Assuming they wouldn't want to take on server maintenance workload, wouldn't something like NetBird be a better fit? The free version has ACL already, the $5/user/month tier has OIDC integration, and the business version (MDM integration and auditing) is $12. Then the server is still open source, so if they wanted to transition to doing it themselves they would still have that option down the road.
Never tried it myself; I only manage small tailnets, so the free tier is fine.