设置应用的已验证发布者 (Azure AD B2C)，使其在用户同意提示中显示为已验证

Question

I set up sign-up and sign-in through a custom policy in Azure Active Directory B2C.

I have 2 app registrations in the Azure AD B2C tenant:

1. a web application, which exposes an API
2. a Single-page application (SPA), which has been granted access to the API described above

I don't have any app registration in my corp tenant, only in my B2C tenant.

Everything works fine, but the application shows up as unverified in the user consent prompt: https://1drv.ms/u/s!AhEACHgzzcWq4jH6dbds5TaW6ylH?e=Y5aTvM and https://1drv.ms/u/s!AhEACHgzzcWq4jKH95a3JzBoojpU?e=kFLvPR

To show it as verified, I:

(from: https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-custom-policy#verify-the-applications-publisher-domain )

1. verified my company's identity with Microsoft Partner Network (MPN)
2. am trying to complete the publisher verification process to associate my MPN account with my app registration

The publisher domain of both apps is set to the primary verified custom domain of the tenant.

I am using Microsoft Graph to set my app's verified publisher:

POST /applications/<app-object-id>/setVerifiedPublisher
{
"verifiedPublisherId": "<my-MPN-id>"
}

But I get the following error message: “The MPN ID you provided does not exist, or you do not have access to it. Please provide a valid MPN ID and try again.”. The MPN id I am using is the Global MPN ID.

This error is listed in the common issues in the documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/troubleshoot-publisher-verification#common-issues . Following the documentation, when I open the MPN tenant management page, the tenant where the app is registered in (the B2C tenant) is not on the list of the associated tenants. Only my corp tenant is on the list. However, even following the instructions in the documentation to associate a new tenant to the MPN account, I am not able to associate the B2C tenant. That process seems to be intended to associate Azure AD tenants to the MPN account, not Azure AD B2C tenants.

How can I set my app's verified publisher so that it shows up as verified in the user consent prompt?

Answer 1

Azure AD B2C tenants can be associated. Click the associate button and use your B2C (not your corp tenant) Global Admin credentials.

Enjoy!

Answer 2

• You might be facing this issue because the publisher domain might not be correctly verified as it should be like the custom domain whose DNS records have been verified in normal Azure AD tenant . Thus, would suggest you to please check the custom domain verification in corresponding Azure AD tenant and similarly ensure that the domain is verified for your application in Azure AD B2C tenant according to the below documentation link: -

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-configure-publisher-domain#configure-publisher-domain-using-the-azure-portal

• Also, do ensure that you have global administrator privileges on the tenant in which your application is registered, and your user account is a global administrator in that tenant in which your application is registered. You should be an 'MPN Admin' or 'Accounts Admin' for your tenant. You can verify that by signing on the below MPN management page : -

https://partner.microsoft.com/dashboard/account/v3/tenantmanagement

• And finally, when the above conditions are met, then using the graph API, mark the app as publisher verified by executing the below command with the verified MPN ID . Ensure that you are logging into the Microsoft Graph API with the Global Administrator credentials and executing the command. Also do refer the below documentation for this purpose: -

https://docs.microsoft.com/en-us/azure/active-directory/develop/troubleshoot-publisher-verification#making-microsoft-graph-api-calls

   POST /applications/0cd04273-0d11-4e62-9eb3-5c3971a7cbec/setVerifiedPublisher 

  { 

    "verifiedPublisherId": "12345678" 

  }