I'm trying to apply the "publisher verification" for an Azure AAD app following https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview, but it fails with an MPNAccountNotFoundOrNoAccess error when the app is not located in the same directory as the MPN. The setup is that we have two independent AAD tenants, contoso.com (contoso.onmicrosoft.com) and adatum.onmicrosoft.com. For the contoso.com tenant we are enrolled and verified in the MPN (using the contoso.com domain).
If I log in as the global admin ga@contoso.com in the contoso.com tenant, I'm able to create a multi-tenant app and apply the publisher verification for our MPN ID 1234567 - it works as expected (although it seems to fail sometimes, as described in https://github.com/MicrosoftDocs/azure-docs/issues/62877).
But if I log in as ga@contoso.com in the adatum.onmicrosoft.com tenant (as a guest account with Global Admin privileges), create an app, verify the publisher domain and try to do the publisher verification for MPN ID 1234567, I'm getting
"The MPN ID you provided (1234567) does not exist, or you do not have access to it. Please provide a valid MPN ID and try again." (MPNAccountNotFoundOrNoAccess)
Exactly what I have done in the adatum.onmicrosoft.com organisation:
- Created a multi-tenant app
- Set the publisher domain to contoso.com (verified using the "/.well-known/microsoft-identity-association.json" file)
- Enabled security defaults, such that the ga@contoso.com account is prompted for MFA on login
ga@contoso.com is both GA in contoso.com and adatum.onmicrosoft.com as well as MPN admin.
Questions:
- Is what I'm doing supposed to work - or not?
- Do I need to add adatum.onmicrosoft.com as a tenant in our MPN account (https://docs.microsoft.com/en-us/partner-center/multi-tenant-account)?
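Added example, not part of the original post or of Microsoft's tooling: a small Python check of the two prerequisites the post walks through before the MPN step (publisher domain set on the app, and the app ID listed in the domain's `/.well-known/microsoft-identity-association.json`), plus whether an MPN ID is already attached. It assumes the Microsoft Graph `application` field names `appId`, `publisherDomain` and `verifiedPublisher.verifiedPublisherId`; the app object and the association document below are constructed sample data.

```python
import json
import uuid

# Constructed sample of a /.well-known/microsoft-identity-association.json body,
# as it would be served from the publisher domain (contoso.com in the post).
ASSOCIATION_JSON = """
{ "associatedApplications": [
    { "applicationId": "11111111-2222-3333-4444-555555555555" } ] }
"""

# Constructed sample of the relevant fields of a Graph `application` object
# for an app whose publisher domain is set but which is not yet MPN-verified.
APP_OBJECT = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "publisherDomain": "contoso.com",
    "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None,
                          "addedDateTime": None},
}


def app_is_associated(document, app_id):
    """True if app_id appears in the association file (GUID compare, case-insensitive)."""
    try:
        data = json.loads(document)
        wanted = uuid.UUID(app_id)  # rejects malformed JSON and non-GUID ids
    except (ValueError, TypeError):
        return False
    apps = data.get("associatedApplications") if isinstance(data, dict) else None
    if not isinstance(apps, list):
        return False
    for entry in apps:
        try:
            if uuid.UUID(str(entry.get("applicationId"))) == wanted:
                return True
        except (ValueError, AttributeError):  # bad GUID or non-object entry
            continue
    return False


def verification_state(app, document, expected_domain, expected_mpn_id):
    """Summarise the publisher-domain prerequisites and the current MPN status."""
    domain_ok = (app.get("publisherDomain") or "").lower() == expected_domain.lower()
    assoc_ok = app_is_associated(document, app.get("appId", ""))
    vp = app.get("verifiedPublisher") or {}
    mpn_ok = str(vp.get("verifiedPublisherId")) == str(expected_mpn_id)
    return {"publisher_domain_set": domain_ok,
            "well_known_lists_app": assoc_ok,
            "verified_with_mpn_id": mpn_ok}


if __name__ == "__main__":
    print(verification_state(APP_OBJECT, ASSOCIATION_JSON, "contoso.com", "1234567"))
```

A `False` for the first two keys points at a prerequisite problem; all three `True` means the MPN step already succeeded for that app.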