Decentralized Identity Concepts
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Decentralized Identity: The Foundation of Microsoft Entra Verified ID
Introduction: Why Identity is Changing
For decades, the digital world has relied on centralized identity systems. When you want to access a bank account, a government portal, or a corporate application, you typically create an account with that specific service provider. That provider stores your username, your password, and your personal profile in their private database. This model has served us well for the early days of the internet, but it now creates significant challenges regarding privacy, data breaches, and user experience. Every time you register for a new service, you are essentially handing over a copy of your identity to a new silo, increasing the risk that your data will be exposed if that service provider suffers a security breach.
Decentralized identity (often referred to as Self-Sovereign Identity or SSI) flips this model on its head. Instead of a service provider "owning" your identity, you—the user—retain control. You hold your own digital credentials in a digital wallet on your device, and you choose when, where, and with whom to share that information. Microsoft Entra Verified ID is Microsoft’s implementation of this decentralized framework, built upon open standards such as Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). Understanding these concepts is critical because it represents the next evolution of how we manage trust in a digital world. By moving to a decentralized model, organizations can reduce their liability by not storing sensitive PII (Personally Identifiable Information), and users can regain control over their digital footprint.
The Core Pillars of Decentralized Identity
To understand how Microsoft Entra Verified ID functions, we must first break down the three primary roles involved in any decentralized identity transaction. These roles are defined by the W3C Verifiable Credentials Data Model, which ensures that different identity systems can "talk" to each other across the internet.
1. The Issuer
The Issuer is the entity that creates and signs a digital credential. This could be a university issuing a digital degree, a government agency issuing a driver’s license, or a company issuing an employee badge. The issuer does not "give" you the identity; rather, they provide a digitally signed statement that claims something about you. Because the credential is signed with the issuer's private key, anyone who receives it can verify that it truly came from that specific organization without needing to call the organization's database.
2. The Holder
The Holder is the individual (or entity) who receives the credential from the issuer and stores it in a digital wallet. The wallet is an application on your phone or computer that manages your private keys and your collection of credentials. As the holder, you are the only one who decides when to share these credentials. If a website asks for your proof of age, your wallet can present a "Verifiable Credential" that confirms you are over 21 without revealing your actual date of birth or your name.
3. The Verifier
The Verifier is the party that asks for proof of an identity claim. This could be a bank checking your identity to open an account, or a building access system checking your employee badge. The verifier requests a credential, the holder provides it, and the verifier checks the digital signature against the issuer’s public key. This process is immediate, automated, and does not require the verifier to contact the original issuer to confirm the credential is valid.
Callout: Centralized vs. Decentralized Identity In a centralized model, the service provider acts as the gatekeeper, storing all user data and managing the authentication process entirely. In a decentralized model, the "trust" is moved from the service provider's database to the cryptographic verification of the credential itself. This allows for "privacy-preserving" interactions where the verifier receives only the specific data they need, rather than a full user profile.
Understanding the Technical Building Blocks
At the heart of Microsoft Entra Verified ID are two major technical standards: Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). These are not proprietary Microsoft formats; they are open standards developed by the World Wide Web Consortium (W3C) to ensure interoperability.
Decentralized Identifiers (DIDs)
A DID is a new type of identifier that enables verifiable, decentralized digital identity. Unlike a username or email address, a DID is not owned by a central registry like a domain name registrar or a social media company. Instead, it is a URI (Uniform Resource Identifier) that points to a "DID Document." This document contains public keys and service endpoints that allow others to interact with you or verify your identity.
- Persistence: DIDs are designed to be long-lived and independent of any specific service provider.
- Control: The owner of a DID can prove control over it using a private key.
- Privacy: You can create different DIDs for different parts of your life (e.g., one for work, one for social media, one for government services) to prevent correlation.
Verifiable Credentials (VCs)
A Verifiable Credential is a digital representation of a physical credential, like a passport or a diploma. It consists of a set of claims made by an issuer about a subject. For example, a credential might include claims like "Name: Jane Doe" and "Title: Senior Engineer." These claims are bundled into a JSON-LD (JSON for Linked Data) format and signed by the issuer's DID.
When a verifier receives this credential, they check:
- Integrity: Has the information been tampered with since it was signed?
- Authenticity: Was it actually signed by the organization claiming to be the issuer?
- Revocation: Has the issuer marked this credential as no longer valid (e.g., if an employee left the company)?
Note: A common misconception is that the "identity" is stored on a blockchain. In reality, the blockchain (or Distributed Ledger) is only used to store the public keys and DID Documents of the issuers. The actual personal data (the claims) is never stored on a ledger; it remains strictly between the holder and the verifier.
Practical Example: Implementing a Digital Employee Badge
Let’s walk through a real-world scenario: An organization wants to issue a digital employee badge to its staff. This badge will allow them to access physical offices and internal web applications without needing a password.
Step 1: Setting up the Issuer
The organization configures the Microsoft Entra Verified ID service in their Azure portal. They define the "rules" for the credential, such as what claims it should contain (EmployeeID, Department, etc.). The service automatically generates a DID for the organization.
Step 2: Issuance
When a new employee joins, the HR system triggers an issuance request. The employee receives a notification on their mobile wallet app. They scan a QR code, the app talks to the Microsoft Entra service, and the digital badge is cryptographically signed and pushed to the employee's wallet.
Step 3: Verification
When the employee tries to log into an internal portal, the portal asks for a "Verifiable Credential." The employee scans a QR code on the login screen with their wallet. The wallet signs a response using the employee's DID and sends the badge to the portal. The portal checks the signature against the organization’s public DID document and grants access.
Code Snippet: Requesting a Credential
When building a web application that acts as a Verifier, you use the Microsoft Entra Verified ID Request Service API. Below is a simplified example of how a JSON payload looks when requesting a credential from a user:
{
"authority": "did:web:example.com",
"registration": {
"clientName": "Corporate Access Portal"
},
"type": "VerifiedEmployee",
"manifest": "https://verifiedid.microsoft.com/v1.0/tenants/...",
"claims": {
"displayName": "Employee Badge"
}
}
Explanation:
authority: The DID of your organization.type: The specific schema of the credential you are requesting.manifest: The location where the client (wallet) can find the definition of the credential.
Best Practices for Decentralized Identity
Adopting decentralized identity is a shift in mindset. Organizations that move too quickly without planning often run into issues regarding lifecycle management and user experience.
1. Define Trust Frameworks
Before issuing credentials, decide who you trust. If your application accepts credentials from other organizations (e.g., a university diploma), you need to define a "Trust Framework." This is a set of rules that govern which issuers are considered valid for your specific use case. Do not blindly accept every credential presented to you; verify the issuer's DID against your known list of trusted entities.
2. Prioritize User Privacy
Always follow the principle of data minimization. Ask for only the data you absolutely need. If you only need to verify that an employee is in the "Engineering" department, do not request the "EmployeeID" or "DateOfBirth" claims. The beauty of Verified ID is that you can request specific claims, and the user's wallet will only share those specific pieces of information.
3. Handle Revocation Gracefully
Credentials can be revoked. If an employee leaves the company, their digital badge must be invalidated. Ensure that your application checks the "Revocation Status List" (often hosted by the issuer) every time a credential is presented. A credential that is valid today might be invalid tomorrow if the issuer's status list has been updated.
4. Designing for the Wallet Experience
The user experience lives in the wallet. Ensure your issuance and verification flows are optimized for mobile. Use deep linking to open the wallet automatically when a user scans a QR code. If the user has to manually copy-paste codes or navigate through complex menus, they will abandon the process.
Warning: Do not store sensitive PII in the metadata of the DID document. The DID document is meant to be public and discoverable. Keep all private information inside the Verifiable Credential itself, which is only shared peer-to-peer between the holder and the verifier.
Common Mistakes to Avoid
Even with a robust platform like Microsoft Entra, developers and architects often fall into common traps. Avoiding these will save you significant time and security headaches.
- Hardcoding DIDs: Never hardcode your organization's DID directly into your application code. Use environment variables or a configuration service. If you ever need to rotate your keys or re-provision your DID, you do not want to have to redeploy your entire application.
- Ignoring Error Handling: Decentralized identity transactions involve multiple moving parts (the internet, the user's phone, the issuer service). Your application must handle cases where the user denies the request, the wallet app crashes, or the network times out. Provide clear feedback to the user when a transaction fails.
- Assuming 100% Adoption: Not every user will have a digital wallet ready to go. Always provide a fallback authentication method (like standard username/password or MFA) for users who are not yet equipped to use Verifiable Credentials.
- Neglecting Key Security: The private keys associated with your organization's DID are the keys to the kingdom. Store these in a secure hardware security module (HSM) or a managed service like Azure Key Vault. If your private key is compromised, an attacker could potentially issue fraudulent credentials in your name.
Comparison: Traditional Auth vs. Verified ID
| Feature | Traditional Identity (SAML/OIDC) | Decentralized Identity (Verified ID) |
|---|---|---|
| Trust Model | Centralized (Central Authority) | Decentralized (Cryptography) |
| Data Storage | Service Provider Database | User Wallet (Edge) |
| Privacy | High correlation (Provider tracks user) | High privacy (Peer-to-peer) |
| Portability | Low (Account is siloed) | High (Credential moves with user) |
| Interoperability | Requires federation agreements | Standards-based (W3C) |
Implementation Steps for Developers
If you are a developer looking to integrate Microsoft Entra Verified ID, follow these steps:
- Register the Application: In the Azure Portal, register your application as you would for any other Entra ID (formerly Azure AD) app.
- Request Permissions: Assign the "Verified ID" permissions to your application so it can interact with the issuance and verification APIs.
- Define Credential Schemas: Use the Verified ID portal to define the structure of your credentials. This includes the display appearance (colors, logos) and the specific claims (data fields).
- Implement the Backend API: Create an endpoint in your web application that generates "Request Objects." These objects tell the user's wallet what to do (e.g., "Please provide a credential of type X").
- Implement the Frontend: Create a web page that renders a QR code. When the user scans the code, the wallet app uses the information in the QR code to reach out to your API and initiate the exchange.
- Callback Handling: Set up a webhook or callback URL where the Microsoft Entra service can send the result of the transaction (e.g., "User successfully presented the credential").
Tip: Use the Microsoft-provided sample applications available on GitHub to kickstart your development. These samples include pre-configured backend code for Node.js, .NET, and Python, which can help you understand the message flow without writing the networking code from scratch.
Security Considerations and Threat Modeling
When implementing decentralized identity, you must consider the unique threat vectors associated with this technology. While it improves privacy, it introduces new attack surfaces.
The Man-in-the-Middle (MitM) Attack
In a typical flow, the user scans a QR code on their screen. An attacker could potentially replace that QR code with one that points to a malicious service. Always ensure your web application is served over HTTPS and that the QR code is generated dynamically on the server side, tied to a specific, short-lived session.
Replay Attacks
An attacker might capture a valid Verifiable Credential and try to replay it to gain unauthorized access. Ensure your verification process includes a "nonce" (a random number used once) or a timestamp check. The Microsoft Entra Verified ID service handles much of this internally, but when designing your custom verification logic, ensure you are not accepting the same credential payload twice.
Credential Theft
If a user's phone is stolen and the wallet is not protected by biometrics, an attacker could present the credentials. Encourage users to enable strong device-level authentication (FaceID, fingerprint, PIN) for their wallet applications. As an issuer, you can also include expiration dates in your credentials, limiting the window of opportunity for an attacker.
The Future of Decentralized Identity
We are currently in the early stages of a massive shift in how we handle identity. As more organizations adopt Verifiable Credentials, we will see the emergence of "Identity Wallets" that contain credentials from multiple sources—your university, your bank, your employer, and your government. This will lead to a more seamless experience where you no longer need to create new accounts for every service. You will simply "connect" your wallet, prove who you are, and get access.
Microsoft Entra Verified ID is a key part of this ecosystem because it bridges the gap between the legacy corporate world and the new decentralized future. It allows enterprises to continue using their existing identity infrastructure (like Active Directory) while participating in a global, standards-based identity network. By learning these concepts now, you are positioning yourself at the forefront of a fundamental change in internet architecture.
Summary: Key Takeaways
- Decentralized identity shifts control: It moves the power of identity from the service provider to the individual, who stores their credentials in a private, secure digital wallet.
- Standards are paramount: The use of W3C standards like DIDs and Verifiable Credentials ensures that identity systems can interoperate globally without relying on proprietary vendor lock-in.
- Privacy by design: Because the interaction is peer-to-peer and relies on cryptographic verification rather than database lookups, users can share only the specific information required, minimizing the risk of data exposure.
- Roles are distinct: Always distinguish between the Issuer (who signs), the Holder (who owns), and the Verifier (who checks). Understanding these roles is essential for designing secure identity workflows.
- Lifecycle management is critical: Simply issuing a credential is not enough; you must manage the full lifecycle, including revocation, to ensure that trust remains intact over time.
- Security starts with the keys: The security of the entire system rests on the protection of the private keys used to sign credentials. Use dedicated key management services to protect these assets.
- Start small: Begin by implementing simple, low-risk use cases (like internal employee badges) to build internal expertise before expanding to more complex scenarios involving external partners or customers.
By mastering these concepts, you are not just learning about a specific Microsoft product; you are learning the language of the future digital economy. Identity is the new perimeter, and decentralized identity is the most effective way to secure that perimeter while respecting user privacy and enhancing the user experience.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons