Commit c2292e0

Author: Greg Joseph (committed)
docs: Add FSCTR.Manage.All permission and CT owner self-service registration
- Add FileStorageContainerTypeReg.Manage.All to application permissions list
- Document CT owner self-service registration for tenant-local container types
- Document requirements: delegated mode, Manage.All scope, non-guest, tenant toggle
- Note: Depends on SPO.Core PR #2129255 merging
1 parent a9c6794 commit c2292e0

File tree

1 file changed

+17
-1
lines changed

docs/embedded/development/auth.md

Lines changed: 17 additions & 1 deletion
@@ -36,7 +36,8 @@ SharePoint Embedded operations are exposed via Microsoft Graph. SharePoint Embed
3636
SharePoint Embedded applications need to request the following Microsoft Graph permissions in their application manifest to work with SharePoint Embedded:
3737

3838
- [FileStorageContainerType.Manage.All](/graph/permissions-reference#filestoragecontainermanageall) to allow an application to create and manage container types on the owning tenant. This permission is only needed on the owning tenant where the container type is created.
39-
- [FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected) to allow an application to register the container type on consuming tenants.
39+
- [FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected) to allow an application to register the container type on consuming tenants. This permission is intended for the owning application.
40+
- [FileStorageContainerTypeReg.Manage.All](/graph/permissions-reference#filestoragecontainertyperegmanageall) to allow an application to manage file storage container type registrations on behalf of the signed-in user. This permission is used by non-owning applications and administrative tools.
4041
- [FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected) to allow an application to access containers of the given container type on consuming tenants.
4142

4243
#### Access on behalf of a user
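Review bot: the new `FileStorageContainerTypeReg.Manage.All` bullet (line 40+) says the permission acts "on behalf of the signed-in user" but never states that it is delegated-only, while the self-service section added later in this same commit lists "The call is delegated (not app-only)" as a hard requirement; say so here (for example, "This is a delegated permission; app-only calls are not supported") so readers picking permissions from this list do not request it in an app-only flow and then fail at registration time. Separately, the three `FileStorageContainerTypeReg.*` anchors follow the `#filestoragecontainertypereg…` pattern, but the unchanged `FileStorageContainerType.Manage.All` entry above links to `#filestoragecontainermanageall` (no `type` segment); worth verifying that anchor while this list is being edited.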
@@ -132,6 +133,21 @@ Specific items in a container can be shared with users via the [driveItem invite
132133

133134
[SharePoint Embedded Administrators](/entra/identity/role-based-access-control/permissions-reference#sharepoint-embedded-administrator) can manage all SharePoint Embedded applications created in the **owning** tenant. Additionally, any Microsoft Entra user that isn't an external identity can be assigned as an owner of a [container type](/graph/api/resources/filestoragecontainertype). Container type owners can manage that specific container type. To learn more about managing applications created in the owning tenant, see [SharePoint Embedded developer administrator](../administration/developer-admin/dev-admin.md).
134135

136+
##### Container type owner self-service registration
137+
138+
Container type owners can register their container types in tenants where the container type is local (owning tenant equals consuming tenant). This requires:
139+
140+
- The application has `FileStorageContainerTypeReg.Manage.All` delegated permission
141+
- The calling user is a container type owner (appears in the permissions collection on the container type)
142+
- The call is delegated (not app-only)
143+
- The calling user is not a guest user
144+
- The tenant administrator has not disabled self-service container type registration
145+
146+
This enables developers to register their own container types without requiring a SharePoint Embedded Administrator to perform the registration on their behalf.
147+
148+
> [!NOTE]
149+
> Self-service registration is only available for tenant-local container types. Container type owners exist only in the owning tenant and are not propagated to consuming tenants. For cross-tenant registration scenarios, use `FileStorageContainerTypeReg.Selected` with the owning application.
150+
135151
### Exceptional access patterns
136152

137153
Currently, there are two types of operations with exceptional access patterns:
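Review bot: the requirements list (lines 140+ through 144+) gives the preconditions for self-service registration but not what the caller observes when one is not met; adding a sentence on the failure mode would let a developer tell a permission or guest/owner problem apart from the tenant-level toggle being switched off, which is the case they cannot fix themselves. The last bullet ("The tenant administrator has not disabled self-service container type registration") names a setting without linking to where it is documented; a link alongside the existing dev-admin link would close that gap. Also, the commit message says this depends on SPO.Core PR #2129255 merging, so either hold publication until that lands or add a rollout note, otherwise the page describes behaviour that is not yet live.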
