#1 is on the cards, but I cannot give you a concrete ETA right now, but I'm hoping it'll be available soon. That should give you what you are after.
On #2, this is possible, and it's a feature we call incremental or dynamic consent. It's only available through the new v2 authentication endpoint. As part of the authorize request you can specify the permission scopes you need; in subsequent requests you can ask for additional scopes. However, in your case, the additional scope you want is a scope that you want the admin to consent on behalf of the organization for. This isn't quite possible yet, but is also coming soon. It might be that #1 and #2 land around the same time ;)
We'll update this thread when #1 and #2 are available.