Quick Microsoft Entra Verified ID setup
Quick Verified ID setup replaces several configuration steps an admin would otherwise need to complete with a single selection of the Get started button. The quick setup takes care of the signing keys, registers your decentralized ID, and verifies your domain ownership. It also creates a Verified Workplace Credential for you.
In this tutorial, you learn how to use the quick setup to configure your Microsoft Entra tenant to use the verifiable credentials service.
Specifically, you learn how to:
- Configure the Verified ID service using the quick setup.
- Control the issuance of Verified Workplace Credentials in MyAccount.
Prerequisites
- Ensure that you have the Global Administrator or the authentication policy administrator permission for the directory you want to configure. If you're not the Global Administrator, you need the application administrator permission to complete the app registration including granting admin consent.
- Ensure that you have a custom domain registered for the Microsoft Entra tenant. If you don't have one registered, the setup defaults to the advanced setup experience.
Note
The Quick setup method is currently not supported in EDU Entra tenants.
How Quick Verified ID setup works
- A shared signing key, managed by Microsoft, is used across multiple tenants within a given region. It's no longer required to deploy Azure Key Vault.
- There's a limit of two requests per second (RPS) per tenant for issuance and verifications.
- Since it's a shared key, the validityInterval of issued credentials is limited to a maximum of six months.
- The custom domain registered for your Microsoft Entra tenant is used for domain verification. It's no longer required to upload your DID configuration JSON to verify your domain. If you don't have a custom domain registered for your tenant, you can't set up Verified ID using the quick setup method.
- If you have customized your tenant's branding, the VerifiedEmployee default credential picks up logo and background color from there. If you haven't or prefer other values, you can make changes after setup is complete.
- The decentralized identifier (DID) gets a name like did:web:verifiedid.entra.microsoft.com:tenantid:authority-id and the DID document is discoverable following the did:web specification.
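The mapping from a did:web name to the location of its DID document, as an added example that is not part of the original article or Microsoft's code. It applies the did:web resolution rules to the DID shape shown above and checks that a fetched document's id matches the DID. The function names, the extra segment hardening, and the sample document are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d+)?")
SEGMENT_RE = re.compile(r"[A-Za-z0-9._~%-]+")

def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID document."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    host_part, *path = did[len("did:web:"):].split(":")
    # Only the host may carry a percent-encoded colon (%3A) for a port.
    host = unquote(host_part)
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host in did:web identifier")
    # Extra hardening (an assumption, not required by the spec): refuse
    # empty, "." or ".." segments that would alter the URL structure.
    for seg in path:
        if not SEGMENT_RE.fullmatch(seg) or seg in (".", ".."):
            raise ValueError(f"invalid path segment: {seg!r}")
    if path:
        # Colon-separated segments become the URL path.
        return f"https://{host}/{'/'.join(path)}/did.json"
    # A bare domain resolves under /.well-known.
    return f"https://{host}/.well-known/did.json"

def check_did_document(did: str, document: dict) -> list:
    """Return the problems found when matching a fetched document to the DID."""
    problems = []
    # did:web requires the document id to equal the DID being resolved.
    if document.get("id") != did:
        problems.append("document id does not match the resolved DID")
    if not document.get("verificationMethod"):
        problems.append("document lists no verification methods")
    return problems

# The DID shape shown in the article, with its placeholder segments.
PAGE_DID = "did:web:verifiedid.entra.microsoft.com:tenantid:authority-id"

# Constructed sample document, not real service output.
SAMPLE_DOC = {
    "id": PAGE_DID,
    "verificationMethod": [
        {"id": PAGE_DID + "#key-1", "type": "JsonWebKey2020", "controller": PAGE_DID}
    ],
}

if __name__ == "__main__":
    print(did_web_to_url(PAGE_DID))
    print(check_did_document(PAGE_DID, SAMPLE_DOC))
```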
Note
If the quick setup doesn't meet your requirements, use the Advanced setup.
Set up Verified ID
If you have a custom domain registered for your Microsoft Entra tenant, you see this Get started option. If you don't have a custom domain registered, either register it before setting up Verified ID or continue using the advanced setup.
To set up Verified ID, follow these steps:
Sign in to the Microsoft Entra admin center as a Global Administrator.
Select Verified ID.
From the left menu, select Setup.
Select the Get started button.
If you have multiple domains registered for your Microsoft Entra tenant, select the one you would like to use for Verified ID.
When the setup process is complete, you see a default workplace credential available to edit and offer to employees of your tenant on their MyAccount page.
MyAccount available now to simplify issuance of Workplace Credentials
Issuing Verified Workplace Credentials is now available via myaccount.microsoft.com. Users can sign in to MyAccount using their Microsoft Entra credentials and issue themselves a Verified Workplace Credential via the Get my Verified ID option.
As an admin, you can either remove the option in MyAccount and create your own custom application for issuing Verified Workplace Credentials, or select specific groups of users who can use MyAccount to issue credentials for themselves.
Note
When you have made a configuration change for issuing credentials through My Account, expect some minutes of delay before the change takes effect.
Register an application in Microsoft Entra ID
If you're planning to use custom credentials or set up your own application for Verified ID issuance or verification, you need to register an application and grant it the appropriate permissions. Follow the corresponding section in the advanced setup to register an application.