Introduction
Why Decentralized Identity Matters
Today, our digital identities are managed by third parties, often without clear visibility. Users struggle to track their data, and organizations face challenges in sharing information securely. Decentralized identity shifts control back to individuals and organizations, enhancing security, privacy, and trust.
What Are Decentralized Identifiers (DIDs)?
To understand decentralized identity, it’s important to know about Decentralized Identifiers (DIDs).
Unlike traditional identifiers such as email addresses or social media accounts, which depend on a company or service provider, DIDs are created and owned by the individual or organization that uses them. They are globally unique, tamper-resistant, and independent of any single organization.
In Microsoft's approach, the keys bound to an issuer's DID sign verifiable credentials, so a relying party can check a credential by resolving the issuer's DID rather than calling back to a third-party service.
What Are Verifiable Credentials?
In our daily lives, we rely on credentials like passports, driver’s licenses, and certificates to prove who we are. Verifiable credentials are the digital version of these trusted documents.
They contain claims such as a person's name, a certification, or an employee ID, are issued by an organization, and are digitally signed so that a verifier can confirm who issued them and detect any tampering. The credentials are built to respect privacy, giving users control over when and how they share their information.
How Decentralized Identity Works
Microsoft’s decentralized identity solution brings together several key components to make everything work securely and reliably:
- Decentralized Identifiers (DIDs): the globally unique identifiers for issuers and verifiers; each resolves to a DID document holding the public keys used to check signatures.
- Trust System (DID:Web): the DID method Verified ID uses. The DID document is served over HTTPS at a well-known location, and an organization proves control of its domain by publishing a linked-domain configuration on that domain.
- DID User Agent / Wallet (Microsoft Authenticator App): stores the user's credentials on the device and presents them, with the user's consent, when an application asks for them.
- Microsoft Resolver: looks up a DID and returns its DID document so that signatures on credentials and presentations can be verified.
- Microsoft Entra Verified ID Service: the cloud service that issues credentials, verifies presentations, and exposes the Request Service API your applications call.
Microsoft Entra Verified ID Setup Options
Microsoft Entra Verified ID can be set up in two ways: Quick Setup and Advanced Setup.
Quick Verified ID Setup
The Quick Setup option simplifies the process by automating several configuration steps. With just a click on the Get Started button, it handles:
- Creating signing keys
- Registering your decentralized ID (DID)
- Verifying domain ownership
- Generating a Verified Workplace Credential automatically
Prerequisites:
- You must have Authentication Policy Administrator permissions for your directory.
- For app registration tasks, Application Administrator permissions are also required.
- A custom domain must be registered with your Microsoft Entra tenant; otherwise, the process defaults to the advanced setup.
- Quick Setup is not supported in EDU Entra tenants.
Additional Notes:
- Microsoft manages a shared signing key across multiple tenants within a region, so an Azure Key Vault deployment is no longer necessary.
- There is a limit of two requests per second (RPS) per tenant for issuing and verifying credentials.
- Credentials issued via Quick Setup are valid for a maximum of six months.
- The DID follows the format:
did:web:verifiedid.entra.microsoft.com:tenantid:authority-id
- If your tenant has custom branding, the VerifiedEmployee credential automatically uses your logo and background color, but you can customize it after setup.
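To make the did:web trust system concrete, here is an added example (not code from the original post or from Microsoft) that maps a did:web identifier such as the one Quick Setup produces to the HTTPS URL of its DID document, following the did:web method rules, and then derives the did-configuration.json URL for each linked domain declared in the DID document. That file is what the "Verify domain" step relies on. The DID document, key id and origin below are constructed placeholders. The example also rejects DIDs whose decoded path segments would escape the expected location, a check a resolver needs before fetching anything.

```python
"""did:web resolution and linked-domain lookup for a Verified ID authority.

Added example; not code from the original post or from Microsoft. The DID document
below is constructed for illustration, and the key id and origin are placeholders.
"""
import re
from urllib.parse import unquote, urlparse

# Host part of a did:web: DNS labels plus an optional ":port" (the port's colon
# arrives percent-encoded as %3A, because ':' separates path segments in the DID).
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]+)?$")


def did_web_to_url(did: str) -> str:
    """Map a did:web DID to the HTTPS URL of its DID document (did:web method spec).

    did:web:contoso.example            -> https://contoso.example/.well-known/did.json
    did:web:contoso.example:issuer:hr  -> https://contoso.example/issuer/hr/did.json
    did:web:localhost%3A8443:issuer    -> https://localhost:8443/issuer/did.json
    """
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError(f"not a did:web identifier: {did!r}")
    segments = did[len(prefix):].split(":")
    host = unquote(segments[0])
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid did:web host: {host!r}")
    path = []
    for seg in segments[1:]:
        seg = unquote(seg)
        # Reject segments that would escape or rewrite the URL path after decoding,
        # e.g. "..", "%2E%2E" or "a%2Fb": the resolver must only ever fetch did.json
        # from the location the DID names.
        if seg in ("", ".", "..") or any(c in seg for c in "/\\?#"):
            raise ValueError(f"invalid did:web path segment: {seg!r}")
        path.append(seg)
    if path:
        return f"https://{host}/{'/'.join(path)}/did.json"
    return f"https://{host}/.well-known/did.json"


def linked_domain_config_urls(did_document: dict) -> list:
    """Return the did-configuration.json URL for each LinkedDomains origin in a DID document.

    Domain verification works by the domain owner publishing
    https://<origin>/.well-known/did-configuration.json, which carries a token signed
    with the DID's key that names that origin. This function only derives the URLs to
    fetch; the signature on the fetched token must still be verified with the public key
    from the DID document's verificationMethod (omitted here: the standard library has
    no ES256 implementation).
    """
    urls = []
    for svc in did_document.get("service", []):
        if svc.get("type") != "LinkedDomains":
            continue
        endpoint = svc.get("serviceEndpoint", {})
        origins = endpoint.get("origins", []) if isinstance(endpoint, dict) else [endpoint]
        for origin in origins:
            parsed = urlparse(origin)
            # The link is only as trustworthy as TLS to that host, so plain http:// is refused.
            if parsed.scheme != "https" or not parsed.netloc:
                raise ValueError(f"refusing non-HTTPS linked domain origin: {origin!r}")
            urls.append(f"https://{parsed.netloc}/.well-known/did-configuration.json")
    return urls


# Constructed sample: the DID format Quick Setup produces, with a minimal DID document.
SAMPLE_DID = "did:web:verifiedid.entra.microsoft.com:tenantid:authority-id"
SAMPLE_DID_DOCUMENT = {
    "@context": ["https://www.w3.org/ns/did/v1"],
    "id": SAMPLE_DID,
    "verificationMethod": [
        {
            "id": "#sig_key",  # placeholder key id
            "type": "JsonWebKey2020",
            "controller": SAMPLE_DID,
            "publicKeyJwk": {"kty": "EC", "crv": "P-256", "x": "<x>", "y": "<y>"},  # placeholder
        }
    ],
    "service": [
        {
            "id": "#linkeddomains",
            "type": "LinkedDomains",
            "serviceEndpoint": {"origins": ["https://contoso.example/"]},  # placeholder origin
        }
    ],
}

if __name__ == "__main__":
    print("DID document URL:", did_web_to_url(SAMPLE_DID))
    print("domain link files:", linked_domain_config_urls(SAMPLE_DID_DOCUMENT))
```

Running the block resolves the Quick Setup DID to https://verifiedid.entra.microsoft.com/tenantid/authority-id/did.json and points at https://contoso.example/.well-known/did-configuration.json as the file to fetch and verify. With the Quick Setup format the DID document itself is hosted by Microsoft; what binds the authority to your organization is the signed entry your own domain publishes in that configuration file.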
If your environment requires more control or customization, you should consider the Advanced Setup option.
Advanced Verified ID Setup
The Advanced Setup method offers full flexibility, allowing admins to configure every component manually. It’s ideal for organizations needing a tailored Verified ID deployment.
Advanced setup steps include:
- Configure Azure Key Vault: Store and manage signing keys securely.
- Register Decentralized ID: Create and register your DID to establish a trusted identity.
- Verify Domain: Link your verified domain to your DID for trust validation.
Because the signing keys live in an Azure Key Vault that you own, an Azure subscription is required to set up and manage it; in exchange you keep control of key custody and rotation, which is what makes Advanced Setup the right choice for organizations with specific security and operational requirements.
Setting Up Microsoft Entra Verified ID
We’ll use the Quick Setup method to configure Verified ID. The main advantage of Quick Setup is that it eliminates the need to deploy an Azure Key Vault; Microsoft manages a shared signing key for you. The trade-off is that you do not hold the signing key yourself, so if key custody or rotation policy matters to your organization, use Advanced Setup instead.
If your Microsoft Entra tenant has a registered custom domain, you’ll see the Get Started option under Verified ID.
Follow these steps:
- Open the Microsoft Entra admin center and navigate to Verified ID.
- Click Get Started, then click Get Started again to proceed.
- Select the custom domain you want to use.
- Adjust the branding if needed. Only a few elements can be modified: the background color, logo, and text color.
Configure Users or Groups
By default, the Verified Employee credential is available to all users in your tenant. If you prefer to restrict access to specific groups, follow these steps:
- Go to Credentials.
- Select the Verified Employee credential.
- Under Who can retrieve a credential, select Allow users from selected groups only or
Issuing Credentials Through My Account
You can allow eligible users to retrieve their Verified Employee credential directly from the My Account portal.
If you would rather not issue credentials through My Account, you can disable this option.
In that case, you can issue credentials through your own website instead.
To issue a Verified Employee credential through your website, call the Request Service API from your page or application using the API call and request body shown for the credential in the admin center, so users can request their verifiable credentials directly.
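As an added example (not code from the original post or from Microsoft), the block below shows the server side of that flow: building the createIssuanceRequest body for a signed-in user and validating the callbacks the Verified ID service posts back while the user scans the QR code. The body shape follows the Request Service API as I understand it; the DID, manifest URL, callback URL and client name are placeholders you replace with values from your tenant. Acquiring the bearer token for the Request Service and sending the HTTP POST are left to your HTTP and MSAL stack and are not shown. The point the example makes is that the callback endpoint is an unauthenticated public URL, so the per-request state and api-key you put in the request are what stop anyone else from posting a fake "issuance_successful" event.

```python
"""Issuing a Verified Employee credential from your own site: request body and callback checks.

Added example; not code from the original post or from Microsoft. The body shape follows the
Verified ID Request Service API (createIssuanceRequest) as I understand it; the DID, manifest
URL, callback URL and client name are placeholders. Token acquisition and the HTTP POST to the
Request Service are not shown.
"""
import hmac
import secrets
from dataclasses import dataclass

ISSUANCE_ENDPOINT = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createIssuanceRequest"

# Placeholders: take the real values from the credential's issuance page in the admin center.
AUTHORITY_DID = "did:web:verifiedid.entra.microsoft.com:tenantid:authority-id"
MANIFEST_URL = "https://verifiedid.did.msidentity.com/v1.0/tenants/<tenant-id>/verifiableCredentials/contracts/<contract-id>/manifest"
CALLBACK_URL = "https://issuer.contoso.example/api/issuer/callback"

# Callback statuses the Request Service reports for an issuance request.
KNOWN_STATUSES = {"request_retrieved", "issuance_successful", "issuance_error"}


@dataclass
class PendingIssuance:
    user_id: str            # the signed-in user this request was created for
    api_key: str            # per-request secret the service must echo back in the callback
    status: str = "created"
    error: object = None    # error object from an issuance_error callback, if any


class IssuanceBroker:
    """Tracks issuance requests and authenticates the callbacks that report on them."""

    def __init__(self):
        self._requests = {}  # state -> PendingIssuance

    def build_request(self, user_id: str) -> dict:
        """Build the createIssuanceRequest body for an already-authenticated user.

        state is random and unique per request: it ties each callback to the session that
        started the flow. headers.api-key is a second random secret; the service sends it
        back on every callback, so a forged callback without it is rejected.
        """
        state = secrets.token_urlsafe(32)
        api_key = secrets.token_urlsafe(32)
        self._requests[state] = PendingIssuance(user_id=user_id, api_key=api_key)
        return {
            "authority": AUTHORITY_DID,
            "registration": {"clientName": "Contoso Employee Portal"},  # placeholder name
            "callback": {"url": CALLBACK_URL, "state": state, "headers": {"api-key": api_key}},
            "type": "VerifiedEmployee",
            "manifest": MANIFEST_URL,
            # VerifiedEmployee claims (displayName, jobTitle, photo, ...) come from the
            # directory, so no "claims" object is sent for this credential type.
        }

    def handle_callback(self, headers: dict, event: dict) -> tuple:
        """Validate one callback POST. Returns (http_status, reason) for the web framework.

        headers: the request headers as a dict; event: the parsed JSON body.
        """
        state = event.get("state")
        pending = self._requests.get(state)
        if pending is None:
            return 401, "unknown state"
        # Header names are case-insensitive; compare the secret in constant time.
        supplied = {k.lower(): v for k, v in headers.items()}.get("api-key", "")
        if not hmac.compare_digest(str(supplied).encode(), pending.api_key.encode()):
            return 401, "bad api-key"
        status = event.get("requestStatus")
        if status not in KNOWN_STATUSES:
            return 400, f"unexpected requestStatus {status!r}"
        if pending.status in ("issued", "error"):
            return 409, "request already completed"
        if status == "request_retrieved":
            pending.status = "retrieved"        # the wallet scanned the QR code
        elif status == "issuance_successful":
            pending.status = "issued"
        else:
            pending.status = "error"
            pending.error = event.get("error")
        return 200, "ok"

    def status_for(self, state: str) -> str:
        """What the browser polls to learn when it can stop showing the QR code."""
        pending = self._requests.get(state)
        return pending.status if pending else "unknown"


if __name__ == "__main__":
    broker = IssuanceBroker()
    body = broker.build_request("alice@contoso.example")   # constructed sample user
    print("POST", ISSUANCE_ENDPOINT, "with state", body["callback"]["state"])
    # Simulated callbacks from the service, as constructed sample input.
    key = body["callback"]["headers"]["api-key"]
    print(broker.handle_callback({"api-key": "guess"}, {"state": body["callback"]["state"], "requestStatus": "issuance_successful"}))
    print(broker.handle_callback({"api-key": key}, {"state": body["callback"]["state"], "requestStatus": "request_retrieved"}))
    print(broker.status_for(body["callback"]["state"]))
```

In a real deployment the broker's state lives in a shared store rather than a dict, and the value returned by status_for is what the page polls; the browser should never be told the api-key. The same pair of secrets protects the callback of a presentation request, so the validation logic carries over unchanged to the verifier side.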
Setting Up Face Check with Microsoft Entra Verified ID
Microsoft has added Face Check to the Verified ID platform as an extra layer of assurance in the verification process. Face Check matches a live selfie taken in Microsoft Authenticator against the photo carried in the user's Verified ID (for the Verified Employee credential, the user's directory profile picture).
The facial matching is powered by Azure AI services, and only the match result (a confidence score), not the selfie itself, is shared with the verifying application, so the user's biometric data is not disclosed.
To use Face Check, users must have a profile picture uploaded. They can upload it themselves via the My Account page, or administrators can add it through the Microsoft 365 Admin Center.
Face Check must also be requested by the application that asks for the Verified ID, as part of its presentation request. For detailed setup instructions, refer to the official documentation.
Face Check can be enabled in two ways: through the Microsoft Entra Admin Center or using the Azure Resource Manager (ARM) REST API via CLI.
- If your tenant has a Microsoft Entra Suite license, Face Check is enabled at the tenant level, applying to all authorities within the tenant.
- For other license types, Face Check must be enabled individually for each authority using the ARM REST API.
Note:
The ARM REST API for Microsoft Entra Verified ID is currently in public preview.
Billing Information:
If you have a Microsoft Entra Suite license, you are entitled to up to 8 face verifications per month per license at no additional cost. Beyond that limit, or without an Entra Suite license, Face Check is billed through the linked Azure subscription.
How to Enable Face Check from the Admin Center
In the Verified ID overview page, scroll down to the Add-ons section. Enable the Face Check add-on.
In the Link a subscription step, select your Subscription, Resource Group, and then click Validate.
After setup, you can start integrating Face Check into your enterprise applications.
Getting Your Verified ID from My Account
In the video below, I’ll walk you through how to get your Verified ID from the My Account page.
Before we begin, we’ll quickly set up a profile picture for the account.
The first step is to obtain your own Verified ID, and this can be done easily through the My Account portal. Your users will also follow the same steps to retrieve their Verified ID.
Make sure you have the Microsoft Authenticator app installed on your mobile device.
Here’s how to get started:
- Go to My Account.
- Click Get my Verified ID.
- Scan the QR code using the Microsoft Authenticator app (select Work or School Account when prompted).
- After scanning, you’ll find your Verified ID within the Authenticator app. Tap on the Verified ID to view all associated details and activity history.
Demo: Requesting Access Package with Entra Verified ID
In this demo, I’ll show how employees can request an access package using Entra Verified ID with Face Check verification.
The access package, published by the M365 Admin, grants access to SharePoint sites, Entra ID roles, and groups.
Employees must verify their identity using their Verified ID and Face Verification before access is approved.
Conclusion
Decentralized identity represents a major step forward in protecting user privacy and securing digital interactions. Microsoft Entra Verified ID makes it easier for organizations and individuals to control their digital credentials, build trust, and operate securely in an increasingly connected world.
By setting up Verified ID today, you’re laying the foundation for a future where individuals own and manage their digital identities, with better security, stronger privacy, and greater flexibility.