We're moving an existing application registration from our corporate tenant (foo-corporate.com) to a new dedicated tenant (bar-app.com).
The process of moving the app registration requires creating a new app registration in the bar-app.com tenant.
According to this article, we need to verify the publisher domain (foo-corporate.com) in the new dedicated tenant (bar-app.com).
This is necessary, as the user will otherwise see unverified as the publisher on the consent screen (see #5 on screenshot) instead of the publisher (foo-corporate).
The process to verify the publisher involves hosting a microsoft-identity-association.json on https://foo-corporate.com/.well-known/ to verify the publisher.
Questions
- Is there another way to verify the publisher foo-corporate.com for the new app registration in bar-app.com tenant? We're a large enterprise and our development team doesn't have access to the hosting of foo-corporate.com (public website), so we can't put the json file there. I assume this is the case for most larger enterprises.
- In case there is no other option, do we need to host this file permanently or is it only needed for a first verification and can be removed afterward?
Update 1
The question is about publisher domain verification and not custom domain verification, as the first answer to this question assumed.
Sample Consent Screen