Verification

Verify Microsoft Entra Verified ID verifiable credentials using the walt.id Verifier API. The credentials are requested using the OID4VP standard and can be presented using any compliant wallet (e.g., Microsoft Authenticator App, walt.id web wallet). Before we can verify credentials, we need to have the following in place:

  • Azure account with Microsoft Verified ID enabled.
  • Azure App - An Azure App to authenticate against the Microsoft APIs.

Next, we use the walt.id Verifier API to generate an OID4VC credential request URL, which can be rendered as a QR code or provided as a link for compliant wallets to scan or open. Once the wallet has processed the request, the user is asked to share the requested credential with the verifier.

Please make sure you set up a callback URL in the entra.conf before moving on with the verification. Learn more here.

Request

API Reference

CURL

Endpoint: /entra/verify

Example Request

curl -X 'POST' \
  'https://verifier.portal.walt.id/entra/verify' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "data": {
    "vc_policies": [
      "expired",
      "not-before",
      {
        "policy": "allowed-issuer",
        "args": "did:web:entra.walt.id"
      }
    ]
  },
  "entraVerification": {
    "authority": "<VerifierDID>",
    "authorization": {
      "clientId": "<clientId>",
      "clientSecret": "<clientSecret>",
      "tenantId": "<tenantId>",
      "scope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default"
    },
    "credentials": [
      {
        "purpose": "Test",
        "type": "VerifiedCredentialEmployeeID"
      }
    ]
  }
}
'

Body

{
  "data": {
    "vc_policies": [
      "expired",
      "not-before",
      {
        "policy": "allowed-issuer",
        "args": "did:web:entra.walt.id"
      }
    ]
  },
  "entraVerification": {
    "authority": "<VerifierDID>",
    "authorization": {
      "clientId": "<clientId>",
      "clientSecret": "<clientSecret>",
      "tenantId": "<tenantId>",
      "scope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default"
    },
    "credentials": [
      {
        "purpose": "Test",
        "type": "VerifiedCredentialEmployeeID"
      }
    ]
  }
}

Body Parameters

data - Holds a set of nested objects and lists to configure the verification request.

  • vc_policies: walt.id policies to apply in addition to Entra's default signature validation. Policies are provided as a list: a string if the policy takes no arguments, or an object if arguments are required.

entraVerification - An object holding the verifier DID, the authentication parameters needed by the Verifier API to interact with Microsoft's APIs, and a list of credentials to request and verify from users.

  • authority - Verifier DID. Must be a DID that your Azure account manages. The default DID can be found under "Organization Settings" when visiting the Verified ID overview page in Azure. Link.
  • authorization - Authentication parameters needed by the Verifier API to interact with Microsoft's APIs.
    • clientId - Found on the overview page of your registered app in Microsoft Azure. Guide.
    • clientSecret - Found in the Certificate & Secrets section of the registered app. Guide.
    • tenantId - Found under "Organization Settings" when visiting the Verified ID overview page in Azure. Link.
    • scope - Hardcoded value 3db474b9-6a0c-4840-96ac-1fceb342124f/.default
  • credentials: A list of objects describing the credentials to request from the user. Each object takes a purpose, which can be any string, and a type, which is the type of credential you want to request.

Example Response

The returned URL can be rendered as a QR code or provided as a link to the user to fulfill the credential request, e.g., with the Microsoft Authenticator App.

{
  "url": "openid-vc://?request_uri=https://verifiedid.did.msidentity.com/v1.0/tenants/a8671fa1-780f-4af1-8341-cd431da2c46d/verifiableCredentials/presentationRequests/ebb6d884-59d5-4cc1-858a-5e8ed8d80e63",
  "nonce": "1894a8cc-9cb3-4175-ae25-8501854a81bd"
}
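The following is an added example, not code from walt.id or Microsoft: it assembles the request body documented above and checks the returned link before it is rendered as a QR code. The function names are hypothetical, and the expected host and the assumption that the tenant segment of request_uri equals the configured tenantId are taken from the sample response on this page.

```python
from urllib.parse import parse_qs, urlsplit

ENTRA_SCOPE = "3db474b9-6a0c-4840-96ac-1fceb342124f/.default"  # fixed value from the page
EXPECTED_HOST = "verifiedid.did.msidentity.com"  # host in the page's sample response

def build_verify_request(authority, client_id, client_secret, tenant_id,
                         credential_type, purpose, allowed_issuer):
    """Build the /entra/verify body; load client_secret from a secret store, not source."""
    return {
        "data": {"vc_policies": [
            "expired", "not-before",
            {"policy": "allowed-issuer", "args": allowed_issuer},
        ]},
        "entraVerification": {
            "authority": authority,
            "authorization": {"clientId": client_id, "clientSecret": client_secret,
                              "tenantId": tenant_id, "scope": ENTRA_SCOPE},
            "credentials": [{"purpose": purpose, "type": credential_type}],
        },
    }

def check_verify_response(resp, tenant_id):
    """Return (request_uri, nonce) if the link looks as expected, else raise ValueError."""
    outer = urlsplit(resp["url"])
    if outer.scheme != "openid-vc":
        raise ValueError("unexpected wallet scheme: %r" % outer.scheme)
    uris = parse_qs(outer.query).get("request_uri", [])
    if len(uris) != 1:
        raise ValueError("expected exactly one request_uri")
    inner = urlsplit(uris[0])
    if inner.scheme != "https" or inner.hostname != EXPECTED_HOST:
        raise ValueError("request_uri is not on the expected Entra host")
    parts = inner.path.strip("/").split("/")
    # Assumed layout: v1.0/tenants/<tenantId>/verifiableCredentials/presentationRequests/<id>
    if len(parts) != 6 or parts[1] != "tenants" or parts[2].lower() != tenant_id.lower():
        raise ValueError("request_uri is not scoped to the configured tenant")
    if not resp.get("nonce"):
        raise ValueError("response carries no nonce")
    return uris[0], resp["nonce"]

# Sample response copied from this page; the tenant is the one in its request_uri.
SAMPLE = {
    "url": "openid-vc://?request_uri=https://verifiedid.did.msidentity.com/v1.0/tenants/a8671fa1-780f-4af1-8341-cd431da2c46d/verifiableCredentials/presentationRequests/ebb6d884-59d5-4cc1-858a-5e8ed8d80e63",
    "nonce": "1894a8cc-9cb3-4175-ae25-8501854a81bd",
}
SAMPLE_TENANT = "a8671fa1-780f-4af1-8341-cd431da2c46d"

if __name__ == "__main__":
    print(check_verify_response(SAMPLE, SAMPLE_TENANT))
```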