I am setting up an enterprise application where third-party applications should be able to authenticate into it using our institutional SSO. The enterprise application has a GUID Client ID provided (e.g., 12345678-1234-1234-1234-1234567890ab) and I am indeed able to log in to the application both through the public URL (e.g., https://myapp.myinstitution.edu) and using applications under my control that are aware of the Client ID.
The issue comes when I try to log in to it with a third-party application like PowerBI. PowerBI, being outside my control, does not know the Client ID and attempts to log in using the public URL as the resource principal (https://myapp.myinstitution.edu).
My assumption is that somewhere I need to inform Azure Active Directory that the resource principal known to third-party apps (e.g., https://myapp.myinstitution.edu) is one and the same as my client ID (e.g., 12345678-1234-1234-1234-1234567890ab). My belief was that the correct way to do this would be to configure a Publisher Domain under the Branding section under App Registrations, but this did not resolve the issue.
How do I inform Active Directory that certain resource principals are synonymous with my application's Client ID?