|
| 1 | +--- |
| 2 | +title: Configure verified ID settings for an access package in entitlement management (Preview) - Azure AD |
| 3 | +description: Learn how to configure verified ID settings for an access package in entitlement management. |
| 4 | +services: active-directory |
| 5 | +documentationCenter: '' |
| 6 | +author: owinfreyatl |
| 7 | +manager: amycolannino |
| 8 | +editor: HANKI |
| 9 | +ms.service: active-directory |
| 10 | +ms.workload: identity |
| 11 | +ms.tgt_pltfrm: na |
| 12 | +ms.topic: how-to |
| 13 | +ms.subservice: compliance |
| 14 | +ms.date: 01/25/2023 |
| 15 | +ms.author: owinfrey |
| 16 | +ms.reviewer: hanki |
| 17 | +ms.collection: M365-identity-device-management |
| 18 | + |
| 19 | +--- |
| 20 | + |
| 21 | +# Configure verified ID settings for an access package in entitlement management (Preview) |
| 22 | + |
| 23 | +When setting up an access package policy, admins can specify whether it’s for users in the directory, connected organizations, or any external user. Entitlement Management determines if the person requesting the access package is within the scope of the policy. |
| 24 | + |
| 25 | +Sometimes you might want users to present additional identity proofs during the request process such as a training certification, work authorization, or citizenship status. As an access package manager, you can require that requestors present a verified ID containing those credentials from a trusted issuer. Approvers can then quickly view if a user’s verifiable credentials were validated at the time that the user presented their credentials and submitted the access package request. |
| 26 | + |
| 27 | +As an access package manager, you can include verified ID requirements for an access package at any time by editing an existing policy or adding a new policy for requesting access. |
| 28 | + |
| 29 | +This article describes how to configure the verified ID requirement settings for an access package. |
| 30 | + |
| 31 | +## Prerequisites |
| 32 | + |
| 33 | +Before you begin, you must set up your tenant to use the [Microsoft Entra Verified ID service](../verifiable-credentials/decentralized-identifier-overview.md). You can find detailed instructions on how to do that here: [Configure your tenant for Microsoft Entra Verified ID](../verifiable-credentials/verifiable-credentials-configure-tenant.md). |
| 34 | + |
| 35 | +## Create an access package with verified ID requirements (Preview) |
| 36 | + |
| 37 | +To add a verified ID requirement to an access package, you must start from the access package’s requests tab. Follow these steps to add a verified ID requirement to a new access package. |
| 38 | + |
| 39 | + |
| 40 | +**Prerequisite role**: Global administrator |
| 41 | + |
| 42 | +> [!NOTE] |
| 43 | +> Identity Governance administrator, User administrator, Catalog owner, or Access package manager will be able to add verified ID requirements to access packages soon. |
| 44 | +
|
| 45 | +1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**. |
| 46 | + |
| 47 | +1. In the left menu, select **Access packages** and then select **+ New access package**. |
| 48 | + |
| 49 | +1. On the **Requests** tab, scroll to the **Required Verified Ids** section. |
| 50 | + |
| 51 | +1. Select **+ Add issuer** and choose an issuer from the Entra Verified ID network. If you want to issue your own credentials to users, see: [Issue Microsoft Entra Verified ID credentials from an application](../verifiable-credentials/verifiable-credentials-configure-issuer.md). |
| 52 | + :::image type="content" source="media/entitlement-management-verified-id-settings/select-issuer.png" alt-text="Select issuer for entra verified credentials."::: |
| 53 | + |
| 54 | +1. Select the **credential type(s)** you want users to present during the request process. |
| 55 | + :::image type="content" source="media/entitlement-management-verified-id-settings/issuer-credentials.png" alt-text="Screenshot of credential types for entra verified IDs."::: |
| 56 | + > [!NOTE] |
| 57 | + > If you select multiple credential types from one issuer, users will be required to present credentials of all selected types. Similarly, if you include multiple issuers, users will be required to present credentials from each of the issuers you include in the policy. To give users the option of presenting different credentials from various issuers, configure separate policies for each issuer/credential type you’ll accept. |
| 58 | +1. Select **Add** to add the verified ID requirement to the access package policy. |
| 59 | + |
| 60 | +1. Once you have finished configuring the rest of the settings, you can review your selections on the **Review + create** tab. You can see all verified ID requirements for this access package policy in the **Verified IDs** section. |
| 61 | + :::image type="content" source="media/entitlement-management-verified-id-settings/verified-ids-list.png" alt-text="Screenshot of a list of verified IDs."::: |
| 62 | + |
| 63 | + |
| 64 | +## Request an access package with verified ID requirements (Preview) |
| 65 | + |
| 66 | +Once an access package is configured with a verified ID requirement, end-users who are within the scope of the policy are able to request access using the My Access portal. Similarly, approvers are able to see the claims of the VCs presented by requestors when reviewing requests for approval. |
| 67 | + |
| 68 | +The requestor steps are as follows: |
| 69 | + |
| 70 | +1. Go to [myaccess.microsoft.com](HTTPS://myaccess.microsoft.com) and sign in. |
| 71 | + |
| 72 | +1. Search for the access package you want to request access to (you can browse the listed packages or use the search bar at the top of the page) and select **Request**. |
| 73 | + |
| 74 | +1. If the access package requires you to present a verified ID, you should see a grey information banner as shown here: |
| 75 | + :::image type="content" source="media/entitlement-management-verified-id-settings/present-verified-id-access-package.png" alt-text="Screenshot of the present verified ID for access package option."::: |
| 76 | +1. Select **Request Access**. You should now see a QR code. Use your phone to scan the QR code. This launches Microsoft Authenticator, where you'll be prompted to share your credentials. |
| 77 | + :::image type="content" source="media/entitlement-management-verified-id-settings/verified-id-qr-code.png" alt-text="Screenshot of use QR code for verified IDs."::: |
| 78 | +1. After you share your credentials, My Access will automatically take you to the next step of the request process. |
| 79 | + |
| 80 | + |
| 81 | +## Next steps |
| 82 | + |
| 83 | +[Delegate access governance to access package managers](entitlement-management-delegate-managers.md) |
0 commit comments