Provide extra context during client credentials token exchange

You should use Rules instead of Hooks. Rules are a way to intercept the authentication flow, while Hooks happen at other times (i.e. user signup). See Auth0 Rules

In such rules, you can modify ID and access tokens; you can also set the scope in a rule.
See Rule Examples.

The context object would be the right place to check for a parameter to distinguish between the different organizations somehow. How does the application distinguish? Different subdomains, URL path, or a selector/drop-down list that the user selects from?

Depending on the criteria to distinguish between organisations, you might use the approach mentioned here, "config for hosted login page", as one option.

Especially for Client Credentials Token Exchange, this docs page might also be of interest: Client Credentials Exchange
