Currently, the “google oauth2 hd” login setting can either be left blank (allowing login from any Gmail or GSuite/hosted domain account), can be set to * (allowing login from any GSuite/hosted domain account), or can be set to a single GSuite domain name (allowing login from accounts in one GSuite/hosted domain.) A fourth option – already supported by the underlying omniauth-google-oauth2 gem but not currently supported by Discourse – is to specify a list of hosted/GSuite domains (allowing logins from accounts in any one of the specified GSuite domains.)
In other systems, I’ve seen this done by allowing multiple domain names to be comma-delimited or space-delimited in the corresponding setting (google oauth2 hd at <discourse>/admin/site_settings/category/login.) An incomplete PR along these lines can be found at FEATURE: Allow Google Login to be enabled for multiple hosted domains. by aribn · Pull Request #6067 · discourse/discourse · GitHub