Link your Domain to your Decentralized Identifier (DID) - Microsoft Entra Verified ID - Microsoft Entra (2023)


Note

Azure Active Directory Verifiable Credentials is now Microsoft Entra Verified ID and part of the Microsoft Entra family of products. Learn more about the Microsoft Entra family of identity solutions and get started in the unified Microsoft Entra admin center.

Prerequisites

To link your DID to your domain, you need to have completed the following.

  • Complete the Getting Started and subsequent tutorial set.

Why do we need to link our DID to our domain?

A DID starts out as an identifier that isn't anchored to existing systems. A DID is useful because a user or organization can own it and control it. If an entity interacting with the organization doesn't know 'who' the DID belongs to, then the DID isn't as useful.

Linking a DID to a domain solves the initial trust problem by allowing any entity to cryptographically verify the relationship between a DID and a Domain.

When do you need to update the domain in your DID?

If the domain associated with your company changes, you also need to change the domain in your DID document. You can update the domain in your DID directly from the Microsoft Entra Verified ID blade in the Azure portal.

How do we link DIDs and domains?

We follow the Well-Known DID configuration specification when creating the link. The verifiable credentials service links your DID and domain. The service includes the domain information that you provided in your DID, and generates the well-known config file:


  1. Azure AD uses the domain information you provide during organization setup to write a Service Endpoint within the DID Document. All parties who interact with your DID can see the domain your DID proclaims to be associated with.

    "service": [
      {
        "id": "#linkeddomains",
        "type": "LinkedDomains",
        "serviceEndpoint": {
          "origins": [ "https://www.contoso.com/" ]
        }
      }
    ]

  2. The verifiable credential service in Azure AD generates a compliant well-known configuration resource that you can host on your domain. The configuration file includes a self-issued verifiable credential of credentialType 'DomainLinkageCredential' signed with your DID that has an origin of your domain. Here's an example of the config doc that is stored at the root domain URL.

    {
      "@context": "https://identity.foundation/.well-known/contexts/did-configuration-v0.0.jsonld",
      "linked_dids": [ "jwt..." ]
    }

After you have the well-known configuration file, you need to make the file available using the domain name you specified when you enabled your Azure AD for verifiable credentials.

  • Host the well-known DID configuration file at the root of the domain.
  • Don't use redirects.
  • Use https to distribute the configuration file.

Important

Microsoft Authenticator doesn't honor redirects; the URL you specify must be the final destination URL.

User experience in the wallet

When a user is going through an issuance flow or presenting a verifiable credential, they should know something about the organization and its DID. Microsoft Authenticator validates a DID's relationship with the domain in the DID document and presents users with two different experiences depending on the outcome.

Verified domain

Before Microsoft Authenticator displays a Verified icon, a few things need to be true:

  • The DID signing the Self-Issued OpenID Provider (SIOP) request must have a service endpoint for Linked Domains.
  • The root domain doesn't use a redirect and uses https.
  • The domain listed in the DID Document has a resolvable well-known resource.
  • The well-known resource's verifiable credential is signed with the same DID that was used to sign the SIOP that Microsoft Authenticator used to kick start the flow.

If all of the previously mentioned are true, then Microsoft Authenticator displays a verified page and includes the domain that was validated.
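The four conditions above can be checked mechanically once you hold the DID document, the did-configuration.json and the DID that signed the SIOP request. The script below is an added example (not Microsoft's or Authenticator's code) that applies them to a constructed Contoso sample: the DID document, the DomainLinkageCredential JWT and its signature bytes are all made up here, and the `demo_key_check` callback is an assumed stand-in for real signature verification, which needs the DID's resolved keys and a JOSE library.

```python
"""Offline check of a Well-Known DID Configuration against a DID document.

Added example, not Microsoft's or Authenticator's code. It applies the
conditions for the Verified icon: a LinkedDomains service endpoint with an
https root origin, a did-configuration.json carrying a DomainLinkageCredential,
and that credential being issued by the same DID that signed the SIOP request.
"""
import base64
import json
from urllib.parse import urlparse

CONTEXT = "https://identity.foundation/.well-known/contexts/did-configuration-v0.0.jsonld"
ASYMMETRIC_ALGS = ("ES256K", "EdDSA", "ES256")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Split a compact JWS into (header, payload, signing_input, signature); no verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[0] + "." + parts[1], b64url_decode(parts[2])


def linked_origins(did_document: dict) -> list:
    """Origins declared by the DID document's LinkedDomains service entries."""
    origins = []
    for svc in did_document.get("service", []):
        if svc.get("type") == "LinkedDomains":
            origins.extend(svc.get("serviceEndpoint", {}).get("origins", []))
    return origins


def check_linked_domain(did_document: dict, did_config: dict, siop_signer_did: str, verify_signature):
    """Return (verified, problems); verified is True only when every condition holds."""
    problems = []
    did = did_document.get("id")
    if did != siop_signer_did:
        problems.append("SIOP request was signed by a different DID than the one being checked")
    origins = linked_origins(did_document)
    if not origins:
        problems.append("DID document has no LinkedDomains service endpoint")
    for origin in origins:
        parsed = urlparse(origin)
        if parsed.scheme != "https" or parsed.path not in ("", "/"):
            problems.append(f"origin {origin} is not an https root")
    if did_config.get("@context") != CONTEXT:
        problems.append("unexpected @context in did-configuration.json")
    tokens = did_config.get("linked_dids") or []
    if not tokens:
        problems.append("did-configuration.json carries no linked_dids")
    for token in tokens:
        try:
            header, payload, signing_input, signature = decode_jwt(token)
        except ValueError:  # bad base64url, bad UTF-8 or bad JSON all derive from ValueError
            problems.append("linked_dids entry is not a decodable JWT")
            continue
        vc = payload.get("vc", {})
        subject = vc.get("credentialSubject", {})
        if "DomainLinkageCredential" not in vc.get("type", []):
            problems.append("linked_dids entry is not a DomainLinkageCredential")
        elif not (payload.get("iss") == payload.get("sub") == subject.get("id") == did):
            problems.append("credential iss, sub and credentialSubject.id must all equal the DID")
        elif subject.get("origin") not in origins:
            problems.append(f"credential origin {subject.get('origin')!r} is not in the DID document")
        elif not verify_signature(header, signing_input, signature, did_document):
            problems.append("credential signature did not verify against the DID's keys")
    return not problems, problems


def demo_key_check(header, signing_input, signature, did_document) -> bool:
    """Assumed stand-in for signature verification (not Authenticator's logic): confirms kid names a
    verificationMethod of the DID, alg is asymmetric and a signature is present. A real verifier
    must check `signature` over `signing_input` with that key using a JOSE library."""
    kid = header.get("kid", "")
    did = did_document.get("id", "")
    if kid.startswith("#"):
        kid = did + kid
    known = {vm.get("id") for vm in did_document.get("verificationMethod", [])}
    return kid in known and header.get("alg") in ASYMMETRIC_ALGS and len(signature) > 0


# Constructed sample: shape follows the service entry shown on this page; keys and signature are fake.
CONTOSO_DID = "did:web:www.contoso.com"
DID_DOCUMENT = {
    "id": CONTOSO_DID,
    "verificationMethod": [{"id": CONTOSO_DID + "#key-1", "type": "JsonWebKey2020", "controller": CONTOSO_DID}],
    "service": [{"id": "#linkeddomains", "type": "LinkedDomains",
                 "serviceEndpoint": {"origins": ["https://www.contoso.com/"]}}],
}
DEMO_JWT = ".".join([
    b64url_encode(json.dumps({"alg": "ES256K", "typ": "JWT", "kid": CONTOSO_DID + "#key-1"}).encode()),
    b64url_encode(json.dumps({"iss": CONTOSO_DID, "sub": CONTOSO_DID, "vc": {
        "type": ["VerifiableCredential", "DomainLinkageCredential"],
        "credentialSubject": {"id": CONTOSO_DID, "origin": "https://www.contoso.com/"}}}).encode()),
    b64url_encode(b"constructed-signature-bytes"),
])
DID_CONFIG = {"@context": CONTEXT, "linked_dids": [DEMO_JWT]}


def demo():
    """Run the check on the constructed Contoso sample; every condition holds, so expect (True, [])."""
    return check_linked_domain(DID_DOCUMENT, DID_CONFIG, CONTOSO_DID, demo_key_check)


if __name__ == "__main__":
    print(demo())
```

Each failed condition is reported separately rather than short-circuiting, which is what you want when debugging a domain that Authenticator shows as unverified: a DID mismatch with the SIOP signer, a missing service endpoint and an origin mismatch are distinct misconfigurations with distinct fixes.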



Unverified domain

If any of the conditions above isn't met, Microsoft Authenticator displays a full-page warning to the user indicating that the domain is unverified. The user is warned that they're in the middle of a potentially risky transaction and should proceed with caution. We've chosen this route because one of the following is true:

  • The DID isn't anchored to a domain.
  • The configuration wasn't set up properly.
  • The DID the user is interacting with could be malicious and can't prove that it owns the linked domain.

It is of high importance that you link your DID to a domain recognizable to the user.


How do you update the linked domain on your DID?

  1. Navigate to the Verified ID in the Azure portal.
  2. On the left side of the page, select Registration.
  3. In the Domain box, enter your new domain name.
  4. Select Publish.


If the trust system is ION, it might take up to two hours for your DID document to be updated in the ION network with the new domain information. No other changes to the domain are possible before the changes are published. If the trust system is Web, the changes are public as soon as you replace the did-configuration.json file on your web server.

Note

If your changes are successful, you need to verify your newly added domain.


Do I need to wait for my DID Doc to be updated to verify my newly added domains?

Yes. You need to wait until the config.json file gets updated before you publish it using your domain's hosting location.


How do I know when the linked domain update has successfully completed?

If the trust system is ION, once the domain changes are published to ION, the domain section inside the Microsoft Entra Verified ID service will display Published as the status and you should be able to make new changes to the domain. If the trust system is Web, the changes are public as soon as you replace the did-configuration.json file on your web server.

Important

No changes to your domain are possible while publishing is in progress.

Distribute well-known config

  1. From the Azure portal, navigate to the Verified ID page. Select Registration and choose Verify for the domain.

  2. Download the did-configuration.json file shown in the image below.


  3. Copy the linked_did value (JWT), open https://jwt.ms/, paste the JWT, and validate the domain is correct.

  4. Copy your DID and open the ION Network Explorer to verify the same domain is included in the DID Document.

  5. Host the well-known config resource at the location specified. Example: https://www.example.com/.well-known/did-configuration.json


  6. Test out issuing or presenting with Microsoft Authenticator to validate. Make sure the setting in Authenticator 'Warn about unsafe apps' is toggled on.

Note

By default, 'Warn about unsafe apps' is turned on.

Congratulations, you now have bootstrapped the web of trust with your DID!

How can I verify that the verification is working?

The portal verifies that the did-configuration.json is reachable and correct when you click the Refresh verification status button. You should also consider verifying that you can request that URL in a browser to avoid errors like not using https, a bad SSL certificate or the URL not being public. If the did-configuration.json file cannot be requested anonymously in a browser or via tools such as curl, without warnings or errors, the portal will not be able to complete the Refresh verification status step either.

Note

If you're experiencing problems refreshing your verification status, you can troubleshoot by running curl -Iv https://yourdomain.com/.well-known/did-configuration.json on a machine with Ubuntu OS. Windows Subsystem for Linux with Ubuntu will work too. If curl fails, refreshing the verification status won't work either.
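The curl check above is probing three things at once: the file is reachable anonymously, the TLS certificate validates, and no redirect sits in front of the URL. The following script is an added example (not Microsoft's tooling) that makes the same request from Python with redirects refused and certificate verification on, and reports which of those conditions failed. `ScriptedOpener` is an offline test double assumed here so the logic can be exercised without a network; `build_opener()` is the real one.

```python
"""Probe a Linked Domain's did-configuration.json the way the portal's
"Refresh verification status" step and Microsoft Authenticator fetch it:
anonymous GET over https, certificate verification on, no redirects.
Added example, not Microsoft's tooling."""
import json
import ssl
import urllib.error
import urllib.request
from email.message import Message

WELL_KNOWN_PATH = "/.well-known/did-configuration.json"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Authenticator doesn't honor redirects, so the probe must not follow them either."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def well_known_url(domain: str) -> str:
    """Build the config URL from a bare hostname so the file is requested at the domain root."""
    host = domain.strip().lower()
    if not host or "://" in host or "/" in host:
        raise ValueError("pass a bare hostname such as www.contoso.com")
    return "https://" + host + WELL_KNOWN_PATH


def build_opener():
    """Real opener: the default SSL context verifies chain and hostname; redirects are refused."""
    ctx = ssl.create_default_context()
    return urllib.request.build_opener(NoRedirect(), urllib.request.HTTPSHandler(context=ctx))


class ScriptedOpener:
    """Offline stand-in for build_opener() (assumption for the demo): replays one HTTP outcome."""
    def __init__(self, status=200, body=b"", location=None):
        self.status, self.body, self.location = status, body, location

    def open(self, req, timeout=None):
        if self.status >= 300:
            hdrs = Message()
            if self.location:
                hdrs["Location"] = self.location
            raise urllib.error.HTTPError(req.full_url, self.status, "scripted", hdrs, None)
        return _ScriptedResponse(self.status, self.body)


class _ScriptedResponse:
    def __init__(self, status, body):
        self._status, self._body = status, body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def getcode(self):
        return self._status
    def read(self):
        return self._body


def probe(url: str, opener=None, timeout: float = 10.0) -> dict:
    """Return {'ok', 'status', 'reason', 'linked_dids'} explaining whether the fetch would pass."""
    opener = opener or build_opener()
    req = urllib.request.Request(url, headers={"Accept": "application/json"})

    def fail(status, reason):
        return {"ok": False, "status": status, "reason": reason, "linked_dids": 0}

    try:
        with opener.open(req, timeout=timeout) as resp:
            status, body = resp.getcode(), resp.read()
    except urllib.error.HTTPError as e:
        if 300 <= e.code < 400:
            target = e.headers.get("Location") if e.headers else None
            return fail(e.code, f"redirect to {target}; the URL must be the final destination")
        return fail(e.code, f"HTTP {e.code} from server")
    except urllib.error.URLError as e:
        kind = "TLS certificate problem" if isinstance(e.reason, ssl.SSLError) else "connection failure"
        return fail(None, f"{kind}: {e.reason}")
    try:
        doc = json.loads(body)
    except ValueError:
        return fail(status, "body is not valid JSON")
    dids = doc.get("linked_dids") if isinstance(doc, dict) else None
    if not dids:
        return fail(status, "document has no linked_dids")
    return {"ok": True, "status": status, "reason": "reachable over https without redirect",
            "linked_dids": len(dids)}


if __name__ == "__main__":
    # Offline demonstration with the scripted opener; drop opener= to probe a real domain.
    print(probe(well_known_url("www.contoso.com"),
                opener=ScriptedOpener(301, location="https://contoso.com" + WELL_KNOWN_PATH)))
```

A 301 from www.contoso.com to contoso.com (or from http to https) is the typical way this check fails on a site that otherwise looks healthy in a browser, because browsers follow the redirect silently while Authenticator and the portal do not.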

Linked Domain made easy for developers

The easiest way for a developer to get a domain to use for Linked Domain is to use Azure Storage's static website feature. You can't control what the domain name will be, other than that it will contain your storage account name as part of its hostname.


Follow these steps to quickly set up a domain to use for Linked Domain:

  1. Create an Azure Storage account. During storage account creation, choose StorageV2 (general-purpose v2 account) and Locally redundant storage (LRS).
  2. Go to that Storage Account and select Static website in the left hand menu and enable static website. If you can't see the Static website menu item, you didn't create a V2 storage account.
  3. Copy the primary endpoint name that appears after saving. This value is your domain name. It looks something like https://<your-storageaccountname>.z6.web.core.windows.net/.

When it comes time to upload the did-configuration.json file, take the following steps:

  1. Go to that Storage Account and select Containers in the left hand menu. Then select the container named $web.
  2. Select Upload and select the folder icon to find your file.
  3. Before uploading, open the Advanced section and specify .well-known in the Upload to folder textbox.
  4. Upload the file.

You now have your file publicly available at a URL that looks something like https://<your-storageaccountname>.z6.web.core.windows.net/.well-known/did-configuration.json.

Next steps

  • How to customize your Microsoft Entra Verified ID

