How to set up Microsoft Entra Verified ID

Microsoft Entra Verified ID is a decentralized identity solution that allows your users to easily verify their identity online. It can be used with online services and applications that need to verify the identity of your users before providing access, such as HR or Helpdesk systems.

Verified ID also allows you to securely onboard remote working users by using an IDV partner for the identity verification and proofing service.

In this article, we are going to configure Microsoft Entra Verified ID, learn how to issue a verifiable credential and I will show some examples of how to use it.

Requirements

Microsoft Entra Verified ID can be used with all Microsoft Entra plans, including the free plan. To configure it, you will need to have global administrator or authentication policy administrator permission.

Also, you will need to have a custom domain registered in Microsoft Entra to use the quick setup method. Otherwise, you will need to use the advanced setup method.

Setting up Microsoft Entra Verified ID

To set up Verified ID we are going to use the Quick Setup. The advantage of the quick setup method is that you don’t need to deploy an Azure Key Vault. Instead, we will be using a shared signing key that is managed by Microsoft.

If you have a custom domain registered in Microsoft Entra, then you will see the option Get Started under Verified ID.

  1. Open Microsoft Entra and click on Get Started under Verified ID
  2. Click again on Get Started
  3. Select the domain that you want to use

It takes a moment to set up your verified ID account. Once the process is completed you will see the default workspace credential.

If you have configured branding for your Microsoft 365 tenant, then the style will automatically be applied to your credentials card. You can change the style by clicking on Edit Style below the card.

You can’t change much about the style, only the background color, logo, and text color.

Verified employee credentials

Configure Users or Groups

By default, the verified employee card can be used by all employees in your tenant. If you want, you can restrict it to a selected group of users only.

  1. Click on Credentials
  2. Choose the Verified Employee credential
  3. Go to Issue a credential
  4. Change who can retrieve a credential to Allow users from selected groups only
  5. Select the group(s) that you want to give access.

Revoke an issued Verifiable Credential

In some cases, you will need to revoke an issued verified ID, for example when an employee is no longer active, or when a student leaves the university.

To revoke a verified ID, you will need to go to the verified credential and choose Revoke a credential. Here you can search for the credential that you want to revoke. Note that you will need to search on the exact identity.

The reason for this is that only the hash of the indexed claim is stored. What you enter in the search box is hashed using the same algorithm, and the two hashes are then compared.
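The lookup described above, sketched as an added example (not code from this article or from Microsoft). The hash construction (SHA-256 over a contract ID plus the claim value, base64-encoded), the `CredentialIndex` class and the sample identity are assumptions for illustration; the point is that a partial or differently cased search produces a different hash and finds nothing.

```python
import base64
import hashlib


def index_hash(contract_id: str, claim_value: str) -> str:
    """Hash the indexed claim; only this digest is kept, never the claim itself.
    ASSUMPTION: SHA-256 over contract id + claim value, base64-encoded."""
    digest = hashlib.sha256((contract_id + claim_value).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


class CredentialIndex:
    """Hypothetical issuer-side store: maps claim hash -> credential status."""

    def __init__(self, contract_id: str):
        self.contract_id = contract_id
        self._by_hash = {}

    def record_issuance(self, claim_value: str) -> None:
        self._by_hash[index_hash(self.contract_id, claim_value)] = "VALID"

    def search(self, query: str):
        # The search text is hashed the same way; only equal digests match.
        return self._by_hash.get(index_hash(self.contract_id, query))

    def revoke(self, query: str) -> bool:
        key = index_hash(self.contract_id, query)
        if self._by_hash.get(key) != "VALID":
            return False  # not found (or already revoked): nothing to revoke
        self._by_hash[key] = "REVOKED"
        return True


def demo():
    idx = CredentialIndex("constructed-contract-id")  # constructed sample value
    idx.record_issuance("alice@contoso.example")      # constructed sample identity
    return {
        "prefix": idx.search("alice"),                 # partial input: no match
        "case": idx.search("Alice@contoso.example"),   # different case: no match
        "exact": idx.search("alice@contoso.example"),  # exact identity: found
        "revoked": idx.revoke("alice@contoso.example"),
        "after": idx.search("alice@contoso.example"),
    }


if __name__ == "__main__":
    print(demo())
```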

Testing the Verified Employee Credential

With the credentials created for verified employees, we can now get our own verified credential and test out the implementation on a demo site from Microsoft.

The first step is to get your own Verified ID. We can do this on the MyAccount page. Your users will also be able to use the method below to get their Verified ID. You will need to have the Microsoft Authenticator app installed on your mobile phone.

  1. Open myaccount.microsoft.com
  2. Click on Get my Verified ID
  3. Scan the QR Code with the Microsoft Authenticator app (choose Work or School account)

After you have scanned the QR code in the authenticator app, you will see the Verified ID in your app. When you click on the ID, you can see all the details and all activities related to the ID.

Testing your Verified ID

Microsoft has created a couple of example applications that you can use to test out the verified ID or as an example of how to implement it in your own business applications. You can also use this demo vendor website from Microsoft to authenticate with your Verified ID.

Using verified credentials

There is also an online example available where you start with onboarding at a company and once authenticated can “order” your device at a demo vendor website. This example shows how a remote worker can be onboarded at your company without going into the office.

For the verification process, an IDV partner is used. These partners can do the identity verification, often based on a selfie and a copy of a government-issued ID. The verified ID of the IDV partner can then be used to create a verified ID in your own tenant (in the Woodgrove example tenant in this case).

You can try out all the steps in the process yourself. The True Identity provider is also a demo provider, just click next, you don’t need to upload an actual passport or driver’s license to continue.

Using Face Check

Microsoft recently added Face Check to the Verified ID platform. Face Check allows companies to add an extra security layer in the verification process, by matching a selfie of the user with a profile picture.

Azure AI services are used for the facial matching process. Only the match result is shared, not the actual selfie. This way the privacy of the user is protected.

To use Face Check, you will need to make sure that a profile picture of the user is uploaded. The user can do that themselves on the MyAccount page, or the administrator can add the profile picture in the Microsoft 365 admin center.

The requirement to use the Face Check needs to be configured in the app that is requesting the verified ID. Check the documentation for more information on how to configure it.

LinkedIn Employee Verification

Verified ID can also be used to verify your place of work on LinkedIn. The verification allows members and organizations to easily check that the people they collaborate with are authentic and that the work affiliations on their profiles are accurate.

Place of work verification on LinkedIn is currently in public preview and only available for organizations with more than 10,000 employees.

You can read more about LinkedIn Employee Verification in this article.

Wrapping Up

Microsoft Entra Verified ID is a great solution when you need to verify the identity of your employees in third-party applications that support decentralized identity. You can use a REST API to issue and verify credentials which makes it easy to implement in your application.

Make sure that you try out the end-to-end demo that Microsoft has created to see the full potential of Verified ID.

I hope you liked this article, if you have any questions, just drop a comment below!
