Friday, 19 February 2021

How to give API access to entire 'office' corporations? (AWS API Gateway, Outlook VSTO)

I'm searching for a 'design' solution for the following concept:

I have a VSTO plugin for Outlook which needs to make multiple requests to two APIs which are behind an AWS API Gateway. These APIs are processing certain items based on the corporation that is making the call.

This API needs security to hide certain information from people outside a corporation. That's also the part where I'm stuck right now.

The ideal situation would look like this:

  • A user can get verified based on the logged in user in Outlook.
  • An Application/API Administrator can grant & revoke API access to entire corporations.

So what prevents me from finding a solution:

  • I don't know how and if it is possible to verify a logged in Outlook user at the AWS Api Gateway auth.
  • I have looked at different solutions like JWT Tokens + Refresh Tokens, however the issue of granting access to entire corporations still exists. This also goes back to the first issue where I have to get a JWT Token for a logged in user.

So...

  1. What information can I pull out of Outlook to get a user verified at my API Auth (and maybe return JWT tokens)?
  2. Is it possible to grant an entire corporation access to your API? (So 'verified/logged in' Outlook users like bodeeh@fakecorpA.com are granted access because they are in the Office Corporation of company 'fakecorpA', but bodeeh@fakecorpB.com is not granted access because 'fakecorpB' is not granted as an Office corporation.)
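One way to realise the second requirement (administrator-granted access per corporation) at the Gateway, as an added example that is not part of the original question or any answer: a Python Lambda TOKEN authorizer that validates a JWT carrying the Outlook user's email and allows the call only when the email's domain is on an administrator-managed allowlist. The HS256 demo secret, the `ALLOWED_CORPS` set and the claim names (`email`, `email_verified`, `exp`) are assumptions for the demo; the response shape is API Gateway's standard Lambda authorizer output.

```python
import base64, hashlib, hmac, json, time
# Constructed allowlist of corporations an API administrator has granted access
# to (would live in a datastore the admin tooling writes to; revoking = removal).
ALLOWED_CORPS = {"fakecorpa.com"}
# Hypothetical HS256 secret so the demo runs offline; a real design would verify
# RS256 signatures against the identity provider's published public keys.
DEMO_SECRET = b"demo-secret-not-for-production"

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT; only used here to construct sample input."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_token(token: str, secret: bytes = DEMO_SECRET):
    """Return the claims if signature and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
    except ValueError:  # malformed token: wrong part count, bad base64, bad JSON
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > time.time() else None

def corp_of(email: str) -> str:
    """Exact, case-insensitive domain after the last '@'; no substring matching."""
    return email.rsplit("@", 1)[-1].lower()

def handler(event: dict, context=None) -> dict:
    """API Gateway TOKEN authorizer: Allow only verified users of granted corps."""
    claims = verify_token(event.get("authorizationToken", "")) or {}
    email = claims.get("email", "")
    allowed = claims.get("email_verified") is True and corp_of(email) in ALLOWED_CORPS
    return {
        "principalId": email or "anonymous",
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": "Allow" if allowed else "Deny",
            "Resource": event["methodArn"]}]},
        "context": {"corp": corp_of(email) if allowed else ""},
    }
```

Granting or revoking a whole corporation is then a single change to the allowlist, while each individual user is still authenticated by the identity token the plugin obtains for the signed-in Outlook account.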
