Protect your organization from account takeover and hiring fraud as deepfake impersonation threats grow. With Microsoft Entra Verified ID, you can use Face Check to verify identities in real time against government-issued IDs like driver’s licenses and passports.
Use Face Check with integrated solutions for:
- new employee, guest or admin onboarding
- step-up authentication to access sensitive information
- securing common helpdesk-driven tasks, like user account recovery
Setup is simple and has been designed so that both the enterprise and the person verifying their identity maintain control — without storing or passing biometric information like other face matching solutions.
Join Ankur Patel, from the Microsoft Entra team, as he demonstrates how Face Check with Verified ID works and how to set it up.
Defend against deepfakes.
Ensure that only the right people can access your organization’s resources with real-time facial matching using Face Check with Microsoft Entra Verified ID.
AI-powered identity verification.
See how Face Check with Microsoft Entra Verified ID keeps onboarding and account recovery secure.
Verify access to resources when roles change.
Face Check with Microsoft Entra Verified ID ensures that only verified users can access critical apps and data.
QUICK LINKS:
00:00 — Face Check with Microsoft Entra Verified ID
00:54 — AI-powered identity verification
01:44 — First time user experience
03:21 — How it works
04:55 — Use cases
05:34 — Set it up
06:16 — Update an app for Face Check
06:43 — Access packages
08:18 — Wrap up
Link References
For more information, check out https://aka.ms/FaceCheckSetup
Watch the complete playlist for Microsoft Entra Suite at https://aka.ms/EntraSuiteMechanics
Access a list of identity verification providers at https://aka.ms/IDVpartners
Video Transcript:
-Remote impersonation attacks are on the rise, and with the rise of remote work and as AI technology gains ground, as both an ally used for good and as an adversary used for nefarious activities, there’s a growing risk of deepfake impersonation attacks, resulting in account takeover or even hiring fraud.
-To ensure the right person is given and retains access to digital accounts, Face Check with Microsoft Entra Verified ID performs real-time biometric verification against government-issued identity documents, such as a driver’s license and passports.
-This service can help reduce risks when it comes to new employee, guest or admin onboarding, step-up authentication to access sensitive information, or securing common Helpdesk-driven tasks, like user account recovery, where identity verification is now automated and performed digitally and online versus manually and in person from wherever you may be.
-And this is different to the common verification method of simply matching the face door on your phone. Face Check with Verified ID uses AI-powered services to uniquely verify characteristics of your face and it compares it with what’s on your current official government or employee-issued photo ID and determines the confidence of the match.
-Importantly, as an enterprise, you can continuously check and verify a user’s identity whenever there are changes in risk factors, giving you a higher level of security and trust, and it’s simple and straightforward to set up. It’s been designed so that both the enterprise and the person verifying the identity maintain control.
-Unlike other facial matching solutions, this service does not store biometric information. It’s compliant with prevalent privacy regulations, and has built-in safeguards against deepfake ID spoofing. Let me start by showing you how it works in the context of a user enrolling their identity for the first time using Verified ID. This is an example of the end-to-end onboarding experience for a new employee that I recorded earlier using IDEMIA, a global identity verification provider.
-After entering your name, the onboarding portal will present a QR code to verify government-issued ID and face biometrics, and when I use the camera app on my phone to scan, it takes me directly to the IDEMIA app, where I can continue. I’m prompted to verify my location. I will choose my country, United States, and along with the ID document among the ones accepted by my employer, I will choose a driver’s license.
-From here, a process that many of us have been through, I can scan both sides of my driver’s license. I will start with the front side of my driver’s license and line everything up. Now I can flip it over and take a photo on the other side. Everything looks good, so I’ll submit these photos to continue, and in seconds, I have my Verified ID from IDEMIA.
-Now, we’ll present this IDEMIA-issued ID and perform a Face Check to complete the onboarding process. This time, I’ll scan the QR code on my screen using the Microsoft Authenticator app. That will start the Face Check process. And here, I’ve got the camera in selfie mode, and you can see that it’s taking a sequence of photos as a liveness check.
-Then, once it’s finished and I share the results, my organization can confidently create an account for me to access internal resources, such as getting my employee ID or ordering a computer for me to start the job. Let me explain how this worked, along with the components of Face Check with Microsoft Entra Verified ID.
-When a new employee onboards into the organization, they first have to get a digital photo from a trusted third-party provider. Once the digital photo credential has been retrieved, the user is ready to respond to an authentication challenge from a requesting service, and at that stage, they use their phone’s built-in camera to capture and send an image sequence to Microsoft’s Verified ID service.
-From there, advanced AI algorithms with face liveness checks determine the authenticity of the image feed and whether the face is a true match with a photo from the digital credential acquired in the first step. The requesting service or application will only see the pass/fail based on the confidence score of the match.
-The image and biometric information contained in the digital credential is not passed or stored. And finally, based on your configured confidence threshold, the process then grants or denies access to the requested resource. And, beyond onboarding, an existing employee, for example, trying to recover a credential like a lost passkey can use their digital photo managed by their organization’s internal HR or badge system to prove they are who they say they are.
-As an organization, you get to determine the required confidence level for biometric facial match, and use recommended defaults. Even moderate changes in physical appearances, like eyeglasses, facial hair, cutting or dyeing your hair, the AI system can account for such variance, and won’t materially affect verification results. Now, there are additional use cases where Face Check may make sense.
-For example, in cases where a user’s phone or ID has been lost or stolen and account recovery’s needed, you can use Face Check to ensure that the right person is recovering access in order to restore their ability to securely access resources. This is in contrast to relying on SMS or email roundtrip or 20 knowledge-based questions that are subject to impersonation attacks. Now, another use case is step-up authentication, where you may need to update direct deposit bank information for payroll or other sensitive information where extra protection is required.
-So, there are lots of scenarios where Face Check with Microsoft Entra Verified ID makes a big difference, and setting the service up is straightforward from the Microsoft Entra Admin Center. In the Verified ID Overview page, click Get started. Verified ID takes just a moment to set up. Once complete, to add Face Check, you can scroll down and turn on the service. It’s available as a paid add-on, and also included with Microsoft Entra Suite.
-Next, I’ll define my Azure subscription details with a resource group, and once that’s complete, you will see that Face Check is enabled. From there, you will need to configure your onboarding portal to accept credentials from your preferred ID verification provider, and you can check out aka.ms/IDVpartners for a list of global leading identity verification providers that an enterprise can use right away.
-Next, let’s update the app where we want to perform a Face Check, such as onboarding or help desk portal from our demo. This is an example of the code you can use to initiate a Face Check from your website or app. You’ll see that requested credential from the trusted ID verification partner, and it contains configuration parameters for performing Face Check with claim type, a photo in this case, as well as a required confidence score threshold to verify a match.
-Another place where we find Face Check being very valuable is when people change roles or locations within an organization. Entitlement Management in Microsoft Entra is used to manage access for apps. Most recently, access packages now support Face Check to ensure that such access is only granted upon verification.
-I’ll do this using Access Packages. I can configure a one-time setup for a group of resources, for example, based on their role in the company. Let’s create one for New Hires to the Sales team. First, I’ll add them to the right groups and teams, along with their role. Next, I’ll add an enterprise app like you can see here Salesforce, and optionally, you can also grant access to the right internal SharePoint sites.
-When I configure access packages, in the Request step, along with a few other standard options, I can require Verified IDs and that gives me more options to configure the issuer, I’ll choose Woodgrove in this case, and select credential types. Then, this is where you can require Face Check. I’ll do that. And select the photo’s claim name. In this case, it’s the Photo option. From there, I’ll create the policy as usual and complete the remaining steps.
-Now, if I switch over to a requesting user’s view, when they request the access package, the service will perform the Face Check just like I’ve shown before to satisfy the request, and if successful, Microsoft Entra then authorizes permissions to access the package that you have assigned.
-And coming soon, we are building native integration into Conditional Access, so that you can perform step-up authentication checks based on changes in risks across networks, devices, and user conditions. So, that’s how Face Check with Microsoft Entra Verified ID not only helps protect you against impersonation attacks, but also strengthens identity verification for more practical day-to-day use cases.
-To find out more, check out aka.ms/FaceCheckSetup and get started in the Microsoft Entra admin center, and you can find out our complete playlist for Microsoft Entra Suite at aka.ms/EntraSuiteMechanics. Subscribe to Microsoft Mechanics for more updates, and thanks for watching.
Published Feb 28, 2025
Version 1.0
Zachary-Cavanell