What's new in Microsoft Entra Verified ID

Note

Azure Active Directory Verifiable Credentials is now Microsoft Entra Verified ID and part of the Microsoft Entra family of products. Learn more about the Microsoft Entra family of identity solutions and get started in the unified Microsoft Entra admin center.

This article lists the latest features, improvements, and changes in the Microsoft Entra Verified ID service.

March 2023

• Admin API now supports application access tokens and in addition to user bearer tokens.
• Introducing the Entra Verified ID Services partner gallery listing trusted partners that can help accelerate your Entra Verified ID implementation.
• Improvements to our Administrator onboarding experience in the Admin portal based on customer feedback.
• Updates to our samples in github showcasing how to dynamically display VC claims.

February 2023

• Public preview - Entitlement Management customers can now create access packages that leverage Entra Verified ID learn more

• The Request Service API can now do revocation check for verifiable credentials presented that was issued with StatusList2021 or the RevocationList2020 status list types.

January 2023

• Microsoft Authenticator user experience improvements on pin code, verifiable credential overview and verifiable credentials requirements.

November 2022

• Entra Verified ID now reports events in the Azure AD Audit Log. Only management changes made via the Admin API are currently logged. Issuance or presentations of verifiable credentials aren't reported in the audit log. The log entries have a service name of Verified ID and the activity will be Create authority, Update contract, etc.

September 2022

• The Request Service API now have granular app permissions and you can grant VerifiableCredential.Create.IssueRequest and VerifiableCredential.Create.PresentRequest separately to segregate duties of issuance and presentation to separate application.
• IDV Partner Gallery now available in the documentation guiding you how to integrate with Microsoft's Identity Verification partners.
• How-to guide for implementing the presentation attestation flow that requires presenting a verifiable credential during issuance.

August 2022

Microsoft Entra Verified ID is now generally available (GA) as the new member of the Microsoft Entra portfolio! read more

Known issues

• Tenants that opt-out without issuing any Verifiable Credential gets a Specified resource does not exist error from the Admin API and/or the Entra portal. A fix for this issue should be available by August 20, 2022.

July 2022

• The Request Service APIs have a new hostname verifiedid.did.msidentity.com. The beta.did.msidentity and the beta.eu.did.msidentity continue to work, but you should change your application and configuration. Also, you no longer need to specify .eu. for an EU tenant.

• The Request Service APIs have new endpoints and updated JSON payloads. For issuance, see Issuance API specification and for presentation, see Presentation API specification. The old endpoints and JSON payloads continue to work, but you should change your applications to use the new endpoints and payloads.

• Request Service API Error codes have been updated

• The Admin API is made public and is documented. The Azure portal is using the Admin API and with this REST API you can automate the onboarding or your tenant and creation of credential contracts.

• Find issuers and credentials to verify via the The Microsoft Entra Verified ID Network.

• For migrating your Azure Storage based credentials to become Managed Credentials there's a PowerShell script in the GitHub samples repo for the task.

• We also made the following updates to our Plan and design docs:

  • (updated) architecture planning overview.
  • (updated) Plan your issuance solution.
  • (updated) Plan your verification solution.

June 2022

• We're adding support for the did:web method. Any new tenant that starts using the Verifiable Credentials Service after June 14, 2022 will have Web as a new, default, trust system when onboarding. VC Administrators can still choose to use ION when setting a tenant. If you want to use did:web instead of ION or viceversa, you'll need to reconfigure your tenant.
• We're rolling out several features to improve the overall experience of creating verifiable credentials in the Entra Verified ID platform:
  • Introducing Managed Credentials, which are verifiable credentials that no longer use Azure Storage to store the display & rules JSON definitions. Their display and rule definitions are different from earlier versions.
  • Create Managed Credentials using the new quickstart experience.
  • Administrators can create a Verified Employee Managed Credential using the new quick start. The Verified Employee is a verifiable credential of type verifiedEmployee that is based on a predefined set of claims from your tenant's Azure Active Directory.

Important

You need to migrate your Azure Storage based credentials to become Managed Credentials. We'll soon provide migration instructions.

• We made the following updates to our docs:
  • (new) Current supported open standards for Microsoft Entra Verified ID.
  • (new) How to create verifiable credentials for ID token hint.
  • (new) How to create verifiable credentials for ID token.
  • (new) How to create verifiable credentials for self-asserted claims.
  • (new) Rules and Display definition model specification.
  • (new) Creating an Azure AD tenant for development.

May 2022

We're expanding our service to all Azure AD customers! Verifiable credentials are now available to everyone with an Azure AD subscription (Free and Premium). Existing tenants that configured the Verifiable Credentials service prior to May 4, 2022 must make a small change to avoid service disruptions.

April 2022

Starting next month, we're rolling out exciting changes to the subscription requirements for the Verifiable Credentials service. Administrators must perform a small configuration change before May 4, 2022 to avoid service disruptions.

Important

If changes are not applied before May 4, 2022, you will experience errors on issuance and presentation for your application or service using the Microsoft Entra Verified ID Service.

March 2022

• Microsoft Entra Verified ID customers can now change the domain linked to their DID easily from the Azure portal.
• We made updates to Microsoft Authenticator that change the interaction between the Issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for iOS. More information

February 2022

We're rolling out some breaking changes to our service. These updates require Microsoft Entra Verified ID service reconfiguration. End-users need to have their verifiable credentials reissued.

• The Microsoft Entra Verified ID service can now store and handle data processing in the Azure European region.
• Microsoft Entra Verified ID customers can take advantage of enhancements to credential revocation. These changes add a higher degree of privacy through the implementation of the W3C Status List 2021 standard. More information
• We made updates to Microsoft Authenticator that change the interaction between the Issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for Android. More information

Important

All Azure AD Verifiable Credential customers receiving a banner notice in the Azure portal need to go through a service reconfiguration before March 31st 2022. On March 31st 2022 tenants that have not been reconfigured will lose access to any previous configuration. Administrators will have to set up a new instance of the Azure AD Verifiable Credential service. Learn more about how to reconfigure your tenant.

Microsoft Entra Verified ID available in Europe

Since the beginning of the Microsoft Entra Verified ID service public preview, the service has only been available in our Azure North America region. Now, the service is also available in our Azure Europe region.

• New customers with Azure AD European tenants now have their Verifiable Credentials data located and processed in our Azure Europe region.
• Customers with Azure AD tenants setup in Europe who start using the Microsoft Entra Verified ID service after February 15, 2022, have their data automatically processed in Europe. There's no need to take any further actions.
• Customers with Azure AD tenants setup in Europe that started using the Microsoft Entra Verified ID service before February 15, 2022, are required to reconfigure the service on their tenants before March 31, 2022.

Take the following steps to configure the Verifiable Credentials service in Europe:

1. Check the location of your Azure Active Directory to make sure is in Europe.
2. Reconfigure the Verifiable Credentials service in your tenant.

Important

On March 31st, 2022 European tenants that have not been reconfigured in Europe will lose access to any previous configuration and will require to configure a new instance of the Azure AD Verifiable Credential service.

Are there any changes to the way that we use the Request API as a result of this move?

Applications that use the Microsoft Entra Verified ID service must use the Request API endpoint that corresponds to their Azure AD tenant's region.

Tenant region	Request API endpoint POST
Europe	https://beta.eu.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request
Non-EU	https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request

To confirm which endpoint you should use, we recommend checking your Azure AD tenant's region as described above. If the Azure AD tenant is in the EU, you should use the Europe endpoint.

Credential Revocation with Enhanced Privacy

The Azure AD Verifiable Credential service supports the W3C Status List 2021 standard. Each Issuer tenant now has an Identity Hub endpoint used by verifiers to check on the status of a credential using a privacy-respecting mechanism. The identity hub endpoint for the tenant is also published in the DID document. This feature replaces the current status endpoint.

To uptake this feature, follow the next steps:

1. Check if your tenant has the Hub endpoint.
   1. If so, go to the next step.
   2. If not, reconfigure the Verifiable Credentials service in your tenant and go to the next step.
2. Create new verifiable credentials contracts. In the rules file you must add the "credentialStatusConfiguration": "anonymous" property to start using the new feature in combination with the Hub endpoint for your credentials:

Sample contract file:

{
  "attestations": {
    "idTokens": [
      {
        "id": "https://self-issued.me",
        "mapping": {
          "firstName": { "claim": "$.given_name" },
          "lastName": { "claim": "$.family_name" }
        },
        "configuration": "https://self-issued.me",
        "clientId": "",
        "redirectUri": ""
      }
    ]
  },
  "validityInterval": 2592001,
"credentialStatusConfiguration": "anonymous",
  "vc": {
    "type": [ "VerifiedCredentialExpert" ]
  }
} 

1. You have to issue new verifiable credentials using your new configuration. All verifiable credentials previously issued continue to exist. Your previous DID remains resolvable however, they use the previous status endpoint implementation.

Important

You have to reconfigure your Azure AD Verifiable Credential service instance to create your new Identity hub endpoint. You have until March 31st 2022, to schedule and manage the reconfiguration of your deployment. On March 31st, 2022 deployments that have not been reconfigured will lose access to any previous Microsoft Entra Verified ID service configuration. Administrators will need to set up a new service instance.

Microsoft Authenticator DID Generation Update

We're making protocol updates in Microsoft Authenticator to support Single Long Form DID, thus deprecating the use of pairwise. With this update, your DID in Microsoft Authenticator will be used of every issuer and relaying party exchange. Holders of verifiable credentials using Microsoft Authenticator must get their verifiable credentials reissued as any previous credentials aren't going to continue working.

December 2021

• We added Postman collections to our samples as a quick start to start using the Request Service REST API.
• New sample added that demonstrates the integration of Microsoft Entra Verified ID with Azure AD B2C.
• Sample for setting up the Microsoft Entra Verified ID services using PowerShell and an ARM template.
• Sample Verifiable Credential configuration files to show sample cards for ID Token, IDTokenHit and Self-attested claims.

November 2021

• We made updates to the Request Service REST API for issuance and presentation Callback types enforcing rules so that URL endpoints for callbacks are reachable.
• UX updates to the Microsoft Authenticator verifiable credentials experience: Animations on card selection from the wallet.

October 2021

You can now use Request Service REST API to build applications that can issue and verify credentials from any programming language. This new REST API provides an improved abstraction layer and integration to the Microsoft Entra Verified ID Service.

It's a good idea to start using the API soon, because the NodeJS SDK will be deprecated in the following months. Documentation and samples now use the Request Service REST API. For more information, see Request Service REST API (preview).

April 2021

You can now issue verifiable credentials in Azure AD. This service is useful when you need to present proof of employment, education, or any other claim. The holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed by using cryptographic keys associated with the decentralized identity that the user owns and controls.