Verifiable Credentials Overview
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Microsoft Entra Verified ID - A Comprehensive Guide
Introduction: The Evolution of Digital Identity
In the traditional digital landscape, verifying who someone is often involves cumbersome processes. We rely on centralized databases, password resets, and third-party identity providers to prove our credentials. Whether it is an employee proving their job title to access a payroll system, or a customer proving their age to access restricted content, the current model is fragmented and often insecure. Microsoft Entra Verified ID represents a fundamental shift in how we handle identity, moving toward a decentralized model where the individual—not a central authority—controls their own identity data.
Microsoft Entra Verified ID is a managed service that allows organizations to issue and verify digital credentials. Instead of relying on a static database entry that can be breached or manipulated, a verified credential is a cryptographically signed document that confirms a specific attribute about a user. Because these credentials use open standards, they can be shared securely across different systems, organizations, and platforms without requiring the verifier to store sensitive PII (Personally Identifiable Information) in their own local databases.
Understanding this technology is vital for IT professionals and developers because it addresses the core tension between privacy and security. By implementing Verified ID, organizations can reduce the burden of identity verification, minimize the risk associated with storing vast amounts of user data, and improve the user experience by allowing individuals to carry their "digital wallet" with them. This lesson will walk you through the architecture, implementation, and best practices of the Microsoft Entra Verified ID ecosystem.
The Core Components of the Trust Triangle
To understand how Microsoft Entra Verified ID works, you must first understand the "Trust Triangle." This model describes the interaction between three distinct roles that participate in the issuance and verification of credentials. If you miss one of these components, the ecosystem cannot function, as each role relies on the cryptographic proof provided by the others.
1. The Issuer
The Issuer is the organization that creates and signs the digital credential. This could be a university issuing a diploma, a government issuing a driver's license, or an HR department issuing an "Employee Badge." The Issuer uses their private key to sign the credential, ensuring that any third party can verify that the document is authentic and has not been tampered with since the moment of issuance.
2. The Holder (The User)
The Holder is the individual who receives the credential and stores it in a digital wallet. In the Microsoft ecosystem, this is typically the Microsoft Authenticator app. The user has complete control over when to present this credential. Because the credential is stored on the user's device, they are not reliant on a central server to "unlock" their identity every time they need to prove a claim.
3. The Verifier
The Verifier is the entity that requests the credential to confirm a specific claim. For example, a building access system might ask for an "Employee Badge" to unlock a door. The Verifier does not need to contact the Issuer's database; instead, they check the cryptographic signature of the credential against a public registry to confirm that it was indeed signed by the trusted Issuer.
Callout: Decentralized vs. Centralized Identity In a centralized system, the Verifier must establish a direct connection to the Issuer's database to query information. This creates a bottleneck and a privacy risk, as the Issuer knows exactly when and where the Verifier checked the user. In the decentralized model provided by Entra Verified ID, the Issuer does not know when the Verifier checks the credential, preserving the user's privacy and reducing the infrastructure requirements for the Issuer.
How Verified ID Works: The Technical Workflow
The workflow of a verifiable credential involves several distinct steps, ranging from the initial setup to the final verification of a claim. It is helpful to view this process as a lifecycle.
Step 1: Configuration and Issuance
Before any credentials can be issued, the organization must set up the Entra Verified ID service within the Azure portal. This involves defining the "Credential Type" and the schema. The schema defines the attributes that will be included in the credential, such as givenName, surname, or employeeId.
Once the service is configured, the Issuer creates a "Rules" file and a "Display" file. The Rules file defines the logic of the issuance, while the Display file defines how the credential looks inside the Microsoft Authenticator app (colors, logos, and labels). When a user initiates the process, they authenticate with the Issuer (often using OpenID Connect), and the Issuer generates the signed JSON Web Token (JWT) that represents the credential.
Step 2: Storage in the Wallet
The user receives a notification in their Microsoft Authenticator app. The app verifies the signature of the credential and stores it locally. At this point, the user "possesses" the credential. They can view the details of the credential, such as the expiration date and the specific attributes contained within, through the app interface.
Step 3: Presentation and Verification
When the user arrives at a service that requires verification, they are presented with a QR code or a deep link. The user scans this code with their Authenticator app. The app then sends a presentation request to the Verifier. The Verifier confirms the cryptographic signature and ensures the credential is not expired. If everything matches, the Verifier grants the user access to the requested resource.
Practical Example: Issuing an Employee Badge
Let’s look at how an organization might implement an "Employee Badge" for internal access to a secure website.
Prerequisites
- An Azure tenant with Microsoft Entra ID.
- The Verified ID service enabled in the portal.
- A Key Vault to store the signing keys.
- A web application to act as the Issuance portal.
The Code: Issuance Request
When an employee logs into your internal portal to request their badge, your backend application must call the Verified ID Request Service API. Here is a simplified example of the payload required to start the issuance process:
{
"authority": "did:web:your-domain.com",
"type": "EmployeeBadge",
"registration": {
"clientName": "Contoso HR Portal"
},
"issuance": {
"manifest": "https://verifiedid.microsoft.com/v1.0/tenants/...",
"pin": {
"value": "1234",
"length": 4
},
"claims": {
"givenName": "Jane",
"surname": "Doe",
"jobTitle": "Engineer"
}
}
}
Explanation of the Payload:
- authority: This is your Decentralized Identifier (DID). It acts as your digital "return address" so the Authenticator app knows who issued the credential.
- type: This matches the schema created in the Azure portal.
- pin: Adding a PIN provides an extra layer of security, ensuring that the person claiming the credential is the one who initiated the request.
- claims: These are the actual data points that the user will carry.
Note: Always ensure that your Key Vault permissions are correctly configured. The Verified ID service must have the "Get," "Sign," and "Verify" permissions to use the keys stored in your Key Vault. If these permissions are missing, the issuance process will fail at the final step of signing the credential.
Comparison Table: Standard Authentication vs. Verified ID
| Feature | Standard OAuth/OIDC | Entra Verified ID |
|---|---|---|
| Data Storage | Centralized database | Local device wallet |
| Verification | Back-channel API call to Issuer | Cryptographic signature validation |
| Privacy | Issuer tracks all verifications | Issuer is unaware of verification events |
| User Control | Limited (App-specific) | High (User carries the credential) |
| Connectivity | Requires online connection to IDP | Can be verified offline (in specific scenarios) |
Implementing the Verifier Side
The Verifier side is arguably more critical because this is where you enforce your security policy. When your application receives a verification request, it must perform a series of checks to ensure the credential is valid.
Step-by-Step Verification Logic
- Request Initiation: The application displays a QR code to the user.
- Request Handling: The user scans the QR code, which triggers the Authenticator app to send a response payload to your application.
- Signature Validation: Your backend code must use the Microsoft Verified ID SDK to validate the JWT signature.
- Policy Enforcement: Check the claims. For example, verify that the
jobTitleis "Engineer" or that theexpirationDatehas not passed. - Access Grant: If the validation and policy checks pass, the application grants the user access.
Warning: Never trust the claims in a JWT without validating the signature first. If you skip the signature validation step, an attacker could easily craft a fake JWT and present it as a valid credential. Always use the official Microsoft SDKs to perform this validation, as they handle the complex cryptographic checks for you.
Best Practices for Enterprise Deployment
Implementing Verified ID is not just a technical task; it is an organizational one. You need to consider how these credentials fit into your existing identity governance strategy.
1. Minimal Data Disclosure
Only include the data that is absolutely necessary in the credential. If an application only needs to know that a user is over 18, do not include their full date of birth or home address in the credential. This minimizes the risk in the event that the credential is intercepted or misused.
2. Revocation Strategies
Unlike a standard password, a credential can be revoked. If an employee leaves the company, you must ensure their "Employee Badge" is no longer accepted. Implement a status check mechanism where the Verifier queries an "Issuance Status" endpoint to confirm the credential has not been revoked by the Issuer.
3. User Education
Because this technology is new to many users, provide clear instructions on how to set up the Microsoft Authenticator app and what the "Verified ID" tab represents. Users should be trained to only present their credentials to verified and trusted requestors.
4. Key Management
Your DID is anchored by a cryptographic key. If you lose access to this key (or the Key Vault where it resides), you will be unable to issue new credentials or sign existing ones. Implement strict access controls and regular backups for your Key Vault configurations.
5. Use of Open Standards
Microsoft Entra Verified ID is built on W3C Verifiable Credentials standards. This means that, in theory, your credentials should be interoperable with other wallets and systems that support these standards. When designing your implementation, avoid proprietary extensions that might lock you into a specific ecosystem if you have requirements for cross-platform support.
Common Pitfalls and How to Avoid Them
Even for experienced developers, the decentralized identity space can be confusing. Here are some of the most common mistakes:
- Hardcoding DIDs: Do not hardcode your DID in your application configuration. Use environment variables or Key Vault references so you can easily rotate keys or change your infrastructure without redeploying code.
- Ignoring Expiration: Developers often focus on the signature validation but forget to check the
exp(expiration) claim in the JWT. A credential might be cryptographically sound but functionally expired. - Over-reliance on the Wallet: Always have a fallback mechanism. If a user loses their phone or deletes the Authenticator app, they will lose access to their credentials. Ensure you have a process to re-issue credentials to users who have lost their digital wallet.
- Ignoring Privacy Regulations: Even though the user holds the credential, the act of verifying it might still be subject to GDPR or CCPA. Be transparent with your users about what data you are verifying and why.
The Future of Identity: Why This Matters
We are moving away from a world where we provide our personal information to every website we visit. Instead, we are entering an era of "Self-Sovereign Identity" (SSI). In this future, you will have a digital wallet containing your professional certifications, your educational degrees, and your government-issued identity cards. When you need to interact with a service, you will provide a "proof" of these attributes rather than a copy of the document itself.
Microsoft Entra Verified ID is the bridge to this future. By using the same standards that govern the web, it allows for a scalable, secure, and private way to manage identity. For an organization, this means less liability, fewer helpdesk tickets for password resets, and a more streamlined onboarding experience for new employees and partners.
Quick Reference: Key Concepts
- DID (Decentralized Identifier): A unique, permanent identifier that is not reliant on a central registry. It is the core of your "digital identity."
- JWT (JSON Web Token): The standard format used for the credential. It contains the claims and the cryptographic signature.
- Manifest: A JSON file that describes the credential, including its display properties and the rules for issuing it.
- Wallet: The software (e.g., Microsoft Authenticator) that stores and manages the user's verifiable credentials.
- Trust Anchor: The system or registry used to verify that a DID belongs to a specific entity.
FAQ: Common Questions
Q: Can I use Verified ID for external users? A: Yes, absolutely. It is often used for guest access, where an external partner can present a credential issued by their own organization to gain access to your resources.
Q: Is the Microsoft Authenticator app the only way to store these credentials? A: While it is the primary way for Microsoft Entra, the standards are open. Other wallets that support the W3C Verifiable Credentials data model can technically work, though Microsoft provides the most seamless integration for Entra users.
Q: Does it cost money to use Verified ID? A: Microsoft Entra Verified ID is currently included as part of the Microsoft Entra ID suite. You should check the latest licensing documentation to see if there are specific usage tiers or costs associated with high-volume issuance.
Q: What happens if the internet goes down? A: Verification generally requires an online connection to validate the signature against the public registry. However, the user's wallet is local, meaning they can always view their credentials even when offline.
Q: How do I handle users who don't have a smartphone? A: This is a significant challenge in identity management. Currently, Verified ID is mobile-first. If your user base does not have access to smartphones, you may need to provide alternative authentication methods alongside your Verified ID implementation.
Key Takeaways
- Decentralization is Key: Microsoft Entra Verified ID shifts the burden of identity management from a central authority to the user, enhancing privacy and reducing organizational data storage risks.
- The Trust Triangle: Every interaction involves an Issuer, a Holder, and a Verifier. Understanding the role of each is essential for designing a secure identity system.
- Cryptographic Integrity: The security of the system relies entirely on cryptographic signatures. Always validate signatures using the official SDKs and never trust claims blindly.
- Privacy by Design: Use the principle of "minimal data disclosure." Only request the specific claims you need to perform an authorization, rather than collecting entire user profiles.
- Lifecycle Management: Credentials are not "set and forget." You must have a robust plan for issuance, revocation, and re-issuance to handle the full lifecycle of a digital identity.
- Interoperability: Because the system is built on open standards, it is designed for the long term. Adhering to these standards ensures your implementation remains compatible with the broader identity ecosystem.
- User Experience: While the backend is complex, the user experience should be simple. Use the Microsoft Authenticator app to provide a familiar and intuitive interface for users to manage their digital credentials.
By mastering the concepts covered in this lesson, you are positioning yourself at the forefront of the next generation of identity management. As organizations continue to move toward zero-trust architectures, the ability to verify identity without exposing sensitive data will become a cornerstone of secure and efficient IT operations. Start small by implementing a simple "Employee Badge" for a non-critical application, and gradually expand your usage as you become more comfortable with the API and the trust requirements of your organization.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons