Hello @James Morton,
Thank you for your patience and allowed me time to look into your issue.
I understand that you are trying to preauthorize another service principal to your app without requiring tenant administrator consent, and you are curious about whether appRoleIds are allowed in preAuthorizedApplications and if there is any internal feature available for preauthorizing app roles.
After checking with my internal, I can confirm you that appRoleIds are not currently allowed in preAuthorizedApplications.
According to https://video2.skills-academy.com/en-us/graph/api/resources/preauthorizedapplication?view=graph-rest-beta, "In some rare cases, an identifier listed in the permissionIds property may refer to an app role (from the service principal's appRoles property), indicating that the client application identified by the appId property has been preauthorized for that app role."
Earlier they made it for some customers, but it's not working now. Thanks for pointing this and we are working internally with authors to update the documentation.
Hope this includes all the information that you were looking for.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju