Merge pull request #187640 from barclayn/eu-data

adding the FAQ entry

Author: ShannonLeavitt

articles/active-directory/verifiable-credentials/TOC.yml

@@ -5,6 +5,8 @@
   items:
   - name: Introduction to Azure Active Directory Verifiable Credentials
     href: decentralized-identifier-overview.md
+  - name: What's new
+    href: whats-new.md
 - name: Tutorials
   expanded: true
   items:
@@ -52,8 +54,6 @@
 - name: Reference
   expanded: true
   items:
-  - name: What's new
-    href: whats-new.md
   - name: Issuance API specification
     href: issuance-request-api.md
   - name: Presentation API specification

articles/active-directory/verifiable-credentials/media/verifiable-credentials-faq/identity-hub.png

@@ -6,7 +6,7 @@ manager: karenhoran
 ms.service: active-directory
 ms.subservice: verifiable-credentials
 ms.topic: conceptual
-ms.date: 04/01/2021
+ms.date: 02/08/2022
 ms.author: barclayn
 # Customer intent: As a developer I am looking for information on how to enable my users to control their own information 
 ---
@@ -38,7 +38,7 @@ Individuals owning and controlling their identities are able to exchange verifia
 
 ### What is a Verifiable Credential? 
 
-Credentials are a part of our daily lives; driver's licenses are used to assert that we are capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. Verifiable Credentials provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. [The W3C Verifiable Credentials spec](https://www.w3.org/TR/vc-data-model//) explains this in further detail.
+Credentials are a part of our daily lives; driver's licenses are used to assert that we're capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. Verifiable Credentials provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. [The W3C Verifiable Credentials spec](https://www.w3.org/TR/vc-data-model//) explains this in further detail.
 
 
 ## Conceptual questions
@@ -49,32 +49,84 @@ There are multiple ways of offering a recovery mechanism to users, each with the
 
 ### How can a user trust a request from an issuer or verifier? How do they know a DID is the real DID for an organization?
 
-We have implemented [the Decentralized Identity Foundation's Well Known DID Configuration spec](https://identity.foundation/.well-known/resources/did-configuration/) in order to connect a DID to a highly known existing system, domain names. Each DID created using the  Azure Active Directory Verifiable Credentials has the option of including a root domain name that will be encoded in the DID Document. Follow the article titled [Link your Domain to your Distributed Identifier](how-to-dnsbind.md) to learn more.  
+We implement [the Decentralized Identity Foundation's Well Known DID Configuration spec](https://identity.foundation/.well-known/resources/did-configuration/) in order to connect a DID to a highly known existing system, domain names. Each DID created using the  Azure Active Directory Verifiable Credentials has the option of including a root domain name that will be encoded in the DID Document. Follow the article titled [Link your Domain to your Distributed Identifier](how-to-dnsbind.md) to learn more.  
 
 ### Why does the Verifiable Credential preview use ION as its DID method, and therefore Bitcoin to provide decentralized public key infrastructure?
 
-ION is a decentralized, permissionless, scalable decentralized identifier Layer 2 network that runs atop Bitcoin. It achieves scalability without including a special cryptoasset token, trusted validators, or centralized consensus mechanisms. We use Bitcoin for the base Layer 1 substrate because of the strength of the decentralized network to provide a high degree of immutability for a chronological event record system.
+ION is a decentralized, permissionless, scalable decentralized identifier Layer 2 network that runs atop Bitcoin. It achieves scalability without including a special crypto asset token, trusted validators, or centralized consensus mechanisms. We use Bitcoin for the base Layer 1 substrate because of the strength of the decentralized network to provide a high degree of immutability for a chronological event record system.
 
 ## Using the preview
 
-### Why must I use NodeJS for the Verifiable Credentials preview? Any plans for other programming languages? 
-
-We chose NodeJS because it is a very popular platform for application developers. We will be releasing a Rest API that will allow the developers to issue and verify credentials. 
-
 ### Is any of the code used in the preview open source?
 
 Yes! The following repositories are the open-sourced components of our services.
 
 1. [SideTree, on GitHub](https://github.com/decentralized-identity/sidetree)
-2. The [VC SDK for Node, on GitHub](https://github.com/microsoft/VerifiableCredentials-Verification-SDK-Typescript)
-3. An [Android SDK for building decentralized identity wallets, on GitHub](https://github.com/microsoft/VerifiableCredential-SDK-Android)
-4. An [iOS SDK for building decentralized identity wallets, on GitHub](https://github.com/microsoft/VerifiableCredential-SDK-iOS)
+1. An [Android SDK for building decentralized identity wallets, on GitHub](https://github.com/microsoft/VerifiableCredential-SDK-Android)
+1. An [iOS SDK for building decentralized identity wallets, on GitHub](https://github.com/microsoft/VerifiableCredential-SDK-iOS)
 
 
-## What are the licensing requirements?
+### What are the licensing requirements?
 
 An Azure AD P2 license is required to use the preview of Verifiable Credentials. This is a temporary requirement, as we expect pricing for this service to be billed based on usage. 
 
+### How do I reconfigure the Azure AD Verifiable credentials service?
+
+Reconfiguration requires that you opt out and opt back into the Azure Active Directory Verifiable Credentials service, your existing verifiable credentials configurations will reset and your tenant will obtain a new DID forAc use during issuance and presentation.
+
+1. Follow the [opt-out](how-to-opt-out.md) instructions.
+1. Go over the Azure Active Directory Verifiable credentials [deployment steps](verifiable-credentials-configure-tenant.md) to reconfigure the service.
+    1. If you are in the European region, it's recommended that your Azure Key Vault and container are in the same European region otherwise you may experience some performance and latency issues. Create new instances of these services in the same EU region as needed.
+1. Finish [setting up](verifiable-credentials-configure-tenant.md#set-up-verifiable-credentials) your verifiable credentials service. You need to recreate your credentials.
+    1. If your tenant needs to be configured as an issuer, it's recommended that your storage account is in the European region as your Verifiable Credentials service.
+    2. You also need to issue new credentials because your tenant now holds a new DID.
+
+### How can I check my Azure AD Tenant's region?
+
+1. In the [Azure portal](https://portal.azure.com), go to Azure Active Directory for the subscription you use for your Azure Active Directory Verifiable credentials deployment.
+1. Under Manage, select Properties
+    :::image type="content" source="media/verifiable-credentials-faq/region.png" alt-text="settings delete and opt out":::
+1. See the value for Country or Region. If the value is a country or a region in Europe, your Azure AD Verifiable Credentials service will be set up in Europe.
+
+### How can I check if my tenant has the new Hub endpoint?
+
+1. In the Azure portal, go to the Verifiable Credentials service.
+1. Navigate to the Organization Settings. 
+1. Copy your organization’s Decentralized Identifier (DID). 
+1. Go to the ION Explorer and paste the DID in the search box 
+1. Inspect your DID document and search for the ` “#hub” ` node.
+
+```json
+ "service": [
+      {
+        "id": "#linkeddomains",
+        "type": "LinkedDomains",
+        "serviceEndpoint": {
+          "origins": [
+            "https://contoso.com/"
+          ]
+        }
+      },
+      {
+        "id": "#hub",
+        "type": "IdentityHub",
+        "serviceEndpoint": {
+          "instances": [
+            "https://beta.hub.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000"
+          ],
+          "origins": []
+        }
+      }
+    ],
+```
+
+### If I reconfigure the Azure AD Verifiable Credentials service, do I need to re-link my DID to my domain?
+
+Yes, after reconfiguring your service, your tenant has a new DID use to issue and verify verifiable credentials. You need to [associate your new DID](how-to-dnsbind.md) with your domain.
+
+### Is it possible to request Microsoft to retrieve "old DIDs"?
+
+No, at this point it is not possible to keep your tenant's DID after you have opt-out of the service.
 
 ## Next steps
 

articles/active-directory/verifiable-credentials/media/verifiable-credentials-faq/region.png

@@ -6,7 +6,8 @@ manager: karenhoran
 ms.service: active-directory
 ms.subservice: verifiable-credentials
 ms.topic: reference
-ms.date: 10/08/2021
+ms.date: 02/08/2022
+ms.custom: references_regions
 ms.author: barclayn
 
 #Customer intent: As an Azure AD Verifiable Credentials issuer, verifier or developer, I want to know what's new in the product so that I can make full use of the functionality as it becomes available.
@@ -17,6 +18,91 @@ ms.author: barclayn
 
 This article lists the latest features, improvements, and changes in the Azure Active Directory (Azure AD) Verifiable Credentials service.
 
+## February 2022
+
+We are rolling out some important updates to our service that are breaking changes and require Azure AD Verifiable Credentials service reconfiguration.
+
+- The Azure AD Verifiable Credentials service can now store and handle data processing in the Azure European region. [More information](whats-new.md?#azure-ad-verifiable-credentials-available-in-europe)
+- Azure AD Verifiable Credentials customers can take advantage of enhancements to credential revocation that add a higher degree of privacy through the implementation of the [W3C Status List 2021](https://w3c-ccg.github.io/vc-status-list-2021/) standard. [Read more](whats-new.md?#credential-revocation-with-enhanced-privacy)
+
+>[!IMPORTANT]
+> All Azure AD Verifiable Credential customers receiving a banner notice in the Azure portal need to go through a service reconfiguration before March 31st 2022. On March 31st 2022 tenants that have not been reconfigured will lose access to any previous configuration and will require to configure a new instance of the Azure AD Verifiable Credential service. Learn more about how to [reconfigure your tenant](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service).
+
+### Azure AD Verifiable Credentials available in Europe
+
+Since the Azure AD Verifiable Credentials service's Public Preview rollout, the service has been available in our Azure North America region. Now, the service is also available in our Azure European region. Customers with Azure AD tenants setup in Europe will have Verifiable Credentials data located and processed in our Azure Europe region. Customers with Azure AD tenants setup in Europe who start using the Azure AD Verifiable Credentials service after February 15, 2022, will automatically have their data processed in Europe and don't need to take any further actions. Customers with Azure AD tenants setup in Europe that started using the Azure AD Verifiable Credentials service before February 15, 2022, are required to reconfigure the service on their tenants before March 31, 2022.
+
+Take the following steps to configure the Verifiable Credentials service in Europe:
+1. [Check the location](verifiable-credentials-faq.md#how-can-i-check-my-azure-ad-tenants-region) of your Azure Active Directory to make sure is in Europe.
+1. [Reconfigure the Verifiable Credentials service](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service) in your tenant. 
+
+>[!IMPORTANT]
+> On March 31st, 2022 European tenants that have not been [reconfigured](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service) in Europe will lose access to any previous configuration and will require to configure a new instance of the Azure AD Verifiable Credential service.
+
+#### Are there any changes to the way that we use the Request API as a result of this move?
+
+Applications that use the Azure Active Directory Verifiable Credentials service must use the Request API endpoint that corresponds to their Azure AD tenant's region.  
+
+| Tenant region | Request API endpoint POST |
+|------------|-------------------|
+| Europe | https://beta.eu.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request |
+| Non-EU | https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request  |
+
+To confirm which endpoint you should use, we recommend checking your Azure AD tenant's region as described above. If the Azure AD tenant is in the EU, you should use the Europe endpoint.  
+
+### Credential Revocation with Enhanced Privacy
+
+The Azure AD Verifiable Credential service supports the [W3C Status List 2021](https://w3c-ccg.github.io/vc-status-list-2021/) standard. Each Issuer tenant will have an [Identity Hub](https://identity.foundation/identity-hub/spec/) endpoint that is used by verifiers to check on the status of a credential using a privacy-respecting mechanism. The identity hub endpoint for the tenant is also published in the DID document. This feature replaces the current status endpoint.
+
+To uptake this feature follow the next steps:
+1. [Check if your tenant has the Hub endpoint](verifiable-credentials-faq.md#how-can-i-check-if-my-tenant-has-the-new-hub-endpoint).
+    1. If so, go to the next step.
+    1. If not, [reconfigure the Verifiable Credentials service](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service) in your tenant and go to the next step.
+1. Create new verifiable credentials contracts. In the rules file you must add the ` "credentialStatusConfiguration": "anonymous" ` property to start using the new feature in combination with the Hub endpoint for your credentials:
+
+Sample contract file:
+``` json 
+{
+  "attestations": {
+    "idTokens": [
+      {
+        "id": "https://self-issued.me",
+        "mapping": {
+          "firstName": { "claim": "$.given_name" },
+          "lastName": { "claim": "$.family_name" }
+        },
+        "configuration": "https://self-issued.me",
+        "client_id": "",
+        "redirect_uri": ""
+      }
+    ]
+  },
+  "validityInterval": 2592001,
+"credentialStatusConfiguration": "anonymous",
+  "vc": {
+    "type": [ "VerifiedCredentialExpert" ]
+  }
+} 
+```
+3. You have to issue new verifiable credentials using your new configuration. All verifiable credentials previously issued will continue to exist as your previous DID will remain resolvable however, they use the previous status endpoint implementation.
+
+>[!IMPORTANT]
+> Reconfiguring the Azure AD Verifiable Credentials service is required so that the new Identity Hub service endpoint can be created for the tenant. Tenants have until March 31st 2022, to schedule and manage the reconfiguration of the Verifiable Vredential service. On March 31st, 2022 tenants that have not been reconfigured will lose access to any previous configuration and will require to configure a new instance of the Azure AD Verifiable Credential service.
+
+
+## December 2021
+
+- We added [Postman collections](https://github.com/Azure-Samples/active-directory-verifiable-credentials/tree/main/Postman) to our samples as a quick start to start using the Request Service REST API.
+- New sample added that demonstrates the integration of [Azure AD Verifiable Credentials with Azure AD B2C](https://github.com/Azure-Samples/active-directory-verifiable-credentials/tree/main/B2C).
+- Fastrack setup sample for setting up the Azure AD Verifiable Credentials services using [PowerShell and an ARM template](https://github.com/Azure-Samples/active-directory-verifiable-credentials/tree/main/ARM).
+- Sample Verifiable Credential configuration files to show sample cards for [IDToken](https://github.com/Azure-Samples/active-directory-verifiable-credentials/tree/main/CredentialFiles/IDToken), [IDTokenHit](https://github.com/Azure-Samples/active-directory-verifiable-credentials/tree/main/CredentialFiles/IDTokenHint) and [Self-attested](https://github.com/Azure-Samples/active-directory-verifiable-credentials/tree/main/CredentialFiles/IDTokenHint) claims.
+
+## November 2021
+
+- We made updates to the Request Service REST API for [issuance](issuance-request-api.md?#callback-type) and [presentation](presentation-request-api.md?#callback-type)
+Callback types enforcing rules so that URL endpoints for callbacks are reachable.
+- UX updates to the Microsoft Authenticator verifiable credentials experience: Animations on card selection from the wallet.
+
 ## October 2021
 
 You can now use [Request Service REST API](get-started-request-api.md) to build applications that can issue and verify credentials from any programming language you're using. This new REST API provides an improved abstraction layer and integration to the Azure AD Verifiable Credentials Service.