SSO Multi Tenant vs. Single Tenant

Hi, all. I am not too firm on all the SSO stuff, but best of my understanding, the multi-tenant installation basically allows anybody in the world with an Azure tenant to login in on our CRM. UNLESS: Twenty checks the token received after a login and refuses access, if that does not belong to our tenant. Am I right in this and does Twenty actually do this?