Onboarding with a TAP using Entra Verified ID (Employee onboarding)

Rory Braybrook
The new control plane
6 min read, Mar 15, 2024
Image of TAP
Generated by Copilot

The GitHub sample is here.

As per the docs for the Verified ID code sample for employee or guest onboarding:

This sample showcases onboarding of a new hire using a Temporary Access Pass to remotely gain access to their corporate account. It also showcases the onboarding of a B2B guest user by creating an invitation using Microsoft Graph that is redeemed in the application and not via sending an email.

The employee onboarding scenario is the process of pre-registering a new hire and then having the new hire get access to the account via remote onboarding. The new hire can then onboard and set up their account using TrueIdentity (a fictitious Identity Verification Provider) and use a Temporary Access Pass to gain access to their new account.

The guest onboarding scenario involves setting up a B2B Guest Account by presenting a VerifiedEmployee Verified ID credential from a trusted B2B partner. The user performing the guest onboarding needs to have acquired their VerifiedEmployee credential from MyAccount using their corporate credentials. How to enable Verified ID to be available in MyAccount is documented here.

The sample uses the Microsoft Graph client to interact with Entra ID, create the user profile, and create the TAP code, or create the guest account invite.

In this post, we will look at the employee onboarding scenario.

(Guest user onboarding is covered here).

There are some setup instructions that need to be read carefully.

To expand these:

These are the appsettings:

Image showing the AzureAd settings

I set the “TapGroupName” to “TAP” and the “AllowedUserAdminRole” to “UserAdmin”.

Image showing KeyIdentifier under Appsettings

The “KeyIdentifier” comes from your Key Vault key; this is the key the sample uses to sign the onboarding link token.

Image showing KeyIdentifier in Key Vault
Image showing DidAuthority in VerifiedID

The “DidAuthority” comes from your Verified ID setup (it is your organisation’s decentralized identifier):

Image showing the DID in Verified ID organisation settings

I called my application “DID-VC-TAP”.

These are the application permissions:

Image showing the app. permissions

Notice only one is “Delegated”.

For the Key Vault access policy, the principal is the application itself, so that it can use the key to sign the onboarding link token:

Image showing Key Vault access policy with the principal name set to the application

Run the sample:

The screen before sign in:

Image showing employee and guest onboarding tabs

The screen when you sign in as a non-admin user, i.e. one without the “UserAdmin” role:

Image showing guest reverification tab

All you can do is “Guest reverification”.

The screen when you sign in as an admin user:

Image showing guest reverification, register new hire, trusted B2B partners tabs

We will register a new hire:

Image showing register a new hire page

and “Save User”.

If you manually created the user some other way, you can also find the user using the private email:

Image showing register / find user by email

and “Find user by email”. The search is against “Other emails”, i.e. the user’s otherMails attribute, which is where the private address is held.

Image showing register, get onboarding link

This also gives you the “objectId”.

Now click “Get Onboarding Link”.

This adds some links at the bottom:

Image showing two onboarding links

The first link opens Outlook to send the link via email.

For testing, use the second link, which looks like this:

https://localhost:5001/Employee/Onboarding?token=eyJh…d%3d

The token is a JWT; its decoded payload looks like:

{
"exp": 1710401576,
"iat": 1710379976,
"nbf": 1710379976,
"email": "joe@tenant.onmicrosoft.com",
"tid": "00d...c79"
}

In Azure AD B2C, the same technique is called the id_token_hint method, aka the magic link.

The idea is to pass the email across in a tamper-evident form: the app wraps it in a JWT and signs it with the Key Vault key, and the onboarding page checks the signature before it trusts the email claim. If a “man-in-the-middle” (or the recipient) gets hold of the JWT and alters the email address, the signature no longer matches and the link is rejected. Two caveats worth keeping in mind: signing is not encryption, so anyone who sees the link can read the claims (they are base64url, not ciphertext), and the link is a bearer token, so whoever holds it before “exp” can start the flow. The lifetime in the token above is six hours (exp minus iat is 21600 seconds), the nbf/exp pair bounds replay, and “tid” ties the link to your tenant, so the verifier should check all of those, not just the signature.

Open the second link in a browser:

Image showing get a card / I already have a card tabs

If you get a card, it takes you to the TrueIdentity site:

https://trueidentityinc.azurewebsites.net

passing the user name in the query string.

The idea here is that TrueIdentity (a demo site) stands in for a third-party identity verification provider such as Veriff or IDology.

Image showing TrueIdentity register page

The flow is described here.

Now you have the card, you can click “I already have my card”.

So far, we have been able to get away with running on “localhost”, but now we get the error “URL must be public”. The Verified ID Request Service has to call back into the sample to deliver the result of the credential presentation, and it has no path back to “localhost”; the URL must be on a publicly reachable host.

For this you need “ngrok”, run from a command prompt.

ngrok provides tunnelling: it gives you a public hostname that forwards to a port on your PC, so the Request Service can reach the app. Bear in mind that this exposes your local app to the internet for as long as the tunnel is up, so only use it for testing, and that if ngrok gives you a different hostname next time, the redirect URI below has to be updated to match.

ngrok http 5000

This shows:

...
Web Interface http://127.0.0.1:4040
Forwarding https://6038-222-155-36-133.ngrok-free.app -> http://localhost:5000

Add:

https://6038-222-155-36-133.ngrok-free.app/signin-oidc

to the app. registration redirect URIs, since sign-in will now come back to the ngrok host rather than localhost.

Navigate to:

https://6038-222-155-36-133.ngrok-free.app

and generate a new link, so that the whole flow uses the public host (the earlier link still points at https://localhost:5001).

Now, when you click “I already have a card”, you see:

Image showing QR code

In the authenticator app, scan the QR code and then “Share” the TrueIdentity VC (Verifiable Credential) you created earlier.

Image showing authenticator app. share with TrueIdentity screen

Once the presentation has been verified, the sample creates the TAP for the account via Microsoft Graph and shows it to you:

Image showing TAP instructions for authenticator app. with login name and TAP

Follow the instructions, and you will then be asked to enter the TAP:

Image showing authenticator app. with enter TAP

“Sign In”, and the account will be added to the authenticator app:

Image showing authenticator app. account added

Your account is now set up.

Image showing the account is now set up and some options e.g. SSPR

There are a number of “Next steps” you can now do, e.g. go to MyAccount and issue yourself a VC:

Image showing MyAccounts / Get verified ID

Scan the QR code:

Image showing QR code

You can now add your company’s Verified Employee VC:

Image showing authenticator app. add a verified ID

“Add”, and you’ll now see the new VC in the authenticator app:

Image showing authenticator app. with TrueIdentity and Verified Employee VC

There are a lot of moving parts in this sample, but it gives a really good overview of how Verified ID can help with onboarding 😄

This is a far more secure solution than coming to work on the first day, going to the IT department and picking up your computer with a Post-it note containing your temporary password stuck on top! Or getting the temporary password emailed to your private email address. Note that the onboarding link still goes to the private email address, but it is signed and time-limited, and the TAP is only issued after the new hire presents a verified identity credential from the authenticator app, so an intercepted email on its own is not enough to take over the account.

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5