Configure Verified ID settings for an access package in entitlement management

When setting up an access package policy, admins can specify whether it’s for users in the directory, connected organizations, or any external user. Entitlement Management determines if the person requesting the access package is within the scope of the policy.

Sometimes you might want users to present additional identity proofs during the request process such as a training certification, work authorization, or citizenship status. As an access package manager, you can require that requestors present a verified ID containing those credentials from a trusted issuer. Approvers can then quickly view if a user’s verifiable credentials were validated at the time that the user presented their credentials and submitted the access package request.

As an access package manager, you can include verified ID requirements for an access package at any time by editing an existing policy or adding a new policy for requesting access.

This article describes how to configure the verified ID requirement settings for an access package.

Prerequisites

Before you begin, you must set up your tenant to use the Microsoft Entra Verified ID service. You can find detailed instructions on how to do that here: Configure your tenant for Microsoft Entra Verified ID.

License requirements

Using this feature requires Microsoft Entra ID Governance licenses. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals.

Create an access package with verified ID requirements

Tip

Steps in this article may vary slightly based on the portal you start from.

To add a verified ID requirement to an access package, you must start from the access package’s requests tab. Follow these steps to add a verified ID requirement to a new access package.

Prerequisite role: Global administrator

Note

Identity Governance administrator, User administrator, Catalog owner, or Access package manager will be able to add verified ID requirements to access packages soon.

  1. Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.

  2. Browse to Identity governance > Entitlement management > Access package.

  3. On the Access packages page select + New access package.

  4. On the Requests tab, scroll to the Required Verified Ids section.

  5. Select + Add issuer and choose an issuer from the Microsoft Entra Verified ID network. If you want to issue your own credentials to users, see: Issue Microsoft Entra Verified ID credentials from an application. Select issuer for Microsoft Entra Verified I D.

  6. Select the credential type(s) you want users to present during the request process. Screenshot of credential types for Microsoft Entra Verified I D.

    Note

    If you select multiple credential types from one issuer, users will be required to present credentials of all selected types. Similarly, if you include multiple issuers, users will be required to present credentials from each of the issuers you include in the policy. To give users the option of presenting different credentials from various issuers, configure separate policies for each issuer/credential type you’ll accept.

  7. Select Add to add the verified ID requirement to the access package policy.

  8. Once you have finished configuring the rest of the settings, you can review your selections on the Review + create tab. You can see all verified ID requirements for this access package policy in the Verified IDs section. Screenshot of a list of verified IDs.

Request an access package with verified ID requirements

Once an access package is configured with a verified ID requirement, end-users who are within the scope of the policy are able to request access using the My Access portal. Similarly, approvers are able to see the claims of the VCs presented by requestors when reviewing requests for approval.

The requestor steps are as follows:

  1. Go to myaccess.microsoft.com and sign in.

  2. Search for the access package you want to request access to (you can browse the listed packages or use the search bar at the top of the page) and select Request.

  3. If the access package requires you to present a verified ID, you should see a grey information banner as shown here: Screenshot of the present verified ID for access package option.

  4. Select Request Access. You should now see a QR code. Use your phone to scan the QR code. This launches Microsoft Authenticator, where you'll be prompted to share your credentials. Screenshot of use QR code for verified IDs.

  5. After you share your credentials, My Access will automatically take you to the next step of the request process.

Next steps

Delegate access governance to access package managers