Hello @Pawlik Michael · Thank you for reaching out.
To achieve your requirement, you need to use the knownClientApplications attribute in the app manifest. I have worked on a POC, where I combined permissions of a custom API and the Graph API in a single consent prompt. Below are the steps that I performed:
Tenant 1:
App2 (Web App), exposed as an API with App ID URI: https://verified_domain/api2/
Added the scopes below:
- https://verified_domain/api2/user_impersonation
- https://verified_domain/api2/read
App1 (Web App), configured with the permissions below:
- App2 - https://verified_domain/api2/read and https://verified_domain/api2/user_impersonation
- Microsoft Graph - Files.read and Mail.read
- Added the Client ID of App2 to the knownClientApplications parameter within the manifest of App1.
Tenant 2:
Tried to access the application using the link below and supplied the credentials of Tenant 2’s admin. Confirmed that all permissions are present in the consent prompt:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code
After accepting the consent, confirmed that a service principal for both applications is created in Tenant 2.
Hope this includes all the information that you were looking for.
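An added example (not part of the original answer and not Microsoft's code): before an admin accepts the combined prompt, the manifests can be checked offline for which scopes the prompt will request and whether the knownClientApplications entry described in the answer is present. The manifest dictionaries are constructed, every GUID other than Microsoft Graph's appId is a placeholder, and the function names are hypothetical.

```python
from urllib.parse import urlencode

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's appId

# Constructed manifests mirroring the answer's layout. Every GUID except
# GRAPH_APP_ID is a placeholder, including the scope ids listed under Graph.
APP2 = {"name": "App2", "appId": "22222222-0000-0000-0000-000000000000",
        "oauth2Permissions": [
            {"id": "a2000000-0000-0000-0000-000000000001", "value": "user_impersonation"},
            {"id": "a2000000-0000-0000-0000-000000000002", "value": "read"}]}
GRAPH = {"name": "Microsoft Graph", "appId": GRAPH_APP_ID,
         "oauth2Permissions": [
             {"id": "c0000000-0000-0000-0000-000000000001", "value": "Files.Read"},
             {"id": "c0000000-0000-0000-0000-000000000002", "value": "Mail.Read"}]}
APP1 = {"name": "App1", "appId": "1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "knownClientApplications": [APP2["appId"]],
        "requiredResourceAccess": [
            {"resourceAppId": r["appId"],
             "resourceAccess": [{"id": p["id"], "type": "Scope"}
                                for p in r["oauth2Permissions"]]}
            for r in (APP2, GRAPH)]}


def consent_preview(client, resources):
    """Resolve each requested scope id to a name, grouped by resource."""
    by_id = {r["appId"]: r for r in resources}
    preview = {}
    for req in client.get("requiredResourceAccess", []):
        res = by_id.get(req["resourceAppId"])
        label = res["name"] if res else "UNKNOWN " + req["resourceAppId"]
        names = {p["id"]: p["value"] for p in res["oauth2Permissions"]} if res else {}
        preview[label] = sorted(names.get(a["id"], "UNRESOLVED " + a["id"])
                                for a in req["resourceAccess"])
    return preview


def unlinked_resources(client, resources):
    """Requested custom APIs whose appId is not in knownClientApplications."""
    known = set(client.get("knownClientApplications", []))
    wanted = {r["resourceAppId"] for r in client.get("requiredResourceAccess", [])}
    return [r["name"] for r in resources if r["appId"] in wanted
            and r["appId"] != GRAPH_APP_ID and r["appId"] not in known]


def admin_consent_url(client):
    """Build the v1 authorize URL with prompt=admin_consent, as in the answer."""
    query = urlencode({"client_id": client["appId"], "prompt": "admin_consent",
                       "response_type": "code"})
    return "https://login.microsoftonline.com/common/oauth2/authorize?" + query
```

A scope id that does not resolve against the supplied resource manifests is reported as `UNRESOLVED`, which is the entry to question before consenting.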