SSO capabilities in Multi Tenant setup

As of my understanding, Auth0 sessions are managed on the tenant level.
So if a user authenticates to App1 and then tries to access App2 within the same tenant he should not be prompted to authenticate again.
How can we achieve something like this in multi-tenant setup?

We have App1 and App2 which share some common users (but not all of them).
We prefer to have an isolation between App1 and App2 users and maybe different configurations hence the multi-tenant approach we try to pursue.
But we also need the option for Dual-Access users to seamlessly navigate between App1 and App2 without re-authenticating.
What would be the best option for this?