
ssh-jailed access restrict all groups, but allow one group

1 vote
1 answer
55 views
Requirement
===========

+ ssh-jailed access restrict all groups, but allow one group.
login to VM-GP324911 for users in GP324911, deny others.
login to VM-GP9e68e for users in GP9e68ea, deny others.
login to VM-GPea7899 for users in GPea7899, deny others.

In some cases, a user can be in Group - GP324911 and GP9e68ea or others,
access or login should work based on group assigned to that VM.
###### By GPO, a couple of AD groups are allowed ssh logins to multiple RHEL VMs. What we want to restrict further - allow only one AD group and disallow others.

###### But - if a user is part of two or multiple groups - allow login only where the group is allowed.

Tried with ssh match group like below -
```
Match Group GP324911
  PasswordAuthentication yes
  PubkeyAuthentication yes

Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
  PasswordAuthentication no
  PubkeyAuthentication no
```
It works the above way - a user who is part of GP324911, GP9e68ea -- allows login to VM-GP324911 or VM-GP9e68ea.

Two questions -

- It stops working if I move the allowing match block below the deny match block, like below; then it will stop allowing access in VM-GP324911 for Group GP324911
```
Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759
  PasswordAuthentication no
  PubkeyAuthentication no

Match Group GP324911
  PasswordAuthentication yes
  PubkeyAuthentication yes
```
- We tried with deny groups and allow groups; it didn't work. Any other way of doing this?
Asked by Indranil (27 rep)
Oct 18, 2023, 10:25 AM
Last activity: Oct 18, 2023, 05:39 PM
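
The ordering effect described in the question follows from how `sshd_config` resolves keywords: for each keyword the first value obtained is used, so the first `Match` block that applies to a user fixes the setting. The Python model below is an added example, not part of the original post and not OpenSSH code; `parse_match_blocks` and `effective` are hypothetical helpers, and only literal `Match Group` lists are modelled.

```python
# Simplified model (not OpenSSH code) of how sshd resolves keywords across
# Match blocks: for each keyword, the first value obtained is used
# (sshd_config(5)). Assumption: only "Match Group a,b,c" with literal group
# names is modelled; patterns, negation, other criteria and the global
# section are ignored.

# The two Match blocks from the question, combined in both orders.
ALLOW = ("Match Group GP324911\n"
         "  PasswordAuthentication yes\n"
         "  PubkeyAuthentication yes\n")
DENY = ("Match Group GP9e68ea,GPea7899,GP2b4f8d,GP77c148,GPfeag5b,GP2g49g5,GPagd759\n"
        "  PasswordAuthentication no\n"
        "  PubkeyAuthentication no\n")
ALLOW_FIRST = ALLOW + "\n" + DENY
DENY_FIRST = DENY + "\n" + ALLOW


def parse_match_blocks(text):
    """Return [(groups, {keyword: value}), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            if len(parts) != 3 or parts[1].lower() != "group":
                raise ValueError(f"unsupported Match line: {raw.strip()}")
            blocks.append((set(parts[2].split(",")), {}))
        elif blocks and len(parts) >= 2:
            # Keywords are case-insensitive; keep the first value per block.
            blocks[-1][1].setdefault(parts[0].lower(), " ".join(parts[1:]))
    return blocks


def effective(text, user_groups):
    """Keyword values applied to a user who belongs to user_groups."""
    result = {}
    for groups, settings in parse_match_blocks(text):
        if groups & set(user_groups):          # user is in a listed group
            for key, value in settings.items():
                result.setdefault(key, value)  # first obtained value wins
    return result


if __name__ == "__main__":
    both = {"GP324911", "GP9e68ea"}            # constructed sample user
    for name, cfg in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        print(name, effective(cfg, both))
```

On a real host, `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the settings sshd would apply to a given connection, which shows the same effect against the actual configuration.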