Since a user isn't determined to be uniquely part of a tenant (i.e. a user *can* be associated with multiple tenants), then the authentication of a user is a completely independent of it's applicability to the tenant and it's state (enabled/disabled).
There is the potential for a special case that *when* a user is associated with a single tenant, and that tenant is disabled, the auth should fail. Is that what you're suggesting?
Should it?
Since a user isn't determined to be uniquely part of a tenant (i.e. a user *can* be associated with multiple tenants), then the authentication of a user is a completely independent of it's applicability to the tenant and it's state (enabled/disabled).
There is the potential for a special case that *when* a user is associated with a single tenant, and that tenant is disabled, the auth should fail. Is that what you're suggesting?