Getting Started with Microsoft Entra Verified ID for Secure Identity Management


Introduction

As our digital and physical lives become increasingly connected, identity theft and data breaches have become major concerns. To address these challenges, Microsoft is leading the way with Decentralized Identity, empowering individuals to manage their own digital identities securely. In this blog, we’ll explore why decentralized identity matters, how Microsoft’s Entra Verified ID works, and how to set it up.

Why Decentralized Identity Matters

Today, our digital identities are managed by third parties, often without clear visibility. Users struggle to track their data, and organizations face challenges in sharing information securely. Decentralized identity shifts control back to individuals and organizations, enhancing security, privacy, and trust.

What Are Decentralized Identifiers (DIDs)?

To understand decentralized identity, it’s important to know about Decentralized Identifiers (DIDs).

Unlike traditional identifiers such as email addresses or social media accounts, which depend on companies or service providers, DIDs are created and owned by the individual. They are globally unique, tamper-resistant, and independent of any single organization.

Microsoft’s approach uses DIDs to sign verifiable credentials, allowing users to prove their identity without needing to depend on a third-party service.

What Are Verifiable Credentials?

In our daily lives, we rely on credentials like passports, driver’s licenses, and certificates to prove who we are. Verifiable credentials are the digital version of these trusted documents.

They contain information, such as a person’s name, certification, or employee ID, that is issued by an organization and digitally signed to guarantee authenticity. The credentials are built to respect privacy, giving users control over when and how they share their information.

How Decentralized Identity Works

Microsoft’s decentralized identity solution brings together several key components to make everything work securely and reliably:

Decentralized Identity Workflow

  • Decentralized Identifiers (DIDs):
IDs that users create and control themselves, tied to public key infrastructure information.
  • Trust System (DID:Web):
Microsoft uses the reputation of web domains (through the DID:Web method) to establish trust.
  • DID User Agent / Wallet (Microsoft Authenticator App):
The Authenticator app helps users create DIDs, manage credentials, and back up identities securely.
  • Microsoft Resolver:
A service that retrieves DID documents so applications can verify credentials.
  • Microsoft Entra Verified ID Service:
An Azure service that handles issuing and verifying verifiable credentials to users and apps.

Microsoft Entra Verified ID Setup Options

Microsoft Entra Verified ID can be set up in two ways: Quick Setup and Advanced Setup.

Quick Verified ID Setup

The Quick Setup option simplifies the process by automating several configuration steps. With just a click on the Get Started button, it handles:

  • Creating signing keys
  • Registering your decentralized ID (DID)
  • Verifying domain ownership
  • Generating a Verified Workplace Credential automatically

Prerequisites:

  • You must have Authentication Policy Administrator permissions for your directory.
  • For app registration tasks, Application Administrator permissions are also required.
  • A custom domain must be registered with your Microsoft Entra tenant; otherwise, the process defaults to the advanced setup.
  • Quick Setup is not supported in EDU Entra tenants.

Additional Notes:

  • Microsoft manages a shared signing key across multiple tenants within a region, so an Azure Key Vault deployment is no longer necessary.
  • There is a limit of two requests per second (RPS) per tenant for issuing and verifying credentials.
  • Credentials issued via Quick Setup are valid for a maximum of six months.
  • The DID follows the format: did:web:verifiedid.entra.microsoft.com:tenantid:authority-id.
  • If your tenant has custom branding, the VerifiedEmployee credential will automatically use your logo and background color, but you can customize it after setup.

If your environment requires more control or customization, you should consider the Advanced Setup option.
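The DID format above and the Microsoft Resolver described earlier both rest on the did:web method: the DID is turned into an HTTPS URL, the DID document is fetched from there, and the document's LinkedDomains service must name the custom domain you selected. The following is an added example (not Microsoft's code and not the Resolver itself) that performs that mapping and the two checks a verifier applies to the fetched document; the sample DID document and the domain contoso.example are constructed for illustration.

```python
from urllib.parse import unquote, urlparse

DID_WEB_PREFIX = "did:web:"


def did_web_to_url(did: str) -> str:
    """Map a did:web DID to the HTTPS URL of its DID document (W3C did:web rules).

    did:web:example.com                   -> https://example.com/.well-known/did.json
    did:web:host:tenantid:authority-id    -> https://host/tenantid/authority-id/did.json
    """
    if not did.startswith(DID_WEB_PREFIX):
        raise ValueError(f"not a did:web identifier: {did}")
    host, *path = did[len(DID_WEB_PREFIX):].split(":")
    host = unquote(host)  # a percent-encoded port (host%3A8443) becomes host:8443
    if not host or any(seg == "" for seg in path):
        raise ValueError(f"malformed did:web identifier: {did}")
    if path:
        return f"https://{host}/{'/'.join(path)}/did.json"
    return f"https://{host}/.well-known/did.json"


def linked_origins(did_document: dict) -> list[str]:
    """Origins the DID document asserts through its LinkedDomains service entries."""
    origins = []
    for svc in did_document.get("service", []):
        if svc.get("type") != "LinkedDomains":
            continue
        endpoint = svc.get("serviceEndpoint")
        if isinstance(endpoint, dict):
            origins.extend(endpoint.get("origins", []))
        elif isinstance(endpoint, str):
            origins.append(endpoint)
    return origins


def check_resolution(did: str, did_document: dict, expected_domain: str) -> bool:
    """Reject a document served for a different DID, and require the selected
    domain among the linked origins. A full verifier also fetches
    https://<domain>/.well-known/did-configuration.json and validates the signed
    Domain Linkage credential in it; that step is omitted here."""
    if did_document.get("id") != did:
        return False
    hosts = {urlparse(o).hostname for o in linked_origins(did_document)}
    return expected_domain.lower() in hosts


# Constructed sample (not a real tenant); path segments mirror the Quick Setup DID format.
SAMPLE_DID = "did:web:verifiedid.entra.microsoft.com:tenantid:authority-id"
SAMPLE_DOC = {
    "id": SAMPLE_DID,
    "service": [{"id": "#linkeddomains", "type": "LinkedDomains",
                 "serviceEndpoint": {"origins": ["https://contoso.example/"]}}],
}
```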

Advanced Verified ID Setup

The Advanced Setup method offers full flexibility, allowing admins to configure every component manually. It’s ideal for organizations needing a tailored Verified ID deployment.

Advanced setup steps include:

  • Configure Azure Key Vault: Store and manage signing keys securely.
  • Register Decentralized ID: Create and register your DID to establish a trusted identity.
  • Verify Domain: Link your verified domain to your DID for trust validation.

Advanced Setup gives you full control to tailor your Verified ID configuration to meet your organization's specific security and operational needs. An Azure subscription is required to set up and manage the Azure Key Vault.

Setting Up Microsoft Entra Verified ID

We’ll use the Quick Setup method to configure Verified ID. The main advantage of Quick Setup is that it eliminates the need to deploy an Azure Key Vault, because Microsoft manages a shared signing key for you.

If your Microsoft Entra tenant has a registered custom domain, you’ll see the Get Started option under Verified ID.

Follow these steps:

  • Open Microsoft Entra and navigate to Verified ID.
  • Click Get Started, then click Get Started again to proceed.
Verified ID Get started
  • Select the custom domain you want to use.
Select Domain for Verified ID Setup

The setup process takes a few moments. Once completed, you’ll see the default Workplace Credential created for your Verified ID account.
Setting up your Verified ID

If your Microsoft 365 tenant has branding configured, it will automatically apply to your credentials card. To customize it, simply click Edit Style below the card.
Only a few elements can be modified: the background color, logo, and text color.
Verified ID Domain Overview Page

In our case, we will update the logo used in Entra Verified ID by clicking Edit Style and modifying the logo URL.
Entra Verified ID Customize style

You can also update the organization name under Basic Information.
Verified ID Basic Information


Configure Users or Groups

By default, the Verified Employee credential is available to all users in your tenant. If you prefer to restrict access to specific groups, follow these steps:

  • Go to Credentials.
  • Select the Verified Employee credential.
Verified Employee credential
  • Click on Issue a credential.
  • Under Who can retrieve a credential, select Allow users from selected groups only, then choose the group(s) you want to grant access to.
Control who can retrieve a credential

Issuing Credentials Through My Account

You can allow eligible users to retrieve their Verified Employee credential directly from their My Account profile at My Account.

If you want to restrict issuing credentials through My Account, you can disable this option.
In that case, you can issue credentials through your own website instead.

Issue credentials through My Account

To issue a Verified Employee credential through your website, use the provided API call and request body in your page or application, enabling users to request their verifiable credentials directly.

Setting Up Face Check with Microsoft Entra Verified ID

Microsoft has introduced Face Check to the Verified ID platform, adding an extra layer of security to the verification process. Face Check matches a user's selfie with their profile picture to confirm their identity.

The facial matching is powered by Azure AI services, and importantly, only the match result, not the actual selfie, is shared, so user privacy is maintained.

To use Face Check, users must have a profile picture uploaded. They can upload it themselves via the My Account page, or administrators can add it through the Microsoft 365 Admin Center.

Additionally, Face Check must be configured in the application requesting the Verified ID. For detailed setup instructions, refer to the official documentation.

Face Check can be enabled in two ways: through the Microsoft Entra Admin Center or using the Azure Resource Manager (ARM) REST API via CLI.

  • If your tenant has a Microsoft Entra Suite license, Face Check is enabled at the tenant level, applying to all authorities within the tenant.
  • For other license types, Face Check must be enabled individually for each authority using the ARM REST API.

Note:
The ARM REST API for Microsoft Entra Verified ID is currently in public preview.

Billing Information:
If you have a Microsoft Entra Suite license, you are entitled to up to 8 face verifications per month, per license, at no additional cost. Beyond that limit, or if you don't have an Entra Suite license, billing will occur through the attached Azure subscription.

How to Enable Face Check from the Admin Center

In the Verified ID overview page, scroll down to the Add-ons section.

Enable the Face Check add-on.

Face Check Addon

In the Link a subscription step, select your Subscription, Resource Group, and then click Validate.

Face Check Addon- Azure Subscription Validation

Once validation is complete, enable the add-on.

After setup, you can start integrating Face Check into your enterprise applications.

Enable Face Check

Getting Your Verified ID from My Account

In the video below, I’ll walk you through how to get your Verified ID from the My Account page.
Before we begin, we’ll quickly set up a profile picture for the account.

The first step is to obtain your own Verified ID, and this can be done easily through the My Account portal. Your users will also follow the same steps to retrieve their Verified ID.
Make sure you have the Microsoft Authenticator app installed on your mobile device.

Here’s how to get started:

  • Go to My Account.
  • Click Get my Verified ID.
  • Scan the QR code using the Microsoft Authenticator app (select Work or School Account when prompted).
  • After scanning, you’ll find your Verified ID within the Authenticator app.
  • Tap on the Verified ID to view all associated details and activity history.


Demo: Requesting Access Package with Entra Verified ID

In this demo, I’ll show how employees can request an access package using Entra Verified ID with Face Check verification.
The access package, published by the M365 Admin, grants access to SharePoint sites, Entra ID roles, and groups.
Employees must verify their identity using their Verified ID and Face Verification before access is approved.



Conclusion

Decentralized identity represents a major step forward in protecting user privacy and securing digital interactions. Microsoft Entra Verified ID makes it easier for organizations and individuals to control their digital credentials, build trust, and operate securely in an increasingly connected world.

By setting up Verified ID today, you’re laying the foundation for a future where individuals own and manage their digital identities , with better security, stronger privacy, and greater flexibility.
