
Microsoft Entra Verified ID Face Check: Biometric Trust Tool

Microsoft Entra Verified ID empowers users to manage their data with verifiable credentials, offering secure, decentralized identity solutions. Explore tutorials, APIs, and setup guides to issue and verify credentials, customize them, and integrate Face Check, all detailed in the comprehensive documentation. Ideal for developers and businesses building privacy-focused identity systems.
Microsoft Entra Verified ID Face Check: Revolutionizing High-Assurance Identity Verification
What Is Microsoft Entra Verified ID Face Check?
Microsoft Entra Verified ID Face Check is a premium feature within the Microsoft Entra ecosystem, launched as part of Microsoft’s broader identity and access management suite. Unlike traditional authentication methods, Face Check introduces privacy-respecting facial matching to perform high-assurance identity verifications securely and at scale. Powered by Azure AI Vision Face API, it matches a user’s real-time selfie against a trusted photo from a verifiable credential, ensuring the person claiming an identity is genuine. Built for enterprises, this tool adds a critical trust layer without compromising user privacy, sharing only a confidence score rather than sensitive biometric data. It’s a cornerstone of Microsoft’s push into decentralized identity solutions, showcased at events like Microsoft Build.
How Does It Work?
Face Check leverages a cloud-based system integrating Microsoft Entra Verified ID with Azure AI services. It’s designed for seamless setup and use within enterprise tenants. Here’s a breakdown of its workflow:
- Setup: Enable the Face Check Add-on via the Microsoft Entra Admin Center or Azure Resource Manager (ARM) REST API, linking an Azure subscription.
- Credential Issuance: A verifiable credential (e.g., VerifiedEmployee or custom credential) with a photo is issued using tools like MyAccount or the Request Service API.
- Verification Request: An app sends a presentation request, specifying a photo claim and optional confidence threshold (50–100, default 70).
- Facial Matching: The user takes a selfie in Microsoft Authenticator; it is compared in the cloud against the credential’s photo, with Azure Face API liveness checks.
- Result Delivery: A confidence score (e.g., 86.31%) is returned to the app, with no raw biometric data shared. If the score is below the threshold, verification fails with an error message.
This process ensures secure identity confirmation while keeping data ephemeral—selfies are discarded post-processing, not stored or shared.
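The verification request and result delivery steps above, as an added example (not code from Microsoft or from the original page): a relying party builds a Face Check presentation request, then evaluates the callback and fails closed when the score is missing or below its own threshold. Field names follow the Request Service API; the DIDs, URLs, the "photo" claim name and the sample callback are constructed placeholders.

```python
import hmac
import secrets

MIN_T, MAX_T, DEFAULT_T = 50, 100, 70  # threshold range and default stated above

def build_presentation_request(authority, cred_type, issuer, callback_url, threshold=DEFAULT_T):
    """Return (payload, state); payload is trimmed to the fields Face Check depends on."""
    if not MIN_T <= threshold <= MAX_T:
        raise ValueError(f"threshold must be within {MIN_T}-{MAX_T}")
    state = secrets.token_urlsafe(32)  # unguessable value echoed back in the callback
    payload = {
        "authority": authority,
        "callback": {"url": callback_url, "state": state},
        "requestedCredentials": [{
            "type": cred_type,
            "acceptedIssuers": [issuer],
            "configuration": {"validation": {"faceCheck": {
                "sourcePhotoClaimName": "photo",  # assumed name of the photo claim
                "matchConfidenceThreshold": threshold,
            }}},
        }],
    }
    return payload, state

def evaluate_callback(event, expected_state, cred_type, threshold=DEFAULT_T):
    """Fail closed: accept only a verified presentation whose score meets our threshold."""
    got = str(event.get("state", "")).encode()
    if not hmac.compare_digest(got, expected_state.encode()):
        return False, "state mismatch"
    if event.get("requestStatus") != "presentation_verified":
        return False, "not verified"
    for cred in event.get("verifiedCredentialsData", []):
        if cred_type not in cred.get("type", []):
            continue
        score = cred.get("faceCheck", {}).get("matchConfidenceScore")
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            return False, "no face check score"  # a missing score is never a pass
        return score >= threshold, f"score {score:.2f}"
    return False, "credential missing"

# Constructed sample callback, not captured traffic; 86.31 is the example score above.
SAMPLE_PAYLOAD, SAMPLE_STATE = build_presentation_request(
    "did:web:verifier.example", "VerifiedEmployee", "did:web:issuer.example",
    "https://rp.example/api/callback")
SAMPLE_EVENT = {
    "requestStatus": "presentation_verified", "state": SAMPLE_STATE,
    "verifiedCredentialsData": [{"type": ["VerifiableCredential", "VerifiedEmployee"],
                                 "faceCheck": {"matchConfidenceScore": 86.31}}],
}
```

Re-checking the score on the relying-party side lets a high-value flow apply a stricter threshold than the one sent in the request.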
Features
Face Check stands out with a robust set of capabilities, as detailed in Microsoft’s documentation and validated by its enterprise focus:
- Privacy-Respecting Matching: Shares only a confidence score, not biometric data, enhancing user privacy protection.
- High-Assurance Verification: Uses facial matching technology to confirm identities with precision, ideal for sensitive scenarios.
- Scalability: Supports enterprise-wide deployment via tenant-level configuration, handling verifications at scale.
- Customizable Thresholds: Adjust confidence levels (50–100) to balance security and usability in identity verification workflows.
- Liveness Detection: Prevents spoofing with Azure AI liveness checks, ensuring a real person is present.
- Integration Flexibility: Works with MyAccount, Authenticator, or custom credential APIs for versatile application.
Recent previews of the ARM REST API suggest ongoing enhancements to streamline setup and management.
Pros and Cons
Pros:
- Security: Bolsters trust with biometric verification at scale, reducing impersonation risks.
- Privacy: Protects users by not storing or sharing selfies, aligning with data privacy standards.
- Ease of Use: Simplifies setup via Admin Center or API, integrating with Microsoft Entra ecosystems.
- Versatility: Supports diverse credentials (e.g., VerifiedEmployee, government IDs) for multi-scenario authentication.
- Reliability: iBeta Level 2 conformance ensures resistance to presentation attacks.
Cons:
- Premium Cost: Requires a Face Check Add-on subscription, adding to enterprise identity costs.
- Setup Complexity: Needs Azure subscription linking and contributor roles, potentially daunting for smaller teams.
- Appearance Sensitivity: Changes in user appearance (e.g., haircuts) may lower scores, impacting verification success rates.
- Authenticator Dependency: Limited to Microsoft Authenticator, restricting non-Microsoft wallet compatibility.
- Preview Limitations: Some features, like ARM API, are in public preview, possibly with unresolved bugs.
Use Cases
Face Check’s versatility shines in real-world enterprise applications, with examples drawn from Microsoft’s documentation:
- Remote Onboarding: Verify new employees by matching selfies to HR-issued VerifiedEmployee credentials, enabling secure remote starts.
- Helpdesk Self-Service: Confirm identities for password resets or passkey activation using Face Check verification, cutting support time.
- High-Value Access: Secure access to sensitive data or transactions with trusted identity checks, ideal for finance or healthcare.
- Custom Credential Verification: Match selfies to custom credentials (e.g., contractor IDs) for tailored security protocols.
- Entitlement Management: Integrate with Microsoft Entra to validate user privileges via scalable biometric checks.
These scenarios highlight Face Check’s ability to replace manual verification, positioning it as a game-changer for enterprise trust and efficiency.
Summary
Microsoft Entra Verified ID Face Check marks a bold step in decentralized identity verification, blending Azure AI innovation with enterprise-grade security. Its ability to perform privacy-first facial matching at scale sets it apart from traditional biometric tools like Face ID, though its premium nature and setup requirements may limit broader adoption. For organizations needing high-assurance trust layers—from onboarding to sensitive access control—Face Check offers a glimpse into a future where identity is both secure and user-centric. Ready to explore? Enable it in your Microsoft Entra tenant and test it with MyAccount—your enterprise’s trust upgrade awaits.