Configuring Outcome: Entra ID Verified ID
Some functionality is limited. This article is subject to change as the feature develops and we make improvements.
At least one Entra ID integration must be enabled via HYPR. See Integrations for instructions on how to accomplish this step.
If you do not have a qualifying Entra ID integration, HYPR Affirm will display this message when you try to do anything:
Click Set Up Integration Now to open the Control Center Standard: Integrations options.
Click Cancel to return to HYPR Affirm.
For HYPR Affirm to work with the integration fully, the IdP must include the following attributes for all target users:
-
Username (UPN field for Entra ID and Username field for Okta)
-
Email Address
Depending on the specific verification flow configuration, HYPR Affirm requires the following additional attributes:
-
Mobile Phone Number (Phone Number Verification step)
-
First and Last Name (Identity Verification step)
-
Manager Information (Required if Approver type of Manager is set. Manager field for Entra ID and ManagerId field for Okta)
-
Street Address (Location step)
-
City (Location step)
-
State (Location step)
-
Postal Code (Location step. This is called Zip code in Okta)
-
Country Code (Location step)
The calls to perform CRUD operations and to test HYPR Affirm IdV flows can be found here in the HYPR Passwordless API collection.
Identity Verification (IdV) flow configuration where MS Entra Verified ID is used as a requester outcome is located in Administering HYPR Affirm.
First we must define the credential to be used; then we will assign it to the desired application and use some of the values to connect to the HYPR Control Center.
Define the Issuable Verifiable Credential in Entra ID
-
As an Entra ID user with administrative rights, search for Verified ID. Click the result of the same name to open the Verified ID Overview.
-
Click + Create Credential.
-
The following dialog opens. Choose Custom credential and click Next.
-
The Create a new credential dialog appears.
Complete the fields as follows:
-
Type Verified Credential Expert into Credential name
-
Copy the following code into the Display definition.
{
"locale": "en-US",
"card": {
"title": "Verified Credential Expert",
"issuedBy": "Microsoft",
"backgroundColor": "#000000",
"textColor": "#ffffff",
"logo": {
"uri": "https://didcustomerplayground.blob.core.windows.net/public/VerifiedCredentialExpert_icon.png",
"description": "Verified Credential Expert Logo"
},
"description": "Use your verified credential to prove to anyone that you know all about verifiable credentials."
},
"consent": {
"title": "Do you want to get your Verified Credential?",
"instructions": "Sign in with your account to get your card."
},
"claims": [
{
"claim": "vc.credentialSubject.firstName",
"label": "First name",
"type": "String"
},
{
"claim": "vc.credentialSubject.lastName",
"label": "Last name",
"type": "String"
}
]
} -
Copy the following code into the Rules definition field:
{
"attestations": {
"idTokenHints": [
{
"mapping": [
{
"outputClaim": "firstName",
"required": true,
"inputClaim": "$.given_name",
"indexed": false
},
{
"outputClaim": "lastName",
"required": true,
"inputClaim": "$.family_name",
"indexed": true
}
],
"required": false
}
]
},
"validityInterval": 2592000,
"vc": {
"type": [
"VerifiedCredentialExpert"
]
}
} -
Click Create when you are finished
-
-
A confirmation page displays. Continue to Obtaining Values for HYPR Affirm.
Obtaining Values for HYPR Affirm
-
If you are not already on the Verified ID page, browse to it.
-
Select Verified Credential Expert (or the name of your credential, if different).
-
Click Manage > Issue a credential in the left navigation menu.
-
From the Request body pane, Copy the
authority,type, andmanifestvalues; you only need some of the values presented for these attributes, as shown here:authority- Corresponds to the Authority ID field when configuring IdV Outcomes- Full value:
did:web:verifiedid.entra.microsoft.com:7e2d06b4-220c-43af-a13a-238094d0aba2:ac62242f-9858-34a8-99ae-1d5664466ac4 - Copy this part: ac62242f-9858-34a8-99ae-1d5664466ac4
- Full value:
type- Corresponds to the Type field when configuring IdV Outcomes- Full value:
Verified Credential Expert - Copy this part: Verified Credential Expert
- Full value:
manifest- Corresponds to the Manifest Contract ID field when configuring IdV Outcomes- Full value:
https://verifiedid.did.msidentity.com/v1.0/tenants/7e2d06b4-220c-43af-a13a-238094d0aba2/verifiableCredentials/contracts/555139eb-d5fd-8cbb-32b5-868fb12e11e7/manifest - Copy this part: 555139eb-d5fd-8cbb-32b5-868fb12e11e7
- Full value:
Configuration of Identity Verification (IdV) flows is described in Administering HYPR Affirm.
Assign Entra ID Application Permissions
-
Search for and open the application you wish to use with HYPR Affirm.
-
In the left navigation menu, click API Permissions.
-
Once on the API Permissions page, click + Add a permission.
-
Click the tab labeled APIs my organization uses, then use the filter to locate Verified Credentials Service Request. Click the credential to open it.
-
Verify the checkbox next to VerifiableCredential is checked, then click Add permissions.
It may be necessary to grant all three permissions (Verifiable Credentials Service, Verifiable Credentials Service Admin, and Verifiable Credentials Service Request) in both Delegated permissions and Application permissions if the Verified ID initially does not work properly with HYPR. To do this, go to the API permissions list and click Grant admin consent for [Entra ID tenant name] next to Add a permission.