I guess EA means Entra Application? But having an application for each org is kinda clunky and not user friendly.
To my knowledge, it is only possible to give one role per user. So this role needs to be present in all orgs the user should have access to.
This role can have different permissions in different orgs.
BUT it seems completely impossible to "build" user permissions based on different roles.
For each permission-org requirement, you need to create a new role.
This could get complex if you have a lot of orgs and users.
The reply URL that needs to be configured points to a specific org. In order to work, the role needs to be defined in this org or the access would be denied. But if the user shouldn't have rights in this org, you either need to have a dummy org, containing all roles, or create a dummy network and give permission to it.
This does not feel like a clean solution.