Looking for best practice for the following scenario. My application must read user information from Azure AD in many different customers tenants via Microsoft Graph. Is the only way to create an app registration/enterprise app manually in each tenant with the right scope?
Is it possible to create an app registration from admin consent url, or is it only possible from the GUI inside azure portal or via powershell.
Yes. You can use a multi-tenant app and admin consent url.
Create the app registration in your tenant. Assign the Microsoft Graph permissions into it.
Then do the admin consent for customer's tenant using the admin consent endpoint (access the following url in a browser):
https://login.microsoftonline.com/{tenant-id of customer}/adminconsent?client_id={client-id of the multi-tenant app}
Sign in with the admin account from customer's tenant to do the admin consent. This will added an enterprise app to that tenant.
The enterprise app in customer's tenant will have the permissions you added in your tenant and can call Microsoft Graph.
