Microsoft Entra Verified ID sample setup and deployment
Disclaimer: the source for this blog is MicrosoftDocs below but itis not complete (e.g. publish .json files to the internet) and contains some errors.
There is an error in de Rules JSON in the MicrosoftDocs, you can find the solution in my comment below from S-3-C-U-R-1-T-Y
https://github.com/MicrosoftDocs/azure-docs/issues/96603
The MicrosoftDocs will be updated the coming days (25–08–2022 is the time of writing).
The second error is the Verify section (dotnet build section).
https://github.com/MicrosoftDocs/azure-docs/issues/97560
Microsoft Entra is the (new) Microsoft multicloud Identity & Access portal to access:
- Azure (AD) Active Directory is the Microsoft Cloud Identity & Access Management solution
- Microsoft Entra Permissions Management is the Microsoft CIEM: Cloud Infrastructure (Azure AWS & GCP) Entitlement Management solution
- Microsoft Entra Verified ID is the user centric Identity solution from Microsoft based on Blockchain technology
This blog describes the Microsoft Entra Verified ID (previous Azure Active Directory Verifiable Credentials) from setup and deployment to usage via the Microsoft Authenticator app.
The three parties involved in the Verified ID solution are:
- The Issuer (e.g. work or school organization) can publish credential types (digitally signed credentials) to the User
- The Verifier can search (requires Trusted Domain) for published credential types (request proof and verify claim)
- The User is the individual or entity that receives and approves request for credentials signed with the user’s private key
Setup and deployment
This part is for the IT- or Security Admin.
The resource requirements for setting up Microsoft Entra Verified ID are:
- Public custom domain (e.g. S3cur1y.eu in our example)
- Azure Key Vault
- Verified ID (Azure AD - Global Administrator)
- GitHub Repository
- Azure Static Web Apps
- Azure Active Directory App Registration
Create an Azure Key Vault
The first step is to create an Azure Key Vault to store the public and private keys to sign and verify credentials.
Create an Access Policy with the permissions below and assign the policy to the Verified ID Admin that configures the Verified ID solution.
- Key Management Operations - Create
- Key Management Operations - Delete
- Cryptographic Operations - Sign
Create a second Access Policy with the permissions below and assign to the Verifiable Credentials Service Request service principal:
- Key Management Operations - Get
- Cryptographic Operations - Sign
Configure the Verified ID basics
Open Microsoft Entra (as Global Administrator) and select Verified ID
Enter the basic information:
- <OrganizationName> ; Name of the Organization
- <TrustedDomain> ; URL for the Trusted domain
- <KeyVault> ; name of the Azure Key Vault
The DID (Decentralized IDentifiers) needs to be associated (anchored) with the public domain so it becomes a Trusted domain. The procedure follows the Well-Known DID configuration specification. Microsoft provides the did.json (Website ID verification, example below) and did-configuration.json (Domain verification) files.
The two .json files can be 1) downloaded from the Domain section, 2) uploaded to GitHub and published to the internet (see URL below) via Azure Static Web App (see next chapter) and 3) verified via Verified ID.
GitHub
To publish the did.json and did-configuration.json to the internet we use Github and Azure Static Web Apps. In a new GitHub Repository we create and/or upload three files:
- index.html (empty file required for the build process)
- .well-known/did.json (keep in mind the subdirectory .well-known)
- .well-known/did-configuration.json
Create an Azure Static Web App
Create an Static Web App in Azure where we leverage GitHub for our content (index.html is required for the build process but not used) and the GitHub repository created above with did.json and did-configuration.json file.
The second step is to add a Custom domain (our public Domain) and use a CNAME that points to the <StaticAppURL>.1.azurestaticapps.net.
Add the CNAME Record in the public DNS domain administration for the required validation process.
Verify the Trusted Domain
To verify the Trusted Domain we need to create and verify:
- DID Registration
- Domain ownership verification
DID Registration
For the DID Registration we need to verify access to the did.json.
Basically the verification process tries to access the did.json via the server location above. The status is set to Registered if access is verified.
Domain ownership verification
For the Domain ownership verification we need the Key Vault Access Policy - Key Permissions - Cryptographic Operation ‘Sign' assigned to the user verifying the Domain ownership.
Verify Domain ownership via access to the server location and .json file. The status is set to Verified if access is verified.
The end result is both DID registration and Domain ownership verified.
Create an App Registration
Create an Azure Active Directory App Registration (service principal) with the account type below (Accounts in this organizational directory only).
Add the following API permissions to get the access tokens.
- APIs my organization uses
- Verifiable Credentials Service Request
- Application Permission: VerifiableCredential.Create.All
- Grant Admin consent for <tenant>
Create a secret and write down the Client ID, Tenant ID and Secret value for later use. The setup and deployment part is done. The next part is to create and issue Verified IDs.
Create and Issue Verified IDs
All details are written in the Issue Microsoft Entra Verified ID credentials from an application. I will cover some highlights (else the blog will be too long and too complex) with screen-prints from my Verified ID deployment.
The first step is to add a Verified ID Credential card.
The options are Verified employee or Custom credential (Verified Faculty and student are coming soon). We need to create a Custom credential with the value below
Name VerifiedCredentialExpert
Display definition
Rules definition
Example below
Click Create
The next step is to gather credential and environment details, select Issue credential and write down the <authorityURL> and <manifestURL>.
Application (dev)
The next step (dev part) is to download, configure, build and run the sample application (requires GIT, Visual Studio Code, .NET 5.0 and ngrok).
Download
git clone https://github.com/Azure-Samples/active-directory-verifiable-credentials-dotnet.git
Configure
Edit the details (TenantID, ClientID, Secret and the URLs from above) in theappsettings.json file via Visual Studio Code
Disclaimer: use the Endpoint (beta.did.msidentity.com) above and not the one in the Microsoft docs (verifiedid.did.msidentity.com) else the program will fail.
Build & Run
Build and run the sample application (Visual Studio Code or via the command-line dotnet.exe), see Microsoft link for details.
Pro-tip: my build process resulted in build errors (missing software)
My fix was to run the following command before the build command:
dotnet nuget add source --name nuget.org https://api.nuget.org/v3/index.json
dotnet build “AspNetCoreVerifiableCredentials.csproj” -c Debug -o .\\bin\\Debug\\netcoreapp3.
Use ngrok to publish the local application to the internet. Select Get Credential and the Microsoft Authenticator App to scan the QR code (see ngrok and application command output below).
Add the presented pin-code from the QR code screen in the Microsoft Authenticator and the Add a credential screen appears (layout as we designed in the initial steps).
Add to accept the Verified ID to the Microsoft Authenticator.
I hope this blog gives an example and overview of Verified ID (seeing is believing is my way of understanding technology). Thanks for reading (blog turned out longer than expected)
