete the AAD Hybrid Join remotely. I’m sure this was working previously, but it’s not now because of the Constrained Language mode restrictions (has this changed, or did I only imagine it working?).
The function is Get-Otp and the idea is that the key material doesn’t get passed to the endpoint - the OTP calculation is performed in the cloud and only the MFA code gets passed to the endpoint, so even if something grabbed the OpenVPN config file on the endpoint we’d still have the MFA as a security layer.
So my next step is to execute the code on a server owned by us (the MSP) created specifically for this purpose, but it seems that Get-ImmyComputer only returns devices for the current tenant (and I understand exactly why that would be the case by default).
Is there a way to say that “this function can access MSP tenant servers”?