Reputation: 1
We have a multi-tenant application registered in primary Tenant A with an enterprise application (service principal) in Tenant B. We would like to add an API permission to our application; however, the resource/application providing the API permission is not multi-tenant and is registered only in Tenant B. Therefore, we cannot directly add the API permission to our registered application in Tenant A.
We are the owners of the service principal in Tenant B, and we tried to add the API permission to the service principal as an App role using this Graph API call: `https://graph.microsoft.com/v1.0/servicePrincipals/{resourceId}/appRoleAssignedTo`.
However, the permissions needed to invoke the Graph API require tenant admin approval. We are not tenant admins and we are unable to acquire the required permissions as one or more of them are listed as critical.
We want to avoid having to register a new app in Tenant B solely for purposes of adding and using the API permission.
Upvotes: 0
Views: 256
Reputation: 3495
Regardless of the app used, application permissions/roles always require admin consent. You will need one to proceed.
Upvotes: 0
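The request a Tenant B admin (or a caller holding admin-consented permissions) would send to the endpoint named in the question, as an added example that is not part of either post. The role names and GUIDs are constructed, and `build_app_role_assignment` is a hypothetical helper; it resolves the app role on the resource service principal and refuses roles that cannot be granted to an application.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: the resource service principal in Tenant B, shaped like
# GET /servicePrincipals/{id}?$select=id,appRoles (all GUIDs and names are made up).
RESOURCE_SP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appRoles": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Orders.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Orders.Read",
         "allowedMemberTypes": ["User"], "isEnabled": True},
    ],
}
# Constructed: object id of our enterprise application (service principal) in Tenant B.
CLIENT_SP_ID = "22222222-2222-2222-2222-222222222222"


def build_app_role_assignment(resource_sp, client_sp_id, role_value):
    """Return (url, body) for the POST that grants role_value to client_sp_id."""
    role = next((r for r in resource_sp["appRoles"] if r["value"] == role_value), None)
    if role is None:
        raise ValueError(f"resource does not expose app role {role_value!r}")
    if not role["isEnabled"]:
        raise ValueError(f"app role {role_value!r} is disabled")
    if "Application" not in role["allowedMemberTypes"]:
        # Roles limited to users cannot be assigned as an application permission.
        raise ValueError(f"app role {role_value!r} is not assignable to applications")
    url = f"{GRAPH}/servicePrincipals/{resource_sp['id']}/appRoleAssignedTo"
    body = {
        "principalId": client_sp_id,      # who receives the role (our service principal)
        "resourceId": resource_sp["id"],  # the API's service principal in Tenant B
        "appRoleId": role["id"],          # the role's id, not its display value
    }
    return url, body


if __name__ == "__main__":
    url, body = build_app_role_assignment(RESOURCE_SP, CLIENT_SP_ID, "Orders.Read.All")
    print("POST", url)
    print(json.dumps(body, indent=2))
```
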