Microsoft Entra Verified ID (formerly known as Azure AD Verifiable Credentials, and referred to below as Entra ID Verified ID) is a decentralized identity service that enables organizations to issue, verify, and manage digital credentials for users. These credentials, often called “Verified IDs,” allow users to prove their identity or specific claims (such as employment or qualifications) in a secure, privacy-respecting manner.
The service lets users prove claims in order to access resources or services without repeatedly handing over the underlying sensitive data. It is built on open standards (W3C Verifiable Credentials, W3C Decentralized Identifiers, and OpenID Connect-based issuance and presentation protocols) and follows a self-sovereign, decentralized identity model in which users keep control over their credentials.
Key Concepts of Entra ID Verified ID
- Decentralized Identity: Unlike traditional systems where identity data is stored and controlled centrally, Entra ID Verified ID follows a decentralized model. The credential lives in the holder's wallet, and a verifier checks it against the issuer's published public key rather than querying the issuer's identity database.
- Verified IDs (Verifiable Credentials): These are digital credentials that carry specific claims about an individual or organization, such as proof of employment, a qualification, or age. The issuer signs the credential with its private key; anyone who can retrieve the issuer's public key (published in the issuer's DID document) can verify that signature, so the claims can be trusted without a call back to the issuer.
- Issuers, Holders, and Verifiers:
- Issuer: An entity (e.g., a company, university, or government) that creates and issues the credential.
- Holder: The individual who receives the credential and can store it securely, usually on a mobile device in a digital wallet.
- Verifier: An entity that needs to verify the authenticity of a credential, like an employer or service provider.
- Digital Wallet: Users typically store their Verified ID in a digital wallet app on their mobile device. Microsoft Authenticator serves as one such digital wallet for holding and managing Verified IDs.
- Self-Sovereign Identity (SSI): Entra ID Verified ID aligns with SSI principles, allowing users to own and control their identity data, selectively sharing it with verifiers without going through a central intermediary.
Features of Entra ID Verified ID
- Trustworthy and Privacy-Preserving: Verified ID uses cryptographic signatures to ensure the authenticity of credentials, reducing the need to share sensitive data repeatedly.
- User-Controlled: Users store and control their Verified ID credentials in a digital wallet, choosing when and with whom to share specific claims.
- Flexible Use Cases: Verified ID can verify a range of credentials, such as proof of employment, educational qualifications, age, and membership in a particular organization.
- Interoperability: Verified IDs are built on open standards, allowing interoperability across different identity systems and providers.
Prerequisites for Using Entra ID Verified ID
- Microsoft Entra ID Tenant: The organization must have an Entra ID tenant to configure and manage the Verified ID solution.
- Verified ID Service Setup: Verified ID must be set up within the Entra ID tenant. Setup establishes the tenant's decentralized identifier (DID) and signing keys, and each credential type the tenant issues is defined by a display definition (how it appears in the wallet) and a rules definition (which claims it carries and where they come from).
- Microsoft Authenticator App: End-users need a supported digital wallet to store and manage their Verified ID credentials. Currently, Microsoft Authenticator is compatible with Verified ID.
- Decentralized Identifier (DID) and OpenID Connect (OIDC) Support: Verified ID identifies issuers and verifiers with DIDs (the did:web method, resolved to a DID document hosted on the organization's domain), encodes credentials as signed JWTs following the W3C Verifiable Credentials data model, and exchanges them with the wallet over OpenID Connect-based issuance and presentation protocols. Claims for issuance can also be sourced from a sign-in at an OIDC identity provider.
- Access to the Verified ID Request Service API: Developers integrate Verified ID into applications through the Request Service REST API, which creates issuance and presentation requests and reports their outcome to a callback endpoint the application hosts. Microsoft publishes sample applications in several languages as starting points.
How Entra ID Verified ID Works (Step-by-Step)
Step 1: Issuing a Verified ID Credential
- User Requests a Credential: A user requests a credential from the issuer (e.g., an organization like a university or employer).
- Issuer Validates User Identity: The issuer authenticates the user before issuing. In Verified ID the claims can be supplied by the issuing application after its own sign-in (an id token hint), taken from a sign-in at an OpenID Connect provider, or copied from another credential the user already holds.
- Credential Generation: The issuer generates a Verified ID credential with specific claims (e.g., “Employee of Company X”), together with a validity period and an entry in the issuer's revocation status list.
- Digital Signature: The credential is signed with the issuer's private key; the matching public key is published in the issuer's DID document so that any verifier can check the signature later.
- Credential Storage: The user receives the credential and stores it in their digital wallet (e.g., Microsoft Authenticator).
Step 2: Presenting a Verified ID Credential
- Verifier Requests Credential: A verifier, such as a service or application, creates a presentation request naming the credential type it needs (e.g., proof of employment) and the issuers it accepts, and hands it to the user as a QR code or deep link. The request carries a fresh nonce so the response cannot be replayed.
- User Consent: The user consents to share the credential with the verifier, opening their digital wallet to select the relevant credential. The wallet signs the presentation with the holder's own key.
- Verification of Credential: The verifier checks the issuer's signature on the credential using the public key from the issuer's DID document, which it resolves from the issuer's domain; the issuer itself takes no part in the transaction. The verifier should also confirm that the issuer is one it trusts, that the credential type is the expected one, that the credential is within its validity period and not revoked, and that the presentation is signed by the holder the credential was issued to and carries the expected nonce.
- Access Granted: If every check passes, the verifier grants the user access to the service or resource.
Step 3: Managing and Revoking Credentials
- Updating Credentials: A signed credential cannot be edited in place. If a user's role changes, the issuer revokes the old credential and issues a new one with updated claims.
- Revoking Credentials: If a credential becomes invalid (e.g., the user leaves the organization), the issuer revokes it. Verified ID records the revocation in a status list the issuer publishes; a verifier learns of it only when it checks that status at presentation time, so verifier policy should not accept revoked credentials. The revoked credential remains in the user's wallet until it is removed there.
Usage Scenarios and Working Examples
Example 1: Verifying Employment for Remote Access
Scenario: A consulting firm wants to provide secure remote access to project resources for employees of partner companies.
- Issuance: The partner company issues Verified ID credentials to their employees, including claims like “Employee of [Partner Company Name]”.
- Verification: When accessing the consulting firm’s project portal, the employee shares their Verified ID credential proving their employment status.
- Access Granted: The consulting firm's system verifies the credential and grants the employee access to project resources without having to federate with or query the partner's directory. The firm's policy should still restrict accepted issuers to the partner's DID, require the expected credential type, and reject expired or revoked credentials, since an employee who has left the partner may still hold the credential in their wallet.
Example 2: Verifying Student Status for Academic Discounts
Scenario: An online learning platform offers discounts to students.
- Issuance: Universities issue a “Student ID” credential to their students with claims like “Student Status: Active” and “University: [University Name].”
- Verification: The student attempts to sign up for a discounted plan on the online platform and shares their student credential.
- Access Granted: The platform verifies the student credential against the university's published DID document and status list, with no direct request to the university, and allows the student to access the discount.
Example 3: Verifying Age for Restricted Services
Scenario: A gaming company needs to verify that users are over 18 before allowing access to age-restricted games.
- Issuance: A government agency (or another issuer the gaming company trusts) issues Verified ID credentials with age attributes. Because a JWT-encoded credential is presented as a whole, an issuer that wants to limit disclosure should put only the claim verifiers need (for example an over-18 flag) into the credential rather than a full date of birth.
- Verification: The gaming company requests age verification, accepting only the issuers it trusts, and the user shares their age-related Verified ID credential.
- Access Granted: The gaming company verifies the credential and allows access if the user meets the age requirement.
Example 4: Credential Verification for a Hiring Process
Scenario: A company wants to verify an applicant’s certifications and employment history as part of the hiring process.
- Issuance: Previous employers and educational institutions issue Verified ID credentials with relevant claims, like job title and degree.
- Verification: The applicant presents these credentials during the hiring process.
- Validation: The hiring company verifies each credential against the issuing organization's published DID document and status list, without needing to contact past employers or educational institutions, streamlining the hiring process.
Benefits of Using Entra ID Verified ID
- Enhanced Security and Privacy: The use of cryptographically signed credentials reduces the need to repeatedly share sensitive data, protecting users’ privacy and minimizing exposure to security risks.
- User Control over Data: Users control which credentials to share and when to share them, aligning with the principles of self-sovereign identity (SSI).
- Reduced Verification Overhead: Verifiers confirm the authenticity of credentials by resolving the issuer's published DID document and status list rather than by contacting the issuer, speeding up processes such as background checks and verification.
- Standardization and Interoperability: Built on open standards (W3C Verifiable Credentials and Decentralized Identifiers, with OpenID Connect-based exchange protocols), Verified ID credentials are interoperable across different systems, allowing for wider adoption and usability across various platforms.
Technical Prerequisites and Considerations
- Licensing: Verified ID is included with Microsoft Entra ID subscriptions, including the free tier, at no additional cost; a Premium P1 or P2 license is not required. The advanced setup does use an Azure subscription, since it stores the issuer's signing keys in Azure Key Vault and publishes the DID on a domain the organization controls.
- Digital Wallet App for End-Users: End-users must have a compatible digital wallet, such as Microsoft Authenticator, to store and manage their Verified ID credentials.
- Verification Setup: Organizations using Verified ID for verification must configure their applications to accept these credentials, typically by calling the Request Service REST API to create presentation requests and by hosting a callback endpoint that receives the verification result. The callback must authenticate the caller (Verified ID sends back the api-key header the application supplied in the request) and re-apply the application's own policy on issuer, credential type, and revocation status.
- Decentralized Identifier (DID) Compliance: Each issuing or verifying organization needs a DID. With the did:web method the DID document is served from the organization's domain at /.well-known/did.json, and a linked-domain file at /.well-known/did-configuration.json lets wallets show the user which domain a DID belongs to.
- API Integration: Developers may need to integrate the Entra ID Verified ID Request Service API into existing applications to allow for seamless credential issuance and verification.
Microsoft Entra Verified ID provides a robust framework for issuing and verifying digital credentials in a decentralized, user-controlled manner. This approach promotes privacy and security by letting users present only the credentials a service actually needs, and by letting verifiers check them against the issuer's published keys and revocation status instead of the issuer's database. With use cases spanning employee verification, age-restricted content access, and student discounts, Verified ID offers a flexible and secure identity verification solution for modern digital interactions.
