Cannot add verified publisher MPN ID to Azure multi-tenant app

To allow the users of our platform to sign in using their Microsoft account, we've created an app in our Azure Active Directory as per the documentation. I configured everything appropriately, until noticing you're required to be a verified publisher to let users from other Azure tenants actually use your app:

Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers.

To comply with this, I've signed up for Microsoft Partner Network as per the documentation, which lists the following requirements:

  • An MPN ID for a valid Microsoft Partner Network account that has completed the verification process. This MPN account must be the Partner global account (PGA) for your organization.
    I have the global MPN ID for our account

  • An app registered in an Azure AD tenant, with a Publisher Domain configured.
    App is configured, has our Azure-AD domain set (company.tld)

  • The domain of the email address used during MPN account verification must either match the publisher domain configured on the app or a DNS-verified custom domain added to the Azure AD tenant.
    I used my company email address ([email protected]), the custom domain is DNS-verified too

  • The user performing verification must be authorized to make changes to both the app registration in Azure AD and the MPN account in Partner Center.
    I am a global administrator to both

  • The user performing verification must sign in using multi-factor authentication.
    I am signed in using MFA

  • The publisher agrees to the Microsoft identity platform for developers Terms of Use.
    Yes, I've sold my soul to Microsoft

Regardless, upon entering our MPN ID into the appropriate field, the following error message appears:

A verified publisher cannot be added to this application. Please contact your administrator for assistance. [AOXM7kbHnu1OFc9wRGbqMN]

I have copied the ID verbatim, and entering a malformed ID triggers another error, so I'm fairly confident it's the right one.
I've researched and found several reports of this problem, which seem to have resolved after waiting 48 hours:

  • Relevant Microsoft Q&A
  • Relevant GitHub issue 1
  • Relevant GitHub issue 2

I've thoroughly waited for three days now, but the issue did not resolve by itself. Is there anything I've missed, any requirement not listed on the docs page, or a debugging step I can do to fix this? After all, I just wanted to have a "Sign in with Microsoft" button, which took approximately 5 minutes to set up with every other provider out there.

Update: A week after trying to set the MPN ID for the first time, it has been accepted now. I didn't want to post this as an answer, though, because it isn't one: Nothing in the documentation of the process makes it clear there's a week-long waiting period.
Maybe there is something prolonging the process others could seek to avoid?


Solution 1:

A verified publisher cannot be added to this application. Please contact your administrator for assistance. [VtDMuVrKrDh71B4CpEGuzK]

I got this error multiple times. One time it got accepted! Strange

Solution -- keep trying

Hope someone from Microsoft fixes this properly.

Solution 2:

Having the same problem updating a listing that our team has created to add the MPN ID. We get the following error message:

You are unable to add a verified publisher to this application. Please contact your administrator for assistance. [EDXvPJBk10CpMpIebBB69m]

I've checked that I've met all the conditions required and I'm the Global Administrator of both the Partner and Azure accounts.

I have found some additional information that might be helpful for debugging this issue. In the Audit Log for my user in the Azure console there are corresponding "failed" audit entries which contain the Correlation and Object Id for each time I've attempted to apply the MPN ID.

Additional Information

After some experimentation I think the problem might be the instructions on this page are incorrect for setting the MPN ID: https://docs.microsoft.com/en-us/azure/active-directory/develop/mark-app-as-publisher-verified#mark-your-app-as-publisher-verified-1

It says that as an MPN partner user I required the following roles on my Partner Center user:

In Partner Center this user must have of the following roles: MPN Admin, Accounts Admin, or a Global Admin (this is a shared role mastered in Azure AD).

Those roles don't work by themselves; once I added the “Business profiles admin” on my MPN partner user I was able to set the MPN ID in the Azure console.

Solution 3:

I had exactly the same issue and was able to add the ID after I opened a guest session in the browser. Maybe one really needs to log in again to the portal after creating the app registration, or it just needs some time (about 5 minutes in my case) to "synchronize" something in the background after the app is created.