Note
Azure Active Directory Verifiable Credentials is now Microsoft Entra Verified ID and part of the Microsoft Entra family of products. Learn more about the Microsoft Entra family of identity solutions and get started in the unified Microsoft Entra admin center.
Prerequisites
To link your DID to your domain, you need to have completed the following.
- Complete the Getting Started and subsequent tutorial set.
Why do we need to link our DID to our domain?
A DID starts out as an identifier that isn't anchored to existing systems. A DID is useful because a user or organization can own it and control it. If an entity interacting with the organization doesn't know 'who' the DID belongs to, then the DID isn't as useful.
Linking a DID to a domain solves the initial trust problem by allowing any entity to cryptographically verify the relationship between a DID and a Domain.
When do you need to update the domain in your DID?
If the domain associated with your company changes, you also need to change the domain in your DID document. You can update the domain in your DID directly from the Microsoft Entra Verified ID blade in the Azure portal.
How do we link DIDs and domains?
We follow the Well-Known DID configuration specification when creating the link. The verifiable credentials service links your DID and domain. The service includes the domain information that you provided in your DID, and generates the well-known config file:
Azure AD uses the domain information you provide during organization setup to write a Service Endpoint within the DID Document. All parties who interact with your DID can see the domain your DID proclaims to be associated with.
"service": [
  {
    "id": "#linkeddomains",
    "type": "LinkedDomains",
    "serviceEndpoint": {
      "origins": [
        "https://www.contoso.com/"
      ]
    }
  }
]
The verifiable credential service in Azure AD generates a compliant well-known configuration resource that you can host on your domain. The configuration file includes a self-issued verifiable credential of credentialType 'DomainLinkageCredential' signed with your DID that has an origin of your domain. Here's an example of the config doc that is stored at the root domain URL.
{
  "@context": "https://identity.foundation/.well-known/contexts/did-configuration-v0.0.jsonld",
  "linked_dids": [
    "jwt..."
  ]
}
After you have the well-known configuration file, you need to make the file available using the domain name you specified when you enabled your Azure AD for verifiable credentials.
- Host the well-known DID configuration file at the root of the domain.
- Don't use redirects.
- Use https to distribute the configuration file.
Important
Microsoft Authenticator doesn't honor redirects; the URL specified must be the final destination URL.
User experience in the wallet
When a user is going through an issuance flow or presenting a verifiable credential, they should know something about the organization and its DID. Microsoft Authenticator validates a DID's relationship with the domain in the DID document and presents users with two different experiences depending on the outcome.
Verified domain
Before Microsoft Authenticator displays a Verified icon, a few things need to be true:
- The DID signing the Self-Issued OpenID Provider (SIOP) request must have a Service endpoint for Linked Domain.
- The root domain doesn't use a redirect and uses https.
- The domain listed in the DID Document has a resolvable well-known resource.
- The well-known resource's verifiable credential is signed with the same DID that was used to sign the SIOP that Microsoft Authenticator used to kick start the flow.
If all of the previously mentioned are true, then Microsoft Authenticator displays a verified page and includes the domain that was validated.
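The four conditions above are what a relying party has to re-derive from the DID document and the well-known file. The following is an added example, not Microsoft's or Authenticator's code, that replays those checks in Go: a DomainLinkageCredential JWT is built and ES256-signed with a DID's key, then verified to be (a) signed by that same DID's key, (b) self-issued (iss, sub and credentialSubject.id all equal the DID), and (c) claiming an origin that both appears in the DID document's LinkedDomains serviceEndpoint and equals the HTTPS origin the file was fetched from. Assumptions not taken from the article: the DID (did:web:www.contoso.com) is constructed; the key is a P-256/ES256 key (the trust system you use may issue a different key type); the DID document's origins are passed in directly rather than resolved over the network; the JWS signature is the standard raw r||s encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims of the self-issued DomainLinkageCredential JWT carried in linked_dids (trimmed to what is checked).
type linkagePayload struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	VC  struct {
		Subj struct {
			ID     string `json:"id"`
			Origin string `json:"origin"`
		} `json:"credentialSubject"`
	} `json:"vc"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// norm lowercases an origin and drops a trailing slash, so "https://www.contoso.com/" equals "https://www.contoso.com".
func norm(origin string) string { return strings.TrimSuffix(strings.ToLower(origin), "/") }

// signLinkage stands in for what the service generates: a JWT with iss == sub == DID, ES256-signed (raw r||s).
func signLinkage(priv *ecdsa.PrivateKey, did, origin string) (string, error) {
	var p linkagePayload
	p.Iss, p.Sub, p.VC.Subj.ID, p.VC.Subj.Origin = did, did, did, origin
	head, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(p)
	input := b64(head) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// verifyLinkage replays the wallet-side checks: signature made with the DID's own key, self-issued
// (iss == sub == credentialSubject.id == DID), and an origin that is declared in the DID document's
// LinkedDomains endpoint and equal to the HTTPS origin the file was actually fetched from.
func verifyLinkage(jwt string, pub *ecdsa.PublicKey, did string, docOrigins []string, fetchedOrigin string) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature was not made with the DID's key")
	}
	var p linkagePayload
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &p) != nil {
		return errors.New("undecodable JWT payload")
	}
	if p.Iss != did || p.Sub != did || p.VC.Subj.ID != did {
		return errors.New("credential is not self-issued by the DID under test")
	}
	origin := norm(p.VC.Subj.Origin)
	if !strings.HasPrefix(origin, "https://") || origin != norm(fetchedOrigin) {
		return errors.New("file was not served over HTTPS from the origin the credential claims")
	}
	for _, o := range docOrigins {
		if norm(o) == origin {
			return nil
		}
	}
	return errors.New("credential origin is not declared in the DID document's LinkedDomains endpoint")
}

// runDemo links a constructed DID to https://www.contoso.com and reports whether the same file is
// accepted when fetched from that origin and rejected when fetched from any other host.
func runDemo() (linkAccepted, otherHostRejected bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false
	}
	did := "did:web:www.contoso.com"                    // constructed sample DID
	docOrigins := []string{"https://www.contoso.com/"} // origins from the DID document's LinkedDomains serviceEndpoint
	jwt, err := signLinkage(priv, did, "https://www.contoso.com")
	if err != nil {
		return false, false
	}
	return verifyLinkage(jwt, &priv.PublicKey, did, docOrigins, "https://www.contoso.com") == nil,
		verifyLinkage(jwt, &priv.PublicKey, did, docOrigins, "https://contoso.example.net") != nil
}

func main() { fmt.Println(runDemo()) }
```

The origin comparison is deliberately strict: a genuine, correctly signed file copied to another host still fails, because the credential's origin is checked against where the file was actually fetched from, not just against the DID document. A real verifier would first resolve the DID document (ION or did:web) to obtain both the public key and the LinkedDomains origins that this example takes as inputs.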
Unverified domain
If any of the above aren't true, Microsoft Authenticator displays a full-page warning to the user indicating that the domain is unverified. The user is warned that they are in the middle of a potentially risky transaction and should proceed with caution. We have chosen to take this route because:
- The DID is either not anchored to a domain.
- The configuration wasn't set up properly.
- The DID that the user is interacting with could be malicious and actually can't prove that they own the domain linked.
It is very important that you link your DID to a domain recognizable to the user.
How do you update the linked domain on your DID?
- Navigate to the Verified ID in the Azure portal.
- On the left side of the page, select Registration.
- In the Domain box, enter your new domain name.
- Select Publish.
If the trust system is ION, it might take up to two hours for your DID document to be updated in the ION network with the new domain information. No other changes to the domain are possible before the changes are published. If the trust system is Web, the changes are public as soon as you replace the did-configuration.json file on your web server.
Note
If your changes are successful, you will need to verify your newly added domain.
Do I need to wait for my DID Doc to be updated to verify my newly added domains?
Yes. You need to wait until the config.json file gets updated before you publish it using your domain's hosting location.
How do I know when the linked domain update has successfully completed?
If the trust system is ION, once the domain changes are published to ION, the domain section inside the Microsoft Entra Verified ID service will display Published as the status and you should be able to make new changes to the domain. If the trust system is Web, the changes are public as soon as you replace the did-configuration.json file on your web server.
Important
No changes to your domain are possible while publishing is in progress.
Distribute well-known config
From the Azure portal, navigate to the Verified ID page. Select Registration and choose Verify for the domain.
Download the did-configuration.json file shown in the image below.
Copy the linked_did value (JWT), open https://jwt.ms/, paste the JWT, and validate the domain is correct.
Copy your DID and open the ION Network Explorer to verify the same domain is included in the DID Document.
Host the well-known config resource at the location specified. Example:
https://www.example.com/.well-known/did-configuration.json
Test out issuing or presenting with Microsoft Authenticator to validate. Make sure the setting in Authenticator 'Warn about unsafe apps' is toggled on.
Note
By default, 'Warn about unsafe apps' is turned on.
Congratulations, you now have bootstrapped the web of trust with your DID!
How can I verify that the verification is working?
The portal verifies that the did-configuration.json file is reachable and correct when you select the Refresh verification status button. You should also verify that you can request that URL in a browser, to catch errors like not using https, a bad SSL certificate, or the URL not being public. If the did-configuration.json file can't be requested anonymously in a browser or via tools such as curl, without warnings or errors, the portal won't be able to complete the Refresh verification status step either.
Note
If you're experiencing problems refreshing your verification status, you can troubleshoot by running curl -Iv https://yourdomain.com/.well-known/did-configuration.json on a machine running Ubuntu. Windows Subsystem for Linux with Ubuntu works too. If curl fails, refreshing the verification status won't work either.
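The curl check above exercises the hosting rules from earlier in the article (https, root of the domain, no redirects, anonymously reachable). The following is an added example, not part of the article or of Microsoft's tooling, that encodes the same rules in a Go fetcher and exercises them offline against two constructed local TLS servers: one serving the file directly at /.well-known/did-configuration.json, and one answering with a 301 to another path, which must be treated as a failure because the wallet doesn't follow redirects. The linked_dids value in the constructed file is a placeholder rather than a real JWT; this example checks hosting and transport only, not the credential itself.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// wellKnownPath is where the article says the file has to live: at the root of the domain.
const wellKnownPath = "/.well-known/did-configuration.json"

// fetchDIDConfiguration retrieves the well-known file under the hosting rules above: https only,
// the exact root-level well-known path, a direct 200 response (a redirect of any kind is a failure
// because the wallet doesn't follow it), and a JSON body with a non-empty linked_dids array.
func fetchDIDConfiguration(client *http.Client, rawURL string) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, errors.New("configuration must be served over https")
	}
	if u.Path != wellKnownPath {
		return nil, errors.New("configuration must be hosted at " + wellKnownPath + " under the domain root")
	}
	c := *client // copy so the caller's client keeps its own redirect policy
	c.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := c.Get(rawURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("expected 200 from the final URL, got %d (redirects are not honored)", resp.StatusCode)
	}
	var cfg struct {
		Context    string   `json:"@context"`
		LinkedDIDs []string `json:"linked_dids"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
		return nil, fmt.Errorf("body is not valid JSON: %w", err)
	}
	if len(cfg.LinkedDIDs) == 0 {
		return nil, errors.New("linked_dids is missing or empty")
	}
	return cfg.LinkedDIDs, nil
}

// constructedConfig mirrors the shape of the file the portal lets you download; the JWT is a placeholder.
const constructedConfig = `{"@context":"https://identity.foundation/.well-known/contexts/did-configuration-v0.0.jsonld","linked_dids":["<placeholder-jwt>"]}`

// runHostingDemo starts two constructed local TLS servers, one serving the file directly at the
// well-known path and one answering with a 301 to a different path, and reports whether the first
// was accepted and the second rejected.
func runHostingDemo() (directAccepted, redirectRejected bool) {
	direct := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != wellKnownPath {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, constructedConfig)
	}))
	defer direct.Close()
	redirecting := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == wellKnownPath {
			http.Redirect(w, r, "/config/did-configuration.json", http.StatusMovedPermanently)
			return
		}
		fmt.Fprint(w, constructedConfig)
	}))
	defer redirecting.Close()
	_, errDirect := fetchDIDConfiguration(direct.Client(), direct.URL+wellKnownPath)
	_, errRedirect := fetchDIDConfiguration(redirecting.Client(), redirecting.URL+wellKnownPath)
	return errDirect == nil, errRedirect != nil
}

func main() { fmt.Println(runHostingDemo()) }
```

Against a real host you would pass http.DefaultClient and your own https URL; the scheme and path checks run before any request is made, so a plain-http URL or a file placed somewhere other than the domain root fails immediately, which is the same class of error the curl -Iv check surfaces.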
Linked Domain made easy for developers
The easiest way for a developer to get a domain to use for Linked Domain is to use Azure Storage's static website feature. You can't control what the domain name will be, other than that it will contain your storage account name as part of its hostname.
Follow these steps to quickly set up a domain to use for Linked Domain:
- Create an Azure Storage account. During storage account creation, choose StorageV2 (general-purpose v2 account) and Locally redundant storage (LRS).
- Go to that Storage Account and select Static website in the left-hand menu and enable static website. If you can't see the Static website menu item, you didn't create a V2 storage account.
- Copy the primary endpoint name that appears after saving. This value is your domain name. It looks something like https://<your-storageaccountname>.z6.web.core.windows.net/.
When it comes time to upload the did-configuration.json file, take the following steps:
- Go to that Storage Account and select Containers in the left-hand menu. Then select the container named $web.
- Select Upload and select the folder icon to find your file.
- Before uploading, open the Advanced section and specify .well-known in the Upload to folder textbox.
- Upload the file.
You now have your file publicly available at a URL that looks something like https://<your-storageaccountname>.z6.web.core.windows.net/.well-known/did-configuration.json.
Next steps
- How to customize your Microsoft Entra Verified ID