Entra Tenant Setup
Verified ID tenant setup
Entra Verified ID provides two options for setup: quick and advanced. Generally, quick setup is easier to use but comes with more restrictions on branding, credentials and rate limits. Advanced setup requires access to your organization's DNS records for validation and more technical expertise, but it will scale better in the long run.
For more details, please see the setup pages on Microsoft's doc site:
Quick Setup: https://learn.microsoft.com/en-us/entra/verified-id/verifiable-credentials-configure-tenant-quick
Advanced Setup: https://learn.microsoft.com/en-us/entra/verified-id/verifiable-credentials-configure-tenant
App Registration
Using the Microsoft-based TrueCredential authorization method requires that you make an app registration in your Entra tenant. This app registration can be used to make both issuance and presentation requests.
Please see https://learn.microsoft.com/en-us/entra/verified-id/verifiable-credentials-configure-tenant#register-an-application-in-microsoft-entra-id for detailed instructions on how to create your app registration.
When finished, you should end up with:
- client ID
- client secret
- scope (can be derived from client ID, but needs to be created in Entra first)
Also, please retrieve your verified ID decentralized identifier (DID). It should look like did:web:<tenantId>:<authorityId> if you did quick setup, or did:web:your-org-name.com if you did advanced setup.
API Authorization
First, get a token against the app registration you just created:
POST https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token
Make sure to use the x-www-form-urlencoded content type for the token request.
| Field name | Value |
|---|---|
| grant_type | client_credentials |
| scope | api://{{client_id}}/.default |
| client_id | {{client_id}} |
| client_secret | {{client_secret}} |
Create Issuance URL
Second, make a request to the createIssuanceUrl endpoint:
POST https://verifiedid.did.msidentity.com/beta/verifiableCredentials/createIssuanceUrl
Content-Type: application/json
Authorization: Bearer <token>
{
  "authority": "{{ your_authority_did }}",
  "issuerAuthority": "did:web:vc.true-credential.com",
  "credentialTypes": [ "VerifiedIdentity" ],
  "name": "Test",
  "logoUrl": "https://www.your-org.com/logo.png",
  "language": "en-us"
}
| Field name | Value |
|---|---|
| authority | The did:web: prefixed value uniquely identifying your Entra tenant, from above |
| issuerAuthority | The DID of the tenant you'd like to request a credential from. Should always be did:web:vc.true-credential.com |
| credentialTypes | Array of credential types. Should typically be a single element of type "VerifiedIdentity" |
| logoUrl | Optional field for you to provide your logo for custom branding. Coming soon. |
| language | Optional field for you to provide the locale to render the process in. Coming soon. |
The server should respond with HTTP 201 Created. You will receive an error if you don't have an active subscription. You will receive a response body like so:
{
  "issuanceUrl": "https://www.true-credential.com/api/wf/msmp/connect",
  "issuanceTokenId": "f1b530a4-5642-495b-bcf5-2e933d45e3a7"
}
To initiate the proofing flow, you'll need to send the user to a URL. Please use the following template to construct it: {{ issuanceUrl }}?tokenId={{ issuanceTokenId }}
For example: https://www.true-credential.com/api/wf/msmp/connect?tokenId=f1b530a4-5642-495b-bcf5-2e933d45e3a7
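The two requests and the URL template above, put together as an added Python example (not TrueCredential's or Microsoft's own code). The environment variable names are hypothetical, chosen so the client secret stays out of source code, and the https check on issuanceUrl is an added precaution rather than a documented requirement.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
ISSUANCE_API = "https://verifiedid.did.msidentity.com/beta/verifiableCredentials/createIssuanceUrl"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request, sent as x-www-form-urlencoded."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": f"api://{client_id}/.default",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL.format(tenant_id=tenant_id), data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def issuance_request(access_token, authority_did, name="Test"):
    """createIssuanceUrl request carrying the bearer token from the first step."""
    body = json.dumps({
        "authority": authority_did,
        "issuerAuthority": "did:web:vc.true-credential.com",
        "credentialTypes": ["VerifiedIdentity"],
        "name": name,
    }).encode()
    return urllib.request.Request(
        ISSUANCE_API, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {access_token}"})

def proofing_url(response_body):
    """Build issuanceUrl?tokenId=issuanceTokenId from the 201 response body."""
    data = json.loads(response_body)
    base, token_id = data["issuanceUrl"], data["issuanceTokenId"]
    if urllib.parse.urlsplit(base).scheme != "https":
        raise ValueError("issuanceUrl is not https; not sending the user there")
    return base + "?" + urllib.parse.urlencode({"tokenId": token_id})

def create_proofing_url():
    """Run both calls; reads the hypothetical ENTRA_* / VERIFIED_ID_DID variables."""
    env = os.environ
    with urllib.request.urlopen(token_request(
            env["ENTRA_TENANT_ID"], env["ENTRA_CLIENT_ID"],
            env["ENTRA_CLIENT_SECRET"])) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(issuance_request(token, env["VERIFIED_ID_DID"])) as resp:
        return proofing_url(resp.read())
```

urllib raises HTTPError for any non-2xx status, so a missing subscription surfaces as an exception from create_proofing_url() rather than as a malformed URL.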