Native Client Multi Tenant Authentication

I've built a native client application (WPF) that communicates with a web api that needs to be multi tenant. The web api and the native client application are all set up. Done deal. The only identity provider I'm going to authenticate against is Azure AD.

Here's where I'm stuck and maybe I'm thinking about things wrong.

Here's how I see the auth flow: users authenticate against their Azure AD and receive a token, user makes a call to the web api passing said token, web api verifies the token is valid, and ...

I'm aware of the consent framework and have it in place for the web api but it doesn't work for native clients: "AADSTS90010: Admin consent for native client applications is not supported".

So do the admins of each tenant need to manually configure the native client application in their Azure ADs? If so, how do you handle the multiple client ids that are required for authentication against Azure AD? Or in my consent workflow can I add the native client into their Azure AD for them (btw I've tried that but I don't think the token I'm getting back from the consent framework gives me the permissions I need but I'm not sure)?

Currently my plan is to have Azure AD admins manually configure the native client application in their Azure ADs and then store the domain + client id in a database. Before the user actually authenticates I'll pull information so I can populate the urls correctly? It just seems like I shouldn't have to do all of that but since it's a native client application maybe I do?

