I have a AAD secured api and I need to grant a client application access to this api (without any user context). I have added a approle with "allowedMemberTypes": ["Application" ] to the manifest of my api. The client has requested permission to my api but from what I am reading online only a tenant admin can grant this permission(being owner on the api is not sufficient).
What is the recommended way of implementing active directory authentication in such a scenario without needing tenant admin intervention? The api simply needs to grant access to a set of client service principals (no user context involved).