Thanks @lemon-agent-27707. fyi that Nick from Pulumi did get back to me (with options for pulumi service rest api etc. and ideas on the use of teams with in an org). On the access to the end user tenants, we preferably do want to give them access and are exploring options. i wanted to understand all the available options. It seems like either a dedicated account (which will be problematic for us as we use Automation API and will have to provision a dedicated instance for AAPI for each account) OR a single account, an org and multiple TEAMS. We are discussing it internally to see what's viable.