Microsoft Entra Verified ID for Small Businesses in Berlin
Traditional identity verification relies on credentials — passwords, tokens, certificates — that can be stolen, forged, or misused. Microsoft Entra Verified ID takes a fundamentally different approach: decentralized, cryptographically verifiable identity credentials that users own and control. For small businesses in Berlin, Verified ID enables trustworthy digital interactions with employees, partners, and customers without centralizing sensitive identity data.
Built on the W3C Verifiable Credentials standard and Microsoft’s decentralized identity infrastructure, Entra Verified ID is the enterprise-grade implementation of a concept that will reshape how digital identity is established — from employee background checks to customer onboarding.
What Is Entra Verified ID?
Entra Verified ID is a decentralized identity service based on open standards (W3C Verifiable Credentials, DID — Decentralized Identifiers). Instead of a centralized identity authority holding all verification data, the system works as follows:
- Issuer: An organization (e.g., your HR department, a university, a government body) issues a digitally signed credential to a user.
- Holder: The user stores the credential in their Microsoft Authenticator wallet.
- Verifier: Another organization requests proof of the credential — the user presents it, and the verifier cryptographically confirms its authenticity without contacting the issuer.
No data is stored centrally — the credential lives in the user’s wallet. The verifier only sees what the user chooses to share and can confirm it’s authentic without calling back to the issuer. This is the core privacy advantage of decentralized identity.
Core Use Cases for Small Businesses
Employee Credential Issuance
Issue verifiable employee credentials to your staff — a digitally signed assertion that this person is employed at your organization, holds a specific role, or has passed security training. External partners and vendors can verify the employee’s status without calling your HR department. When an employee leaves, you revoke the credential — instantly invalidating it across all verifiers.
Partner and Vendor Verification
When onboarding contractors or partners, request a Verified ID credential from their home organization. You verify their employment status and role without exchanging sensitive HR data. Particularly valuable for supply chain security and NIS2 compliance requirements around third-party risk management.
Face Check (Identity Verification)
Microsoft’s Face Check feature adds biometric liveness detection to Verified ID — confirming that the person presenting the credential matches the photo on file. This is the highest assurance level for remote identity verification, suitable for high-value account recovery, financial transaction authorization, or privileged access requests.
Self-Service Account Recovery
Traditional account recovery is a high-risk attack vector — social engineering of help desks accounts for a significant share of identity-related breaches. Verified ID with Face Check provides cryptographic assurance of identity during recovery, replacing the typical “what’s your mother’s maiden name” help desk interaction.
How Verified ID Works Technically
The technical flow involves three components working together:
- Microsoft Entra Verified ID service: Hosts the issuer configuration, revocation registry, and verification endpoints. Manages the DID documents published to the decentralized network.
- Microsoft Authenticator: The user’s credential wallet on their mobile device. Stores issued credentials and presents them when requested.
- Request Service API: Your application calls this API to initiate issuance or verification flows, generating QR codes or deep links that the Authenticator processes.
Credentials are signed with the issuer’s private key and anchored to the Microsoft Entra Verified ID service (no blockchain dependency for enterprise deployments). Revocation uses a status list mechanism — the verifier checks the issuer’s published status list to confirm the credential hasn’t been revoked.
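The status-list check described above, as an added example (not Microsoft's code): it assumes the W3C Status List 2021 encoding, a gzip-compressed, base64url-encoded bitstring with index 0 at the leftmost bit, which this page does not specify, and `encode_status_list`, the size limit and the indices are constructed for the demo. The verifier downloads the whole published list and tests one bit locally, so the issuer does not learn which credential was checked.

```python
import base64
import gzip
import io

MAX_LIST_BYTES = 1 << 20  # assumed limit: refuse lists that decompress beyond 1 MiB


def encode_status_list(revoked_indices, size_bits=131072):
    """Issuer side (constructed for the demo): build the published list."""
    bits = bytearray(size_bits // 8)
    for i in revoked_indices:
        bits[i // 8] |= 0x80 >> (i % 8)  # index 0 is the leftmost bit of byte 0
    packed = gzip.compress(bytes(bits))
    return base64.urlsafe_b64encode(packed).rstrip(b"=").decode()


def is_revoked(encoded_list, index):
    """Verifier side: decode the fetched list and test this credential's bit."""
    padded = encoded_list + "=" * (-len(encoded_list) % 4)
    raw = io.BytesIO(base64.urlsafe_b64decode(padded))
    with gzip.GzipFile(fileobj=raw) as stream:
        bits = stream.read(MAX_LIST_BYTES + 1)  # bounded read guards against gzip bombs
    if len(bits) > MAX_LIST_BYTES:
        raise ValueError("status list larger than the accepted maximum")
    if not 0 <= index < len(bits) * 8:
        raise ValueError("status index outside the published list")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


if __name__ == "__main__":
    published = encode_status_list({5, 4097})  # constructed revoked indices
    print(is_revoked(published, 5), is_revoked(published, 6))
```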
Setting Up Verified ID: Configuration Steps
Step 1: Enable Verified ID in Entra Admin Center
In the Entra Admin Center, go to Verified ID → Setup. Configure your organization’s DID, set up Azure Key Vault for key management (Verified ID uses Key Vault to sign credentials), and configure storage (Azure Blob Storage for credential metadata). The setup wizard guides you through each dependency.
Step 2: Create a Credential Type
Define what claims your credential will contain — e.g., employeeId, displayName, jobTitle, department. Credentials are defined as JSON schemas. Microsoft provides predefined credential types for common scenarios (VerifiedEmployee, VerifiedUser) that accelerate deployment.
Step 3: Configure Issuance
Set up the issuance flow — either self-service (employees request their own credentials via a portal) or automated (integrated with your HR system or Entra ID user attributes). The Request Service API call returns a QR code the employee scans with Authenticator.
Step 4: Build a Verification Flow
On the relying party side (the application that needs to verify credentials), call the Request Service API to generate a presentation request. Present this as a QR code or deep link. The user scans it with Authenticator, which shows them what claims will be shared and requests consent. The verified presentation is returned to your application.
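What the relying party should check when the verified presentation is returned, as an added example (not Microsoft's or the author's code): the field names `requestId`, `requestStatus`, `state`, `verifiedCredentialsData` and `credentialState` follow the Request Service API callback format and are not on this page. The `api-key` header name, issuer DID, secret and pending-session store are constructed assumptions.

```python
import hmac

# Constructed relying-party policy and secret (assumptions, not from the page).
ACCEPTED_ISSUERS = {"did:web:hr.partner.example"}
REQUIRED_TYPE = "VerifiedEmployee"
CALLBACK_API_KEY = "constructed-callback-secret"


def validate_callback(headers, body, pending):
    """Return the presented claims, or raise ValueError with the reason."""
    # 1. Authenticate the caller with the secret we put in the request's callback headers.
    sent = headers.get("api-key", "").encode()
    if not hmac.compare_digest(sent, CALLBACK_API_KEY.encode()):
        raise ValueError("callback not authenticated")
    # 2. Bind the callback to a presentation request this application started.
    state = body.get("state")
    if not isinstance(state, str) or pending.get(state) != body.get("requestId"):
        raise ValueError("unknown state or requestId")
    # 3. Accept only the final success event, not intermediate or error events.
    if body.get("requestStatus") != "presentation_verified":
        raise ValueError("presentation not verified")
    # 4. Enforce our own issuer, type and revocation policy on the result.
    for vc in body.get("verifiedCredentialsData", []):
        if REQUIRED_TYPE not in vc.get("type", []):
            continue
        if vc.get("issuer") not in ACCEPTED_ISSUERS:
            continue
        if vc.get("credentialState", {}).get("revocationStatus") != "VALID":
            raise ValueError("credential revoked")
        del pending[state]  # single use: a replayed callback now fails step 2
        return vc["claims"]
    raise ValueError("no required credential from a trusted issuer")


# Constructed sample callback body in the shape assumed above.
SAMPLE = {
    "requestId": "req-123", "requestStatus": "presentation_verified", "state": "sess-abc",
    "verifiedCredentialsData": [{
        "issuer": "did:web:hr.partner.example",
        "type": ["VerifiableCredential", "VerifiedEmployee"],
        "claims": {"displayName": "Erika Mustermann", "jobTitle": "Engineer"},
        "credentialState": {"revocationStatus": "VALID"},
    }],
}

if __name__ == "__main__":
    print(validate_callback({"api-key": CALLBACK_API_KEY}, SAMPLE, {"sess-abc": "req-123"}))
```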
Verified ID and NIS2 Compliance
NIS2 requires organizations to manage supply chain security risk — including the identity assurance of third-party access. Verified ID provides a documented, cryptographic verification mechanism for contractor and partner identities that satisfies the intent of NIS2 Article 21 supply chain security requirements. Each verification creates an audit record, providing evidence of identity due diligence.
Pricing and Licensing
Entra Verified ID is included at no additional cost in all Microsoft Entra ID plans (including Free). Face Check is priced per verification — Microsoft charges per Face Check transaction, making it practical for high-assurance scenarios without ongoing subscription overhead. Check Microsoft’s pricing page for current Face Check rates.
Conclusion: Credentials Your Partners Can Trust
Microsoft Entra Verified ID represents the next generation of enterprise identity verification — moving from “trust because we say so” to “verify cryptographically.” For Berlin SMBs operating in B2B supply chains, handling sensitive partner access, or looking to harden account recovery against social engineering, Verified ID provides a standards-based, privacy-preserving solution that scales from a single use case to enterprise-wide identity fabric.
IT Experts Berlin can help you design and implement Verified ID issuance and verification flows tailored to your business processes. Contact us for a consultation.
Related Articles
- Microsoft Entra External ID: Verified ID complements B2B collaboration — use Verified ID for cryptographic identity assurance when onboarding partners, and B2B guest access to manage their ongoing resource permissions
- Microsoft Entra PIM: Combine Verified ID with PIM for high-assurance privileged role activation — Face Check biometric verification before activating admin roles eliminates social engineering during privileged access requests
- Conditional Access: Integrate Verified ID presentation into Conditional Access flows — require verifiable credentials as an additional signal for access to high-sensitivity resources
