App Registrations: Publisher verification in secondary Entra ID tenant
The setup
You have your primary MPN tenant sorted. Publisher verification is in place, admin consent works, all good. Then a customer wants you to deploy your app in their tenant, or you need to register it directly in a secondary tenant you manage on their behalf.
The “Verified publisher” badge disappears. Users see an unverified warning on the consent screen. And the Microsoft docs don’t make it obvious why, or what to do next.
Here’s what’s actually going on and how to fix it.
What publisher verification does under the hood
Marking an app as a verified publisher links the Entra ID app registration to your MPN account. Three things need to be true before it works:
- Your MPN account is active and has been through vetting.
- The Entra ID tenant where you’re claiming verification is associated with that MPN ID in Partner Center.
- The app registration has a verified publisher domain set, pointing at a domain that’s confirmed in that tenant.
All three have to be in place. The tenant association and the publisher domain are separate checks and both will block you if missing. That’s the part that trips people up when crossing tenants.
Primary vs associated tenants
Your MPN account in Partner Center is tied to one specific Entra ID tenant, your primary tenant. If you want to verify apps registered in a different tenant, that tenant has to be added as an associated tenant in Partner Center first.
| Relationship | What it means |
|---|---|
| Primary tenant | The tenant linked to your MPN/PartnerID when you enrolled |
| Associated tenant | Any additional tenant you’ve explicitly connected to the same MPN account |
Without that association, the publisher verification flow fails regardless of what admin roles you hold in either tenant.
If the secondary tenant is one you already manage as a CSP partner, the association may already exist. Check in Partner Center before going through the steps below.
How to verify an app in a secondary tenant
Step 1: Associate the secondary tenant in Partner Center
- Sign in to Partner Center as a Global Admin from your primary tenant.
- Go to Account settings > Tenants.
- Click Associate Azure AD tenant (yes, it still says Azure AD in the UI).
- Enter the domain or tenant ID of the secondary tenant.
- You’ll be redirected to sign in as a Global Admin of the secondary tenant to confirm.
- Once confirmed, it shows up as an associated tenant.
One thing that catches people out: the account you use in the secondary tenant to confirm the association has to be a member account with Global Admin, not a guest. Guest accounts with the Global Admin role assigned won’t work here.
Step 2: Check which MPN ID you’re using
Partners often have multiple MPN Location IDs under one global account. For publisher verification you need the global MPN ID (the Partner Global Account ID), not a location-specific one.
Find it in Partner Center under Account settings > Organization profile > Identifiers.
Step 3: Set up the app registration
In the Azure portal, switch to the secondary tenant and open the app registration you want to verify. Before attempting verification, make sure it has:
- A sign-in audience configured (single or multi-tenant)
- At least one redirect URI (the verification flow won’t complete without one)
Step 4: Set the publisher domain on the app registration
Before you can add a verified publisher, the app needs a publisher domain set, and it has to be a domain that’s verified in the secondary tenant.
- In the Azure portal (secondary tenant), go to Microsoft Entra ID > Custom domain names and confirm the domain you want to use is verified there. If it isn’t, add and verify it first.
- Go back to your app registration and open Branding & properties.
- Under Publisher domain, click Set a publisher domain and select the verified domain.
- Save the change.
If you skip this step, the “Add a verified publisher” option either won’t appear or will fail immediately.
Step 5: Add the verified publisher
- In the Azure portal, go to Microsoft Entra ID > App registrations.
- Open your app, then go to Branding & properties.
- Click Add Partner ID to verify publisher (the UI label varies slightly depending on when you’re reading this).
- Enter your global MPN ID, also called Partner One ID in newer Partner Center UI.
- Click Verify and save.
If the tenant association is in place, Microsoft validates the MPN ID and marks the app as verified. You’ll see the blue “Verified” badge with your org name on the consent screen.
Error messages and what they actually mean
MPNAccountNotFound
The MPN ID you entered doesn’t match anything. Make sure you’re using the global account ID, not a location ID.
MPNGlobalAccountNotAssociated
The secondary tenant isn’t associated with your MPN account in Partner Center. Go back to Step 1.
MPNAccountInvalid or MPNAccountNotPCI
Your MPN account has a problem: lapsed membership, a failed review, incomplete identity verification. Check Partner Center for any alerts on the account.
TenantNotRegisteredInPartnerCenter
The association isn’t being recognised. If you just added it, give it up to 24 hours to propagate and try again.
VerifiedPublisherUpdateFailed
Usually a permissions issue. The account running the verification needs Application Administrator or Global Administrator in the secondary tenant.
Multi-tenant apps are different
If your app targets multiple orgs (AzureADMultipleOrgs or AzureADandPersonalMicrosoftAccount), the registration lives in your own tenant and gets consented to in customer tenants. In that case you only need to verify it once in your own tenant. The badge carries over everywhere the app is consented.
The cross-tenant headache described above is specific to single-tenant apps registered directly inside a customer or secondary tenant.
Keeping track of associated tenants
If you manage several customers and register apps in their tenants, it’s easy for the associations to drift. A simple spreadsheet helps:
Customer | Tenant ID | Associated in PC? | Last verified app
------------|------------------------|-------------------|------------------
Contoso | abc123.onmicrosoft.com | Yes | 2026-03-15
Fabrikam | def456.onmicrosoft.com | Yes | 2026-01-08
Northwind | ghi789.onmicrosoft.com | No | n/a
Worth reviewing after MPN renewals. In rare cases renewals can affect association states.
Quick reference
| Task | Where |
|---|---|
| Associate secondary tenant | Partner Center > Account settings > Tenants |
| Find global MPN ID | Partner Center > Account settings > Organization profile > Identifiers |
| Register the app | Azure portal (secondary tenant) > App registrations |
| Verify a domain in the tenant | Microsoft Entra ID > Custom domain names |
| Set publisher domain on app | App > Branding & properties > Publisher domain |
| Start verification | App > Branding & properties > Add verified publisher |
Note on naming: Microsoft has rebranded MPN as the Microsoft AI Cloud Partner Program (CPP). The MPN ID is now referred to as “Partner One ID” in some parts of the Partner Center UI. The concepts are the same.
Sources
- Publisher verification overview - Microsoft Learn
- Mark an app as publisher verified - Microsoft Learn
- Troubleshoot publisher verification - Microsoft Learn
- Publisher verification: domain mismatch Q&A - Microsoft Q&A
- Publisher verification for app in a different Entra tenant than Partner Center PGA - Microsoft Q&A