User management for multi-tenant applications is an annoying issue in Mendix. My best solution is to never manage Users (or Accounts) directly. I usually model that a Tenant has multiple Persons, and a Person has one Account. Accounts are only managed through microflows. Everything an administrator can do is restricted to Persons. Persons do behave nicely with Entity Access rules.
In such a scenario, if you still want to manage the user roles of a person, you can add a many-to-many association between Person and UserRole, and then copy those user roles to the Account by using a microflow.
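The pattern above, as an added example that is not part of the original answer and not Mendix code: a Python model of Tenant, Person, Account and the Person-UserRole association, plus a function that plays the role of the "copy roles to the Account" microflow. Because the microflow runs with full rights while the administrator is confined to Persons by Entity Access, the copy step is where the tenant boundary and the set of grantable roles must be enforced; the class and function names, the role names and the `GRANTABLE_BY_TENANT_ADMIN` allow-list are all assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UserRole:
    """Stands in for a Mendix UserRole (assumed name)."""
    name: str


@dataclass
class Account:
    """Mirrors the Account entity; only touched by the sync function below."""
    username: str
    user_roles: set = field(default_factory=set)


@dataclass
class Person:
    """Tenant -> Person (1:n), Person -> Account (1:1), Person <-> UserRole (n:m)."""
    name: str
    tenant: str
    account: Account
    user_roles: set = field(default_factory=set)   # the Person_UserRole association


# Assumed policy: roles a tenant administrator may hand out. Anything outside this
# set (e.g. a platform-wide Administrator role) must never be copied to an Account,
# otherwise the Person association becomes a privilege-escalation path.
GRANTABLE_BY_TENANT_ADMIN = frozenset({UserRole("User"), UserRole("TenantAdmin")})


def sync_roles_to_account(acting_admin: Person, person: Person,
                          grantable: frozenset = GRANTABLE_BY_TENANT_ADMIN) -> Account:
    """Model of the 'copy roles to Account' microflow.

    Entity Access already keeps the admin inside their own tenant when editing
    Persons; the microflow runs with elevated rights, so it repeats both checks
    before it writes to the Account.
    """
    if acting_admin.tenant != person.tenant:
        raise PermissionError(
            f"{acting_admin.name} ({acting_admin.tenant}) may not manage "
            f"{person.name} ({person.tenant})")
    disallowed = set(person.user_roles) - grantable
    if disallowed:
        names = ", ".join(sorted(r.name for r in disallowed))
        raise PermissionError(f"roles not grantable by a tenant admin: {names}")
    # Replace, not merge: a role removed from the Person is removed from the Account.
    person.account.user_roles = set(person.user_roles)
    return person.account


def role_names(account: Account) -> list:
    """Sorted role names of an Account, for inspection and tests."""
    return sorted(r.name for r in account.user_roles)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    admin = Person("alice", "acme", Account("alice@acme"), {UserRole("TenantAdmin")})
    bob = Person("bob", "acme", Account("bob@acme"), {UserRole("User")})
    print(role_names(sync_roles_to_account(admin, bob)))   # ['User']
```

Running the module syncs Bob's single "User" role onto his Account; trying to sync a Person of another tenant, or a Person who has been associated with a role outside the allow-list, raises before the Account is modified.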