Issue Azure AD Verifiable Credentials from an application (preview)
In this tutorial, you run a sample application from your local computer that connects to your Azure Active Directory (Azure AD) tenant. Using the application, you're going to issue and verify a verified credential expert card.
In this article, you learn how to:
- Set up Azure Blob Storage for storing your Azure AD Verifiable Credentials configuration files.
- Create and upload your Verifiable Credentials configuration files.
- Create the verified credential expert card in Azure.
- Gather credentials and environment details to set up the sample application.
- Download the sample application code to your local computer.
- Update the sample application with your verified credential expert card and environment details.
- Run the sample application and issue your first verified credential expert card.
- Verify your verified credential expert card.
The following diagram illustrates the Azure AD Verifiable Credentials architecture and the component you configure.

Prerequisites
- Set up a tenant for Azure AD Verifiable Credentials.
- To clone the repository that hosts the sample app, install Git.
- Visual Studio Code, or similar code editor.
- .NET 5.0.
- ngrok (free).
- A mobile device with Microsoft Authenticator installed: Android version 6.2108.5654 or later, or iOS version 6.5.82 or later.
Create a storage account
Azure Blob Storage is an object storage solution for the cloud. Azure AD Verifiable Credentials uses Azure Blob Storage to store the configuration files when the service is issuing verifiable credentials.
Create and configure Blob Storage by following these steps:
If you don't have an Azure Blob Storage account, create one.
After you've created the storage account, create a container. In the left menu for the storage account, scroll to the Data storage section, and select Containers.
Select + Container.
Type a name for your new container. The container name must be lowercase, must start with a letter or number, and can include only letters, numbers, and the dash (-) character. For example, vc-container.
Set Public access level to Private (no anonymous access). The portal reads these files with the signed-in user's permissions, which you grant in the next section, so nothing needs anonymous read access to the container.
Select Create.

Grant access to the container
After you create your container, grant the signed-in user the correct role assignment so they can access the files in Blob Storage.
From the list of containers, select vc-container.
From the menu, select Access Control (IAM).
Select + Add, and then select Add role assignment.

In Add role assignment:
For the Role, select Storage Blob Data Reader.
For the Assign access to, select User, group, or service principal.
Then, search for the account that you're using to perform these steps, and select it.

Important
By default, the person who creates a container gets the Owner role on it. Owner is a management-plane role: it lets you configure the container but doesn't grant access to the data in it. Your account also needs the Storage Blob Data Reader data-plane role. For more information, see Use the Azure portal to assign an Azure role for access to blob and queue data.
Upload the configuration files
Azure AD Verifiable Credentials uses two JSON configuration files, the rules file and the display file.
- The rules file describes important properties of verifiable credentials. In particular, it describes the claims that subjects (users) need to provide before a verifiable credential is issued for them.
- The display file controls the branding of the credential and styling of the claims.
In this section, you upload sample rules and display files to your storage. For more information, see How to customize your verifiable credentials.
To upload the configuration files, follow these steps:
Copy the following JSON, and save the content into a file called VerifiedCredentialExpertDisplay.json.

{
  "default": {
    "locale": "en-US",
    "card": {
      "title": "Verified Credential Expert",
      "issuedBy": "Microsoft",
      "backgroundColor": "#2E4053",
      "textColor": "#ffffff",
      "logo": {
        "uri": "https://didcustomerplayground.blob.core.windows.net/public/VerifiedCredentialExpert_icon.png",
        "description": "Verified Credential Expert Logo"
      },
      "description": "Use your verified credential to prove to anyone that you know all about verifiable credentials."
    },
    "consent": {
      "title": "Do you want to get your Verified Credential?",
      "instructions": "Sign in with your account to get your card."
    },
    "claims": {
      "vc.credentialSubject.firstName": {
        "type": "String",
        "label": "First name"
      },
      "vc.credentialSubject.lastName": {
        "type": "String",
        "label": "Last name"
      }
    }
  }
}

Copy the following JSON, and save the content into a file called VerifiedCredentialExpertRules.json. This rules file defines two simple claims, firstName and lastName, each mapped from a claim in the user's id token ($.given_name and $.family_name):

{
  "attestations": {
    "idTokens": [
      {
        "id": "https://self-issued.me",
        "mapping": {
          "firstName": { "claim": "$.given_name" },
          "lastName": { "claim": "$.family_name" }
        },
        "configuration": "https://self-issued.me",
        "client_id": "",
        "redirect_uri": ""
      }
    ]
  },
  "validityInterval": 2592001,
  "vc": {
    "type": [ "VerifiedCredentialExpert" ]
  }
}

In the Azure portal, go to the storage account in which you created the container.
In the left menu, select Containers to show the list of containers, then select the vc-container that you created earlier.
Select Upload to open the upload pane and browse your local file system to find the files to upload. Select the VerifiedCredentialExpertDisplay.json and VerifiedCredentialExpertRules.json files. Then select Upload to upload the files to your container.
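A mismatch between the two files (a claim the card displays that no attestation maps, a mapping that isn't a JSONPath, a missing credential type) is easy to introduce while editing and only shows up later as an empty card field or a failed issuance. The following script is an added example, not part of the tutorial or the sample repository: it cross-checks constructed copies of the two files above and reports the problems it finds. The check that an idTokens attestation pointing anywhere other than https://self-issued.me needs client_id and redirect_uri is my assumption, based on the sample leaving them empty only for self-issued tokens.

```python
"""Cross-check a Verifiable Credentials display file against its rules file.

Added example (not from the tutorial or the sample repo). The JSON below is a
constructed copy of the two tutorial files, embedded so the script runs offline.
"""
import json
import re

DISPLAY_JSON = """{
  "default": {
    "locale": "en-US",
    "card": {"title": "Verified Credential Expert", "issuedBy": "Microsoft",
             "backgroundColor": "#2E4053", "textColor": "#ffffff",
             "logo": {"uri": "https://didcustomerplayground.blob.core.windows.net/public/VerifiedCredentialExpert_icon.png",
                      "description": "Verified Credential Expert Logo"},
             "description": "Use your verified credential to prove to anyone that you know all about verifiable credentials."},
    "consent": {"title": "Do you want to get your Verified Credential?",
                "instructions": "Sign in with your account to get your card."},
    "claims": {"vc.credentialSubject.firstName": {"type": "String", "label": "First name"},
               "vc.credentialSubject.lastName": {"type": "String", "label": "Last name"}}
  }
}"""

RULES_JSON = """{
  "attestations": {"idTokens": [{"id": "https://self-issued.me",
                                 "mapping": {"firstName": {"claim": "$.given_name"},
                                             "lastName": {"claim": "$.family_name"}},
                                 "configuration": "https://self-issued.me",
                                 "client_id": "", "redirect_uri": ""}]},
  "validityInterval": 2592001,
  "vc": {"type": ["VerifiedCredentialExpert"]}
}"""

# Display-file claim keys address the credential subject, e.g. vc.credentialSubject.firstName.
CLAIM_KEY = re.compile(r"^vc\.credentialSubject\.(\w+)$")
SELF_ISSUED = "https://self-issued.me"


def load_tutorial_files():
    """Parse the embedded constructed copies: (display, rules)."""
    return json.loads(DISPLAY_JSON), json.loads(RULES_JSON)


def display_claims(display):
    """Return {claimName: label} for every claim the card renders."""
    shown = {}
    for key, spec in display.get("default", {}).get("claims", {}).items():
        match = CLAIM_KEY.match(key)
        if not match:
            raise ValueError(f"display claim key {key!r} is not vc.credentialSubject.<name>")
        shown[match.group(1)] = spec.get("label", "")
    return shown


def rules_claims(rules):
    """Return {claimName: sourceJsonPath} collected from every attestation's mapping."""
    mapped = {}
    for entries in rules.get("attestations", {}).values():
        for entry in entries:
            for name, spec in entry.get("mapping", {}).items():
                mapped[name] = spec.get("claim", "")
    return mapped


def check_config(display, rules):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    shown, mapped = display_claims(display), rules_claims(rules)
    for name in shown:
        if name not in mapped:
            problems.append(f"display renders '{name}' but no attestation maps it, so it will be empty")
    for name, src in mapped.items():
        if name not in shown:
            problems.append(f"rules map '{name}' but the display file never shows it")
        if not src.startswith("$."):
            problems.append(f"mapping for '{name}' must be a JSONPath such as '$.given_name', got {src!r}")
    if not rules.get("vc", {}).get("type"):
        problems.append("rules file has no vc.type; verifiers request credentials by this type")
    interval = rules.get("validityInterval")
    if not isinstance(interval, int) or interval <= 0:
        problems.append("validityInterval must be a positive number of seconds")
    for entry in rules.get("attestations", {}).get("idTokens", []):
        # Assumption: only self-issued tokens may leave the OIDC client registration empty.
        if entry.get("configuration") != SELF_ISSUED and not (entry.get("client_id") and entry.get("redirect_uri")):
            problems.append(f"idTokens attestation for {entry.get('configuration')!r} needs client_id and redirect_uri")
    return problems


def validity_days(rules):
    """validityInterval in days; the tutorial's 2592001 s is 30 days plus one second."""
    return rules["validityInterval"] / 86400


if __name__ == "__main__":
    display, rules = load_tutorial_files()
    for line in check_config(display, rules) or ["display and rules files agree"]:
        print(line)
    print(f"validity: {validity_days(rules):.2f} days")
```

Run it against your own edited files by swapping the embedded strings for the file contents; the tutorial's files pass with no findings, and the validity interval works out to 30 days.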
Create the verified credential expert card in Azure
In this step, you create the verified credential expert card by using Azure AD Verifiable Credentials. After creating a verified credential, your Azure AD tenant can issue this credential to users who initiate the process.
Using the Azure portal, search for verifiable credentials. Then select Verifiable Credentials (Preview).
After you set up your tenant, the Create a new credential window should appear. If it’s not opened, or you want to create more credentials, in the left menu, select Credentials. Then select + Credential.
In Create a new credential, do the following:
For Name, enter VerifiedCredentialExpert. This name is used in the portal to identify your verifiable credentials. It's included as part of the verifiable credentials contract.
For Subscription, select the Azure subscription in which you created the storage account.
Under Display file, select Select display file. In the Storage accounts section, select vc-container, then select the VerifiedCredentialExpertDisplay.json file and choose Select.
Under Rules file, select Select rules file. In the Storage accounts section, select vc-container, then select the VerifiedCredentialExpertRules.json file and choose Select.
Select Create.
The following screenshot demonstrates how to create a new credential:

Gather credentials and environment details
Now that you have a new credential, you're going to gather some information about your environment and the credential that you created. You use these pieces of information when you set up your sample application.
In Verifiable Credentials, select Credentials. From the list of credentials, select VerifiedCredentialExpert, which you created earlier.

Copy the Issue Credential URL. This URL points at the credential contract, which the service builds from your rules and display files; Authenticator fetches it to learn what the issuance requires before it shows those requirements to the user. Record it for later use.
Copy the Decentralized identifier, and record it for later.
Copy your Tenant ID, and record it for later.

Download the sample code
The sample application is available in .NET, and the code is maintained in a GitHub repository. Download the sample code from GitHub, or clone the repository to your local machine:
git clone https://github.com/Azure-Samples/active-directory-verifiable-credentials-dotnet.git
Configure the verifiable credentials app
Create a client secret for the registered application that you created. The sample application uses the client secret to prove its identity when it requests tokens.
Go to the App registrations page that is located inside Azure Active Directory.
Select the verifiable-credentials-app application that you created earlier to open its registration details.
Copy the Application (client) ID, and store it for later.

From the main menu, under Manage, select Certificates & secrets.
Select New client secret, and do the following:
In Description, enter a description for the client secret (for example, vc-sample-secret).
Under Expires, select a duration for which the secret is valid (for example, six months). Then select Add.
Record the secret's Value. You'll use it for configuration in a later step. The value is shown only once and can't be retrieved afterwards, so copy it as soon as it's visible. Treat it like a password: don't commit it to source control along with appsettings.json, and for anything beyond this tutorial prefer a certificate (the sample's CertificateName setting) or a secret store over a long-lived secret in a config file.
At this point, you should have all the required information that you need to set up your sample application.
Update the sample application
Now you'll update the sample app's configuration with the values you recorded, so that it issues verifiable credentials from your own tenant.
Open Visual Studio Code in the folder you cloned or downloaded (active-directory-verifiable-credentials-dotnet, or active-directory-verifiable-credentials-dotnet-main if you downloaded the ZIP), and select the project inside the 1-asp-net-core-api-idtokenhint folder.
Under the project root folder, open the appsettings.json file. This file contains information about your Azure AD Verifiable Credentials. Update the following properties with the information that you recorded in earlier steps:
- TenantId: your tenant ID
- ClientId: your application (client) ID
- ClientSecret: your client secret
- IssuerAuthority: your decentralized identifier
- VerifierAuthority: your decentralized identifier
- CredentialManifest: your Issue Credential URL
Save the appsettings.json file.
The following JSON demonstrates a complete appsettings.json file:
{
  "AppSettings": {
    "Endpoint": "https://beta.did.msidentity.com/v1.0/{0}/verifiablecredentials/request",
    "VCServiceScope": "bbb94529-53a3-4be5-a069-7eaf2712b826/.default",
    "Instance": "https://login.microsoftonline.com/{0}",
    "TenantId": "12345678-0000-0000-0000-000000000000",
    "ClientId": "33333333-0000-0000-0000-000000000000",
    "ClientSecret": "123456789012345678901234567890",
    "CertificateName": "[Or instead of client secret: Enter here the name of a certificate (from the user cert store) as registered with your application]",
    "IssuerAuthority": "did:ion:EiCcn9dz_OC6HY60AYBXF2Dd8y5_2UYIx0Ni6QIwRarjzg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfN2U4MmYzNjUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiaUo0REljV09aWVA...",
    "VerifierAuthority": "did:ion:EiCcn9dz_OC6HY60AYBXF2Dd8y5_2UYIx0Ni6QIwRarjzg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfN2U4MmYzNjUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiaUo0REljV09aWVA...",
    "CredentialManifest": "https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"
  }
}
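Most first-run failures with this sample come from paste errors in appsettings.json: a GUID with a stray character, whitespace around a DID, or an Issue Credential URL copied from a different tenant than TenantId. The following pre-flight check is an added example, not part of the tutorial or the sample repository. The two configurations in it are constructed: GOOD mirrors the shape of the file above with a shortened, made-up DID and a placeholder secret; BAD adds a leading space to VerifierAuthority and points CredentialManifest at another tenant. The expected shape of the Issue Credential URL is taken from the sample above, not from any documented contract.

```python
"""Pre-flight check for the sample's appsettings.json before `dotnet run`.

Added example (not from the tutorial or the sample repo). GOOD and BAD below are
constructed configurations; replace them with json.load() of your own file.
"""
import json
import re
import sys

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Issue Credential URL as shown in the tutorial: tenant GUID between /v1.0/ and /verifiableCredential/contracts/.
MANIFEST = re.compile(r"/v1\.0/([0-9a-fA-F-]{36})/verifiableCredential/contracts/[^/]+$")

GOOD = {"AppSettings": {
    "Endpoint": "https://beta.did.msidentity.com/v1.0/{0}/verifiablecredentials/request",
    "VCServiceScope": "bbb94529-53a3-4be5-a069-7eaf2712b826/.default",
    "Instance": "https://login.microsoftonline.com/{0}",
    "TenantId": "12345678-0000-0000-0000-000000000000",
    "ClientId": "33333333-0000-0000-0000-000000000000",
    "ClientSecret": "constructed-client-secret-value",        # never commit a real one
    "CertificateName": "[Optional: certificate name from the user cert store]",
    "IssuerAuthority": "did:ion:EiCconstructedExampleDid",    # made-up, shortened DID
    "VerifierAuthority": "did:ion:EiCconstructedExampleDid",
    "CredentialManifest": "https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert",
}}

BAD = {"AppSettings": {**GOOD["AppSettings"],
    "VerifierAuthority": " did:ion:EiCconstructedExampleDid",  # stray space from copy/paste
    "CredentialManifest": "https://beta.did.msidentity.com/v1.0/87654321-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert",
}}


def check_appsettings(settings):
    """Return a list of findings; an empty list means the values are internally consistent."""
    s = settings["AppSettings"]
    findings = []
    for key in ("TenantId", "ClientId"):
        if not GUID.match(s.get(key, "")):
            findings.append(f"{key} is not a GUID")
    cert = s.get("CertificateName", "")
    if not s.get("ClientSecret") and (not cert or cert.startswith("[")):
        findings.append("configure ClientSecret or CertificateName; the app cannot get a token without one")
    for key in ("IssuerAuthority", "VerifierAuthority"):
        value = s.get(key, "")
        if value != value.strip():
            findings.append(f"{key} has surrounding whitespace; the DID will not match your tenant's")
        if not value.strip().startswith("did:"):
            findings.append(f"{key} is not a DID")
    for key in ("Endpoint", "Instance"):
        if "{0}" not in s.get(key, ""):
            findings.append(f"{key} must keep the {{0}} placeholder that the app fills with TenantId")
    if not s.get("Instance", "").startswith("https://login.microsoftonline.com/"):
        findings.append("Instance should point at https://login.microsoftonline.com/")
    if not s.get("VCServiceScope", "").endswith("/.default"):
        findings.append("VCServiceScope should end in /.default")
    match = MANIFEST.search(s.get("CredentialManifest", ""))
    if not match:
        findings.append("CredentialManifest does not look like an Issue Credential URL")
    elif match.group(1).lower() != s.get("TenantId", "").lower():
        findings.append("CredentialManifest was copied from a different tenant than TenantId")
    return findings


if __name__ == "__main__":
    # Usage: python check_appsettings.py [path/to/appsettings.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            targets = {sys.argv[1]: json.load(fh)}
    else:
        targets = {"GOOD": GOOD, "BAD": BAD}
    for name, cfg in targets.items():
        print(name, check_appsettings(cfg) or ["ok"])
```

The check deliberately does not try to reach any Microsoft endpoint; it only catches local inconsistencies, which is where the fix is.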
Issue your first verified credential expert card
Now you're ready to issue your first verified credential expert card by running the sample application.
From Visual Studio Code, run the Verifiable_credentials_DotNet project. Or, from the command shell, run the following commands:
cd active-directory-verifiable-credentials-dotnet/1-asp-net-core-api-idtokenhint
dotnet build "AspNetCoreVerifiableCredentials.csproj" -c Debug -o .\bin\Debug\netcoreapp3.
dotnet run
In another terminal, run the following command. It starts ngrok, which takes the local port the sample listens on (5000 by default; check the URL that dotnet run prints) and makes it publicly reachable over HTTPS so that Authenticator can call the app back. While the tunnel runs, your development machine is reachable from the internet at a public URL, so stop ngrok when you're done.
ngrok http 5000
Note
On some computers, you might need to run the command in this format:
./ngrok http 5000
Open the HTTPS URL generated by ngrok.

From a web browser, select Get Credential.

Using your mobile device, scan the QR code with the Authenticator app. You can also scan the QR code directly from your camera, which will open the Authenticator app for you.

At this time, you will see a message warning that this app or website might be risky. Select Advanced.

At the risky website warning, select Proceed anyways (unsafe). You're seeing this warning because your domain isn't linked to your decentralized identifier (DID), so Authenticator has no verified domain to show the user as the issuer. To link a domain, follow the guidance in Link your domain to your decentralized identifier (DID). For this tutorial, you can skip the domain linkage and select Proceed anyways (unsafe).

You're prompted to enter the PIN code shown on the screen where you scanned the QR code. The PIN ties the issuance to the person who can see that screen: a QR code alone, if photographed or forwarded, can't be redeemed without it. A new PIN is generated randomly every time an issuance QR code is displayed.

After you enter the PIN, the Add a credential screen appears. At the top of the screen, you see a Not verified message (in red). This warning is related to the domain validation warning mentioned earlier.
Select Add to accept your new verifiable credential.

Congratulations! You now have a verified credential expert verifiable credential.

Go back to the sample app. It shows that the credential was issued successfully.

Verify the verified credential expert card
Now you are ready to verify your verified credential expert card by running the sample application again.
Select the back button in your browser to return to the sample app home page.
Select Verify credentials.

Using the authenticator app, scan the QR code, or scan it directly from your mobile camera.
When you see the warning message, select Advanced. Then select Proceed anyways (unsafe).
Approve the presentation request by selecting Allow.

After you approve the presentation request, you can see that the request has been approved. You can also check the log. To see the log, select the verifiable credential.

Then select Recent Activity.

You can now see the recent activities of your verifiable credential.

Go back to the sample app. It shows that the presentation of the verifiable credential was received.

Verifiable credential names
Your verifiable credential shows Megan as the first name and Bowen as the last name. These values are hardcoded in the sample application and were placed in the issuance request payload at the time of issuance. Note how they line up with the rules file: the payload sets given_name and family_name, and the rules file's mapping ($.given_name and $.family_name) turns them into the credential's firstName and lastName claims.
In real scenarios, your application pulls the user details from an identity provider. The following code snippet shows where the names are set in the sample application.
//file: IssuerController.cs
[HttpGet("/api/issuer/issuance-request")]
public async Task<ActionResult> issuanceRequest()
{
    ...
    // Here you could change the payload manifest and change the first name and last name.
    // The keys are the source claims that the rules file maps ($.given_name, $.family_name);
    // in production, take their values from the signed-in user's identity provider claims.
    payload["issuance"]["claims"]["given_name"] = "Megan";
    payload["issuance"]["claims"]["family_name"] = "Bowen";
    ...
}
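What replaces the two hardcoded lines in a real issuer is a small, fail-closed step: read which token claims the rules file demands, take exactly those from the signed-in user's id token, refuse to issue if one is missing, and mint a fresh random PIN per request. The following is an added example in Python (the sample is C#) and is not from the tutorial or the sample repository. RULES_MAPPING copies the mapping from VerifiedCredentialExpertRules.json; ID_TOKEN_CLAIMS is a constructed stand-in for a decoded id token. Placing the result under payload['issuance']['claims'] matches what the snippet above does; the pin object's {value, length} shape is my assumption about the request body and should be checked against the sample's own payload.

```python
"""Populate issuance claims from the user's id token and generate the PIN.

Added example in Python (the sample is C#); not from the tutorial or the sample
repository. RULES_MAPPING copies the mapping in VerifiedCredentialExpertRules.json;
ID_TOKEN_CLAIMS is a constructed stand-in for the decoded id token of the signed-in user.
"""
import secrets

RULES_MAPPING = {
    "firstName": {"claim": "$.given_name"},
    "lastName": {"claim": "$.family_name"},
}

ID_TOKEN_CLAIMS = {                      # constructed; a real token has many more claims
    "sub": "constructed-subject-id",
    "given_name": "Megan",
    "family_name": "Bowen",
    "preferred_username": "megan@contoso.example",
}


def required_source_claims(mapping):
    """Map each credential claim to the token claim its JSONPath names: '$.given_name' -> 'given_name'."""
    required = {}
    for vc_claim, spec in mapping.items():
        path = spec["claim"]
        if not path.startswith("$.") or "." in path[2:]:
            raise ValueError(f"unsupported mapping for {vc_claim!r}: {path!r} (only top-level '$.<claim>' handled here)")
        required[vc_claim] = path[2:]
    return required


def missing_claims(mapping, token_claims):
    """Token claims the rules file needs that the token does not carry, or carries empty."""
    return [src for src in required_source_claims(mapping).values()
            if token_claims.get(src) in (None, "")]


def issuance_claims(mapping, token_claims):
    """Claims for payload['issuance']['claims'], keyed by token claim name as the sample does."""
    missing = missing_claims(mapping, token_claims)
    if missing:
        # Fail closed: a card with blank name fields is worse than no card.
        raise ValueError(f"id token lacks claims required by the rules file: {missing}")
    return {src: str(token_claims[src]) for src in required_source_claims(mapping).values()}


def new_pin(length=4):
    """Fresh numeric PIN per issuance request, from secrets (not random) so it is unpredictable.
    Returned as a string so leading zeros survive."""
    if length < 4:
        raise ValueError("a PIN shorter than 4 digits is too easy to guess")
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def build_issuance_fields(mapping, token_claims, pin_length=4):
    """Return the pieces to merge into payload['issuance'] for one request.
    Assumption: the PIN travels as {"value": ..., "length": ...}; check the sample's payload."""
    pin = new_pin(pin_length)
    return {"claims": issuance_claims(mapping, token_claims),
            "pin": {"value": pin, "length": len(pin)}}


if __name__ == "__main__":
    print(build_issuance_fields(RULES_MAPPING, ID_TOKEN_CLAIMS))
```

The PIN value goes to the requesting browser page for display and to the Request Service in the payload; it must never be logged alongside the QR code it protects, or the two together defeat the purpose described above.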
Next steps
In the next step, learn how a third-party application, also known as a relying party application, can verify your credentials with its own Azure AD tenant verifiable credentials API service.