While there are different ways you may want to go about this based on your particular needs, using a combo of RBAC and silent authentication might suit your use case. Please see the following post for an idea of what that might look like:
Alternatively, you may just want to update a user’s profile data/metadata when you know how to “flag” it with the tenant_id you mentioned and then add this as a custom claim to the token on silent auth. Rules/Actions will run again for the silent auth exchange allowing you to add the new metadata as a custom claim at that point.
I understand there’s a lot going and this is just me thinking out loud but I hope it at least gives you an idea of what’s possible!