it would make more sense to have a proxy app that called all the other services. then your tenants would only need to authorize this app for each of their users.
the proxy app would authenticate to the other apps with its own device account, but would include the verified user token in the requests as a parameter or additional header.