Commit 581642a

Merge pull request #207681 from cljung/cljung-vc-post-ga-08
Verified ID post GA corrections/updates
2 parents 0001962 + 44e492d commit 581642a

40 files changed

+87
-162
lines changed

articles/active-directory/verifiable-credentials/TOC.yml

Lines changed: 4 additions & 4 deletions
@@ -10,11 +10,11 @@
1010
- name: Tutorials
1111
expanded: true
1212
items:
13-
- name: Set up the Verifiable Credentials service
13+
- name: Set up the Verified ID service
1414
href: verifiable-credentials-configure-tenant.md
1515
- name: Issue a verifiable credential
1616
href: verifiable-credentials-configure-issuer.md
17-
- name: Verify a Verifiable Credential
17+
- name: Verify a verifiable credential
1818
href: verifiable-credentials-configure-verifier.md
1919
- name: Concepts
2020
expanded: true
@@ -52,9 +52,9 @@
5252
href: how-to-dnsbind.md
5353
- name: Register your website ID
5454
href: how-to-register-didwebsite.md
55-
- name: Revoke a Verifiable Credential
55+
- name: Revoke a verifiable credential
5656
href: how-to-issuer-revoke.md
57-
- name: Opt out of verifiable credentials
57+
- name: Opt out of Verified ID service
5858
href: how-to-opt-out.md
5959
- name: Samples
6060
expanded: true
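Review bot: The new entry `Opt out of Verified ID service` at line 57 drops the article. `Opt out of the Verified ID service` reads correctly and matches `Set up the Verified ID service`, added at line 13 of this same file.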

articles/active-directory/verifiable-credentials/credential-design.md

Lines changed: 1 addition & 5 deletions
@@ -20,10 +20,6 @@ Verifiable credentials definitions are made up of two components, *display* defi
2020

2121
This article explains how to modify both types of definitions to meet the requirements of your organization.
2222

23-
> [!IMPORTANT]
24-
> Microsoft Entra Verified ID is currently in preview. This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
25-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
26-
2723
## Display definition: wallet credential visuals
2824

2925
Microsoft Entra Verified ID offer a limited set of options that can be used to reflect your brand. This article provides instructions how to customize your credentials, and best practices for designing credentials that look great after they're issued to users.
@@ -98,7 +94,7 @@ The rules definition is a simple JSON document that describes important properti
9894

9995
### Attestations
10096

101-
The following four attestation types are currently available to be configured in the rules definition. They're used by the verifiable credential issuing service to insert claims into a verifiable credential and attest to that information with your decentralized identifier (DID).
97+
The following four attestation types are currently available to be configured in the rules definition. They are different ways of providing claims used by the Entra verified ID issuing service to be inserted into a verifiable credential and attest to that information with your decentralized identifier (DID). Multiple attestation types can be used in the rules definition.
10298

10399
* **ID token**: When this option is configured, you'll need to provide an Open ID Connect configuration URI and include the claims that should be included in the verifiable credential. Users are prompted to 'Sign in' on the Authenticator app to meet this requirement and add the associated claims from their account. To configure this option, see this [how to guide](how-to-use-quickstart-idtoken.md)
104100
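Review bot: The sentence added at line 97 is hard to parse ("different ways of providing claims used by the Entra verified ID issuing service to be inserted into a verifiable credential and attest to that information") and writes the product name as `Entra verified ID`, while the context line at 25 uses `Microsoft Entra Verified ID`. Suggest: "Each type is a different way of supplying the claims that the Microsoft Entra Verified ID issuing service inserts into a verifiable credential and attests to with your decentralized identifier (DID)."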

articles/active-directory/verifiable-credentials/decentralized-identifier-overview.md

Lines changed: 0 additions & 5 deletions
@@ -17,11 +17,6 @@ ms.reviewer:
1717

1818
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
1919

20-
> [!IMPORTANT]
21-
> Microsoft Entra Verified ID is currently in public preview.
22-
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
23-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
24-
2520
Our digital and physical lives are increasingly linked to the apps, services, and devices we use to access a rich set of experiences. This digital transformation allows us to interact with hundreds of companies and thousands of other users in ways that were previously unimaginable.
2621

2722
But identity data has too often been exposed in security breaches. These breaches affect our social, professional, and financial lives. Microsoft believes that there’s a better way. Every person has a right to an identity that they own and control, one that securely stores elements of their digital identity and preserves privacy. This primer explains how we are joining hands with a diverse community to build an open, trustworthy, interoperable, and standards-based Decentralized Identity (DID) solution for individuals and organizations.

articles/active-directory/verifiable-credentials/get-started-request-api.md

Lines changed: 2 additions & 5 deletions
@@ -19,9 +19,6 @@ ms.author: barclayn
1919

2020
Microsoft Entra Verified ID includes the Request Service REST API. This API allows you to issue and verify credentials. This article shows you how to start using the Request Service REST API.
2121

22-
> [!IMPORTANT]
23-
> The Request Service REST API is currently in preview. This preview version is provided without a service level agreement, and you can occasionally expect breaking changes and deprecation of the API while in preview. The preview version of the API isn't recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
24-
2522
## API access token
2623

2724
Your application needs to include a valid access token with the required permissions so that it can access the Request Service REST API. Access tokens issued by the Microsoft identity platform contain information (scopes) that the Request Service REST API uses to validate the caller. An access token ensures that the caller has the proper permissions to perform the operation they're requesting.
@@ -288,7 +285,7 @@ To issue or verify a verifiable credential, follow these steps:
288285
289286
1. Submit the request to the Request Service REST API.
290287
291-
The Request Service API returns a HTTP Status Code `201 Created` on a successful call. If the API call returns an error, please check the [error reference documentation](error-codes.md). //TODO
288+
The Request Service API returns an HTTP Status Code `201 Created` on a successful call. If the API call returns an error, please check the [error reference documentation](error-codes.md). //TODO
292289
293290
## Issuance request example
294291
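Review bot: The replacement line at 288 still ends with a stray `//TODO` after the error-reference link, which will show up as literal text in the published article. Since the line is already being touched for the `a HTTP` to `an HTTP` fix, remove the marker here or resolve whatever it was tracking.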
@@ -313,7 +310,7 @@ Authorization: Bearer <token>
313310
"clientName": "Verifiable Credential Expert Sample"
314311
},
315312
"type": "VerifiedCredentialExpert",
316-
"manifestUrl": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert1",
313+
"manifest": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert1",
317314
"pin": {
318315
"value": "3539",
319316
"length": 4

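Review bot: Renaming `manifestUrl` to `manifest` at line 313 changes a property name in a request payload that readers will copy, but the commit message only mentions corrections and nothing in the hunk says which name the Request Service REST API accepts. Please confirm the name against the API specification and check that the payload reference and the other samples use the same property, so the example and the reference stay consistent.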
articles/active-directory/verifiable-credentials/how-to-create-a-free-developer-account.md

Lines changed: 0 additions & 4 deletions
@@ -16,10 +16,6 @@ ms.author: barclayn
1616

1717
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
1818

19-
> [!IMPORTANT]
20-
> Microsoft Entra Verified ID is currently in preview. This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
21-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
22-
2319
> [!NOTE]
2420
> The requirement of an Azure Active Directory (Azure AD) P2 license was removed in early May 2001. The Azure AD Free tier is now supported.
2521
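Review bot: The unchanged NOTE directly under the removed preview banner (new line 20) says the Azure AD P2 license requirement "was removed in early May 2001", which looks like a typo for a later year. It is worth correcting while this block is being edited.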

articles/active-directory/verifiable-credentials/how-to-dnsbind.md

Lines changed: 3 additions & 9 deletions
@@ -17,12 +17,6 @@ ms.author: barclayn
1717

1818
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
1919

20-
> [!IMPORTANT]
21-
> Microsoft Entra Verified ID is currently in public preview.
22-
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
23-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
24-
25-
2620
## Prerequisites
2721

2822
To link your DID to your domain, you need to have completed the following.
@@ -111,8 +105,8 @@ It is of high importance that you link your DID to a domain recognizable to the
111105

112106
## How do you update the linked domain on your DID?
113107

114-
1. Navigate to the Verifiable Credentials | Getting Started page.
115-
1. On the left side of the page, select **Domain**.
108+
1. Navigate to the Verified ID in the Azure portal.
109+
1. On the left side of the page, select **Registration**.
116110
1. In the Domain box, enter your new domain name.
117111
1. Select **Publish**.
118112
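Review bot: Step 1 at line 108, `Navigate to the Verified ID in the Azure portal.`, reads as if a noun is missing after `Verified ID`. The later hunk in this file says `navigate to the Verified ID page`, so use the same wording here. Step 3 still refers to `the Domain box` after the menu item was renamed to **Registration**, so confirm that the box label is unchanged in the portal.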

@@ -139,7 +133,7 @@ If the trust system is ION, once the domain changes are published to ION, the do
139133

140134
## Distribute well-known config
141135

142-
1. From the Azure portal, navigate to the Verifiable Credentials page. Select **Domain** and choose **Verify this domain**
136+
1. From the Azure portal, navigate to the Verified ID page. Select **Registration** and choose **Verify** for the domain
143137

144138
2. Download the did-configuration.json file shown in the image below.
145139

articles/active-directory/verifiable-credentials/how-to-issuer-revoke.md

Lines changed: 13 additions & 12 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: How to Revoke a Verifiable Credential as an Issuer - Azure Active Directory Verifiable Credentials
2+
title: How to Revoke a Verifiable Credential as an Issuer - Entra Verified ID
33
description: Learn how to revoke a Verifiable Credential that you've issued
44
documentationCenter: ''
55
author: barclayn
@@ -19,12 +19,7 @@ ms.author: barclayn
1919

2020
As part of the process of working with verifiable credentials (VCs), you not only have to issue credentials, but sometimes you also have to revoke them. In this article, we go over the **Status** property part of the VC specification and take a closer look at the revocation process, why we may want to revoke credentials and some data and privacy implications.
2121

22-
> [!IMPORTANT]
23-
> Microsoft Entra Verified ID is currently in public preview.
24-
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
25-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
26-
27-
## Why you may want to revoke a VC?
22+
## Why you may want to revoke a verifiable credential?
2823

2924
Each customer will have their own unique reason's for wanting to revoke a verifiable credential, but here are some of the common themes we've heard thus far.
3025
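Review bot: The new heading at line 22, `## Why you may want to revoke a verifiable credential?`, keeps statement word order but ends in a question mark. Use `Why might you want to revoke a verifiable credential?` or drop the question mark. The context line below it also has `unique reason's`, which should be `reasons`.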

@@ -36,18 +31,21 @@ Each customer will have their own unique reason's for wanting to revoke a verifi
3631

3732
Using the indexed claim in verifiable credentials, you can search for issued verifiable credentials by that claim in the portal and revoke it.
3833

39-
1. Navigate to the verifiable credentials blade in Azure Active Directory.
34+
1. Navigate to the Verified ID blade in the Azure portal as an admin user with sign key permission on Azure KeyVault.
4035
1. Select the verifiable credential type
4136
1. On the left-hand menu, choose **Revoke a credential**
4237
![Revoke a credential](media/how-to-issuer-revoke/settings-revoke.png)
43-
1. Search for the index claim of the user you want to revoke. If you haven't indexed a claim, search won't work, and you won't be able to revoke the verifiable credential.
38+
1. Search for the index claim of the user you want to revoke. If you haven't indexed a claim, search will not work, and you will not be able to revoke the verifiable credential.
4439

4540
![Screenshot of the credential to revoke](media/how-to-issuer-revoke/revoke-search.png)
4641

4742
>[!NOTE]
48-
>Since we are only storing a hash of the indexed claim from the verifiable credential, only an exact match will populate the search results. We take the input as searched by the IT Admin and we use the same hashing algorithm to see if we have a hash match in our database.
43+
>Since only a hash of the indexed claim from the verifiable credential is stored, only an exact match will populate the search results. What is entered in the textbox is hashed using the same algorithm and used as a search criteria to match the stored, hashed, value.
4944
50-
1. Once you've found a match, select the **Revoke** option to the right of the credential you want to revoke.
45+
1. When a match is found, select the **Revoke** option to the right of the credential you want to revoke.
46+
47+
>[!NOTE]
48+
>The admin user performing the revoke operation needs to have **sign** key permission on Azure KeyVault or you will get error message ***Unable to access KeyVault resource with given credentials***.
5149
5250
![Screenshot of a warning letting you know that after revocation the user still has the credential](media/how-to-issuer-revoke/warning.png)
5351
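Review bot: The **sign** key permission requirement is now stated twice, in step 1 (line 34) and in the new NOTE at lines 47-48, and the NOTE sits between the **Revoke** step and the warning screenshot that belongs to it. Keep the requirement in one place, preferably as a prerequisite before the steps, and say which key vault is meant so the permission can be granted narrowly. Outside the quoted error message, `Azure KeyVault` should be `Azure Key Vault`, and `a search criteria` at line 43 should be `a search criterion`.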

@@ -109,7 +107,7 @@ Verifiable credential data isn't stored by Microsoft. Therefore, the issuer need
109107
```
110108

111109
>[!NOTE]
112-
>Only one claim can be indexed from a rules claims mapping.
110+
>Only one claim can be indexed from a rules claims mapping. If you accidentally have no indexed claim in your rules definition, and you later correct this, already issued verifiable credentials will not be searchable since they were issued when no index existed.
113111
114112

115113
## How does revocation work?
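Review bot: The sentence added at line 110 says credentials issued without an indexed claim "will not be searchable" but stops short of the consequence. The revocation steps earlier in this file state that without search the credential can't be revoked in the portal, so say that explicitly here and state what the issuer should do about credentials already issued, for example reissue them once the index exists.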
@@ -120,6 +118,9 @@ Microsoft Entra Verified ID implements the [W3C StatusList2021](https://github.c
120118

121119
In every Microsoft issued verifiable credential, there is a claim called `credentialStatus`. This data is a navigational map to where in a block of data this VC has its revocation flag.
122120

121+
>[!NOTE]
122+
>If the verifiable credential is old and was issued during the preview period, this claim may not exist. Revocation will not work for this credential and you have to reissue it.
123+
123124
```json
124125
...
125126
"credentialStatus": {

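Review bot: The NOTE added at lines 121-122 is placed between the sentence that introduces `credentialStatus` and the JSON sample that illustrates it. Move it below the sample so the explanation and its example stay together. `old and was issued during the preview period` says the same thing twice, so `issued during the preview period` is enough. It would also help to state that a missing `credentialStatus` claim is how to recognize such a credential.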
articles/active-directory/verifiable-credentials/how-to-opt-out.md

Lines changed: 4 additions & 9 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Opt out of the Microsoft Entra Verified ID
3-
description: Learn how to Opt Out of the Verifiable Credentials Preview
3+
description: Learn how to Opt Out of Entra Verified ID
44
documentationCenter: ''
55
author: barclayn
66
manager: rkarlin
@@ -24,18 +24,13 @@ In this article:
2424
- What happens to your data?
2525
- Effect on existing verifiable credentials.
2626

27-
> [!IMPORTANT]
28-
> Microsoft Entra Verified ID is currently in public preview.
29-
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
30-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
31-
3227
## Prerequisites
3328

3429
- Complete verifiable credentials onboarding.
3530

3631
## When do you need to opt out?
3732

38-
Opting out is a one-way operation, after you opt-out your Microsoft Entra Verified ID environment will be reset. During the Public Preview opting out may be required to:
33+
Opting out is a one-way operation, after you opt-out your Entra Verified ID environment will be reset. Opting out may be required to:
3934

4035
- Enable new service capabilities.
4136
- Reset your service configuration.
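Review bot: Line 33 joins two sentences with a comma and hyphenates the verb: `Opting out is a one-way operation, after you opt-out your Entra Verified ID environment will be reset.` Suggest `Opting out is a one-way operation. After you opt out, your Microsoft Entra Verified ID environment is reset.`, which also keeps the full product name used in the title of this file.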
@@ -57,11 +52,11 @@ Once an opt-out takes place, you won't be able to recover your DID or conduct an
5752
All verifiable credentials already issued will continue to exist. They won't be cryptographically invalidated as your DID will remain resolvable through ION.
5853
However, when relying parties call the status API, they will always receive back a failure message.
5954

60-
## How to opt-out from the Microsoft Entra Verified ID Public Preview?
55+
## How to opt-out from the Microsoft Entra Verified ID service?
6156

6257
1. From the Azure portal search for verifiable credentials.
6358
2. Choose **Organization Settings** from the left side menu.
64-
3. Under the section, **Reset your organization**, select **Delete all credentials, and opt out of preview**.
59+
3. Under the section, **Reset your organization**, select **Delete all credentials and reset service**.
6560

6661
:::image type="content" source="media/how-to-opt-out/settings-reset.png" alt-text="Section in settings that allows you to reset your organization":::
6762
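Review bot: Step 1 (line 57) is left unchanged and still tells the reader to search the portal for `verifiable credentials`, while other articles in this commit now say to navigate to Verified ID. If the portal entry was renamed, update this step as well. The heading at line 55 also uses `opt-out` as a verb where `opt out` is meant.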

articles/active-directory/verifiable-credentials/how-to-register-didwebsite.md

Lines changed: 9 additions & 10 deletions
@@ -17,32 +17,27 @@ ms.author: barclayn
1717

1818
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
1919

20-
> [!IMPORTANT]
21-
> Microsoft Entra Verified ID is currently in public preview.
22-
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
23-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
24-
2520
## Prerequisites
2621

2722
- Complete verifiable credentials onboarding with Web as the selected trust system.
28-
- Complete the Linked Domain setup.
23+
- Complete the Linked Domain setup. Without completing this step, you can't perform this registration step.
2924

3025
## Why do I need to register my website ID?
3126

32-
If your trust system for the tenant is Web, you need register your website ID to be able to issue and verify your credentials. When you use the ION based trust system, information like your issuers' public keys are published to the blockchain. When the trust system is Web, you have to make this information available on your website.
27+
If your trust system for the tenant is Web, you need register your website ID to be able to issue and verify your credentials. When the trust system is Web, you have to make this information available on your website and complete this registration. When you use the ION based trust system, information like your issuers' public keys are published to blockchain and you don't need to complete this step.
3328

3429
## How do I register my website ID?
3530

36-
1. Navigate to the Verifiable Credentials | Getting Started page.
37-
1. On the left side of the page, select Domain.
31+
1. Navigate to the Verified ID in the Azure portal.
32+
1. On the left side of the page, select Registration.
3833
1. At the Website ID registration, select Review.
3934

4035
![Screenshot of website registration page.](media/how-to-register-didwebsite/how-to-register-didwebsite-domain.png)
4136
1. Copy or download the DID document being displayed in the box
4237

4338
![Screenshot of did.json.](media/how-to-register-didwebsite/how-to-register-didwebsite-diddoc.png)
4439
1. Upload the file to your webserver. The DID document JSON file needs to be uploaded to location /.well-known/did.json on your webserver.
45-
1. Once the file is available on your webserver, you need to select the Refresh registration status button to verify that the system can request the file.
40+
1. Once the file is available on your webserver, you need to select the **Refresh registration status** button to verify that the system can request the file.
4641

4742
## When is the DID document in the did.json file used?
4843

@@ -52,6 +47,10 @@ The DID document contains the public keys for your issuer and is used during bot
5247

5348
The DID document in the did.json file needs to be republished if you changed the Linked Domain or if you rotate your signing keys.
5449

50+
## How can I verify that the registration is working?
51+
52+
The portal verifies that the `did.json` is reachable and correct when you click the [**Refresh registration status** button](#how-do-i-register-my-website-id). You should also consider verifying that you can request that URL in a browser to avoid errors like not using https, bad SSL certificate or URL not being public. If the did.json file can be requested anonymously in a browser, without warnings or errors, the portal will not be able to complete the **Refresh registration status** step either.
53+
5554
## Next steps
5655

5756
- [Tutorial for issue a verifiable credential](verifiable-credentials-configure-issuer.md)
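Review bot: The last sentence of the new section at line 52 states the opposite of what is intended: `If the did.json file can be requested anonymously in a browser, without warnings or errors, the portal will not be able to complete ...`. It should read `can't be requested`, since the trailing `either` only makes sense for the failure case. Consider also listing the checks as bullets (HTTPS in use, valid certificate, publicly reachable URL) so the reader can tick them off.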
