What's new in Microsoft Entra Verified ID
This article lists the latest features, improvements, and changes in the Microsoft Entra Verified ID service.
- The FAQ section now contains information on network hardening for Request Service API callbacks.
- Support for did:web:path can be enabled for your Microsoft Entra tenant upon request.
- FaceCheck is generally available starting August 12.
- Face Check introduces the Face Check Add-on as an incremental update to the Face Check public preview. Face Check is a premium feature within Microsoft Entra Verified ID that is free to use during the public preview period ending on Aug 12.
- Quick setup is generally available. It enables an admin to onboard Microsoft Entra Verified ID in a Microsoft Entra tenant with a single button selection.
- Starting February 2024, Verified ID supports the NIST-compliant P-256 curve.
- Wallet Library 1.0.1 supports P-256.
- New concept article on Verified helpdesk, describing how to verify the identity of callers seeking help using Microsoft Entra Verified ID.
- Overriding expirationDate at issuance in the idTokenHint attestation flow requires the contract to have the flag allowOverrideValidityOnIssuance set to true.
- FaceCheck is now in public preview. It allows enterprises to perform high-assurance verifications by performing facial matching between a user’s real-time selfie and a photo in the Verified ID credential. FaceCheck is offered free of cost during the Public Preview period and can be used by any Verified ID project.
- The Request Service API now lets the issuing application set the expiry date of the credential during an issuance request when the attestation uses the idTokenHint flow.
- The option of selecting did:ion as a trust system is removed. The only trust system available is did:web. See the FAQ for help on how to move to did:web from did:ion.
Request Service API now supports claims constraints when making presentation requests. Claims constraints can be used to specify constraints on the Verified ID credential that the verifier is asking to be presented. Available constraints are direct match, contains, and startsWith.
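The three constraint types named above, worked through as an added example for this article (not Microsoft sample code). The constraint object shape used here (claimName with one of values, contains or startsWith) and exact, case-sensitive matching are assumptions; check them against the Presentation API specification before relying on them.

```python
# Added example: evaluating the three claims constraint types a verifier can attach
# to a presentation request. ASSUMPTION: the constraint shape (claimName plus exactly
# one of values / contains / startsWith) and case-sensitive matching mirror the API.
from typing import Any, Dict, List


def constraint_satisfied(claims: Dict[str, Any], constraint: Dict[str, Any]) -> bool:
    """True if the presented credential's claims satisfy one constraint.

    values:     direct match, the claim must equal one of the listed values
    contains:   the claim value must contain the given substring
    startsWith: the claim value must begin with the given prefix
    A claim that is absent from the credential never satisfies a constraint.
    """
    name = constraint["claimName"]
    if name not in claims:
        return False
    actual = str(claims[name])
    if "values" in constraint:
        return actual in {str(v) for v in constraint["values"]}
    if "contains" in constraint:
        return constraint["contains"] in actual
    if "startsWith" in constraint:
        return actual.startswith(constraint["startsWith"])
    raise ValueError(f"constraint on {name!r} has no recognised operator")


def all_constraints_satisfied(claims: Dict[str, Any],
                              constraints: List[Dict[str, Any]]) -> bool:
    """A presentation passes only when every requested constraint holds."""
    return all(constraint_satisfied(claims, c) for c in constraints)


# Constructed sample: claims from a presented VerifiedEmployee credential and the
# constraints a verifier (say, a contractor portal) attached to its request.
SAMPLE_CLAIMS = {
    "givenName": "Alice",
    "jobTitle": "Staff Engineer",
    "mail": "alice.rivera@contoso.example",
}
SAMPLE_CONSTRAINTS = [
    {"claimName": "jobTitle", "values": ["Senior Engineer", "Staff Engineer"]},
    {"claimName": "mail", "contains": "@contoso.example"},
    {"claimName": "givenName", "startsWith": "Ali"},
]

if __name__ == "__main__":
    print("accepted" if all_constraints_satisfied(SAMPLE_CLAIMS, SAMPLE_CONSTRAINTS)
          else "rejected")
```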
- Quick setup introduced as a preview, which enables an admin to onboard a Microsoft Entra tenant with a single button selection.
- MyAccount is now available to simplify issuance of Workplace Credentials.
- Advanced setup is still available as an alternative to Quick setup.
Verified ID is retiring old Request Service API endpoints that were available before Verified ID was generally available. These APIs shouldn't have been used since GA in August 2022, but if they are used in your app, you need to migrate. The API endpoints being retired are:
- POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/request
- GET https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/request/:requestId
- POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/present
- POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/issuance
The first API was for creating an issuance or presentation request. The second API was for retrieving a request, and the last two APIs were for a wallet completing issuance or presentation. The API endpoints to use since preview are:
- POST https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/createPresentationRequest
- POST https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/createIssuanceRequest
- GET https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/presentationRequests/:requestId
- POST https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/completeIssuance
- POST https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/verifyPresentation
The /request API is split into two depending on whether you are creating an issuance or a presentation request.
The retired API endpoints don't work since October 2023.
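A small audit helper, added here and not part of Microsoft's samples, that scans application source or configuration text for the retired endpoint paths listed above and reports the replacement endpoint named on this page. The config snippet it scans is constructed; the tenant name in it is a placeholder.

```python
# Added example: find retired Request Service API endpoints in source/config text.
# Retired and replacement paths are the ones listed in this article; the scanner
# itself is an added helper, not Microsoft sample code.
import re
from typing import List, Tuple

# Retired path suffix (after the tenant segment) -> replacement listed on this page.
RETIRED_PATHS = {
    "request": "POST /v1.0/verifiablecredentials/createIssuanceRequest "
               "or /v1.0/verifiablecredentials/createPresentationRequest",
    "request/{requestId}": "GET /v1.0/verifiablecredentials/presentationRequests/{requestId}",
    "present": "POST /v1.0/verifiablecredentials/verifyPresentation",
    "issuance": "POST /v1.0/verifiablecredentials/completeIssuance",
}

# Retired URLs carry a tenant segment before "verifiablecredentials"; the current
# endpoints do not, so that segment is what makes the pattern specific to old calls.
RETIRED_URL = re.compile(
    r"https://verifiedid\.did\.msidentity\.com/v1\.0/"
    r"(?P<tenant>[^/\s\"']+)/verifiablecredentials/"
    r"(?P<path>request(?:/[^/\s\"']+)?|present|issuance)\b"
)


def find_retired_endpoints(text: str) -> List[Tuple[str, str]]:
    """Return (matched_url, replacement_hint) for every retired endpoint in text."""
    findings = []
    for m in RETIRED_URL.finditer(text):
        path = m.group("path")
        key = "request/{requestId}" if path.startswith("request/") else path
        findings.append((m.group(0), RETIRED_PATHS[key]))
    return findings


# Constructed config: one retired create call, one retired poll, one current endpoint.
SAMPLE_CONFIG = """
ISSUE_URL=https://verifiedid.did.msidentity.com/v1.0/contoso.example/verifiablecredentials/request
POLL_URL=https://verifiedid.did.msidentity.com/v1.0/contoso.example/verifiablecredentials/request/abc-123
NEW_URL=https://verifiedid.did.msidentity.com/v1.0/verifiablecredentials/createPresentationRequest
"""

if __name__ == "__main__":
    for url, hint in find_retired_endpoints(SAMPLE_CONFIG):
        print(f"RETIRED: {url}\n    use -> {hint}")
```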
The presentation_verified callback from the Request Service API now returns when a Verified ID credential was issued and when it expires. Business rules can use these values to determine the time window in which the presented Verified ID credential is valid. An example is a credential that expires in an hour while the business rule requires it to be valid until the end of the day.
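The end-of-day business rule from the example above, applied to a callback body, as an added example for this article (not Microsoft sample code). It assumes the callback carries issuanceDate and expirationDate as ISO 8601 UTC timestamps on each verifiedCredentialsData entry; confirm the field names against the callback reference, and note the request id and issuer DID in the sample are constructed placeholders.

```python
# Added example: checking the validity window reported in a presentation_verified
# callback against a business rule. ASSUMPTION: issuanceDate / expirationDate appear
# on each verifiedCredentialsData entry as ISO 8601 UTC strings.
import json
from datetime import datetime, timedelta, timezone


def make_callback(issued: str, expires: str) -> str:
    """Build a constructed, minimal presentation_verified callback body."""
    return json.dumps({
        "requestStatus": "presentation_verified",
        "requestId": "00000000-0000-0000-0000-000000000000",   # placeholder
        "verifiedCredentialsData": [{
            "issuer": "did:web:issuer.example",                # constructed
            "type": ["VerifiableCredential", "VerifiedEmployee"],
            "issuanceDate": issued,
            "expirationDate": expires,
        }],
    })


def parse_utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def end_of_utc_day(now: datetime) -> datetime:
    return (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def valid_until_end_of_day(callback_json: str, now: datetime) -> bool:
    """Business rule: every presented credential must be valid now AND still be
    valid at the end of the current UTC day, not merely at presentation time."""
    body = json.loads(callback_json)
    if body.get("requestStatus") != "presentation_verified":
        return False
    for vc in body.get("verifiedCredentialsData", []):
        issued = parse_utc(vc["issuanceDate"])
        expires = parse_utc(vc["expirationDate"])
        if not issued <= now < expires:
            return False          # not yet valid, or already expired
        if expires < end_of_utc_day(now):
            return False          # the article's case: expires within the hour
    return True


NOW = datetime(2024, 3, 1, 8, 30, tzinfo=timezone.utc)    # constructed clock
SHORT_LIVED = make_callback("2024-03-01T08:00:00Z", "2024-03-01T09:00:00Z")
DAY_LONG = make_callback("2024-03-01T08:00:00Z", "2024-03-02T08:00:00Z")
```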
A tutorial for getting started with the Wallet Library demo on Android and iOS is now available.
- Wallet Library was announced at Build 2023 in session Reduce fraud and improve engagement using Digital Wallets. The Wallet Library enables customers to add verifiable credentials technology to their own mobile apps. The libraries are available for Android and iOS.
Instructions for setting up place of work verification on LinkedIn are now available.
- The Admin API now supports application access tokens in addition to user bearer tokens.
- Introducing the Microsoft Entra Verified ID Services partner gallery listing trusted partners that can help accelerate your Microsoft Entra Verified ID implementation.
- Improvements to our Administrator onboarding experience in the Admin portal based on customer feedback.
- Updates to our samples in GitHub showcasing how to dynamically display VC claims.
Public preview: Entitlement Management customers can now create access packages that use Microsoft Entra Verified ID.
The Request Service API can now perform a revocation check for presented verifiable credentials that were issued with the StatusList2021 or RevocationList2020 status list types.
- Microsoft Authenticator user experience improvements on pin code, verifiable credential overview, and verifiable credentials requirements.
- Microsoft Entra Verified ID now reports events in the audit log. Only management changes made via the Admin API are currently logged. Issuance or presentations of verifiable credentials aren't reported in the audit log. The log entries have a service name of Verified ID and the activity will be Create authority, Update contract, etc.
- The Request Service API now has granular app permissions: you can grant VerifiableCredential.Create.IssueRequest and VerifiableCredential.Create.PresentRequest separately to segregate the duties of issuance and presentation across separate applications.
- The IDV Partner Gallery is now available in the documentation, guiding you on how to integrate with Microsoft's Identity Verification partners.
- How-to guide for implementing the presentation attestation flow that requires presenting a verifiable credential during issuance.
Microsoft Entra Verified ID is now generally available (GA) as the newest member of the Microsoft Entra portfolio!
- Tenants that opt out without issuing any Verifiable Credential get a "Specified resource does not exist" error from the Admin API and/or the Microsoft Entra admin center. A fix for this issue should be available by August 20, 2022.
The Request Service APIs have a new hostname, verifiedid.did.msidentity.com. The beta.did.msidentity and beta.eu.did.msidentity hostnames continue to work, but you should change your application and configuration. Also, you no longer need to specify .eu. for an EU tenant.
The Request Service APIs have new endpoints and updated JSON payloads. For issuance, see the Issuance API specification, and for presentation, see the Presentation API specification. The old endpoints and JSON payloads continue to work, but you should change your applications to use the new endpoints and payloads.
Request Service API Error codes have been updated
The Admin API is now public and documented. The Azure portal uses the Admin API, and with this REST API you can automate the onboarding of your tenant and the creation of credential contracts.
Find issuers and credentials to verify via the Microsoft Entra Verified ID Network.
For migrating your Azure Storage based credentials to become Managed Credentials there's a PowerShell script in the GitHub samples repo for the task.
We also made the following updates to our Plan and design docs:
- (updated) architecture planning overview.
- (updated) Plan your issuance solution.
- (updated) Plan your verification solution.
- We're adding support for the did:web method. Any new tenant that starts using the Verifiable Credentials Service after June 14, 2022 will have Web as a new, default trust system when onboarding. VC Administrators can still choose to use ION when setting up a tenant. If you want to use did:web instead of ION or vice versa, you need to reconfigure your tenant.
- We're rolling out several features to improve the overall experience of creating verifiable credentials in the Microsoft Entra Verified ID platform:
  - Introducing Managed Credentials, which are verifiable credentials that no longer use Azure Storage to store the display & rules JSON definitions. Their display and rule definitions are different from earlier versions.
  - Create Managed Credentials using the new quickstart experience.
  - Administrators can create a Verified Employee Managed Credential using the new quick start. The Verified Employee is a verifiable credential of type verifiedEmployee that is based on a predefined set of claims from your tenant's directory.
Important
You need to migrate your Azure Storage based credentials to become Managed Credentials. We'll soon provide migration instructions.
- We made the following updates to our docs:
  - (new) Current supported open standards for Microsoft Entra Verified ID.
  - (new) How to create verifiable credentials for ID token hint.
  - (new) How to create verifiable credentials for ID token.
  - (new) How to create verifiable credentials for self-asserted claims.
  - (new) Rules and Display definition model specification.
  - (new) Creating a tenant for development.
We're expanding our service to all Microsoft Entra ID customers! Verifiable credentials are now available to everyone with a Microsoft Entra ID subscription (Free and Premium). Existing tenants that configured the Verifiable Credentials service prior to May 4, 2022 must make a small change to avoid service disruptions.
Starting next month, we're rolling out exciting changes to the subscription requirements for the Verifiable Credentials service. Administrators must perform a small configuration change before May 4, 2022 to avoid service disruptions.
Important
If changes are not applied before May 4, 2022, you will experience errors on issuance and presentation for your application or service using the Microsoft Entra Verified ID Service.
- Microsoft Entra Verified ID customers can now change the domain linked to their DID easily from the Azure portal.
- We made updates to Microsoft Authenticator that change the interaction between the issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for iOS.
We're rolling out some breaking changes to our service. These updates require Microsoft Entra Verified ID service reconfiguration. End-users need to have their verifiable credentials reissued.
- The Microsoft Entra Verified ID service can now store and handle data processing in the Azure European region.
- Microsoft Entra Verified ID customers can take advantage of enhancements to credential revocation. These changes add a higher degree of privacy through the implementation of the W3C Status List 2021 standard.
- We made updates to Microsoft Authenticator that change the interaction between the issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for Android.
Important
All Azure AD Verifiable Credential customers receiving a banner notice in the Azure portal need to go through a service reconfiguration before March 31st 2022. On March 31st 2022 tenants that have not been reconfigured will lose access to any previous configuration. Administrators will have to set up a new instance of the Azure AD Verifiable Credential service. Learn more about how to reconfigure your tenant.
Since the beginning of the Microsoft Entra Verified ID service public preview, the service has only been available in our Azure North America region. Now, the service is also available in our Azure Europe region.
- New customers with Azure AD European tenants now have their Verifiable Credentials data located and processed in our Azure Europe region.
- Customers with Azure AD tenants setup in Europe who start using the Microsoft Entra Verified ID service after February 15, 2022, have their data automatically processed in Europe. There's no need to take any further actions.
- Customers with Azure AD tenants setup in Europe that started using the Microsoft Entra Verified ID service before February 15, 2022, are required to reconfigure the service on their tenants before March 31, 2022.
Take the following steps to configure the Verifiable Credentials service in Europe:
- Check the location of your Azure Active Directory to make sure it is in Europe.
- Reconfigure the Verifiable Credentials service in your tenant.
Important
On March 31st, 2022, European tenants that have not been reconfigured in Europe will lose access to any previous configuration and will need to configure a new instance of the Azure AD Verifiable Credential service.
Applications that use the Microsoft Entra Verified ID service must use the Request API endpoint that corresponds to their Azure AD tenant's region.
| Tenant region | Request API endpoint (POST) |
|---|---|
| Europe | https://beta.eu.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request |
| Non-EU | https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request |
To confirm which endpoint you should use, we recommend checking your Azure AD tenant's region as described previously. If the Azure AD tenant is in the EU, you should use the Europe endpoint.
We're making protocol updates in Microsoft Authenticator to support Single Long Form DID, thus deprecating the use of pairwise DIDs. With this update, your DID in Microsoft Authenticator is used for every issuer and relying party exchange. Holders of verifiable credentials using Microsoft Authenticator must get their verifiable credentials reissued, as any previous credentials aren't going to continue working.
- We added Postman collections to our samples as a quick start to start using the Request Service REST API.
- New sample added that demonstrates the integration of Microsoft Entra Verified ID with Azure AD B2C.
- Sample for setting up the Microsoft Entra Verified ID services using PowerShell and an ARM template.
- Sample Verifiable Credential configuration files to show sample cards for ID Token, IDTokenHint and Self-attested claims.
- We made updates to the Request Service REST API for issuance and presentation. Callback types now enforce rules so that URL endpoints for callbacks are reachable.
- UX updates to the Microsoft Authenticator verifiable credentials experience: Animations on card selection from the wallet.
You can now use Request Service REST API to build applications that can issue and verify credentials from any programming language. This new REST API provides an improved abstraction layer and integration to the Microsoft Entra Verified ID Service.
It's a good idea to start using the API soon, because the NodeJS SDK will be deprecated in the following months. Documentation and samples now use the Request Service REST API. For more information, see Request Service REST API (preview).
You can now issue verifiable credentials in Azure AD. This service is useful when you need to present proof of employment, education, or any other claim. The holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed by using cryptographic keys associated with the decentralized identity that the user owns and controls.