2: The Future of Digital Identity: The verified ID workflow and issuance
- Harri Jaakkonen

The Multi-Tenant Architecture: Enterprise-Grade Identity at Scale
As organizations scale their identity infrastructure, they encounter a new challenge: how do you manage identity verification across multiple business units, subsidiaries, or service offerings while maintaining security and compliance? The answer lies in multi-tenant architecture—a sophisticated approach to identity management that enterprises are increasingly adopting.
Understanding Multi-Tenant Verified ID Systems
In a multi-tenant Verified ID system, different tenants (separate organizational domains) can operate independently while sharing a common identity infrastructure. Each tenant can issue its own credentials, enforce its own policies, and manage its own users—but they can all verify credentials issued by other tenants.
Consider this real-world scenario: Your organization has an HR department that needs to verify employee identity, and a separate Face Check service in another tenant that performs biometric verification. Both operate as independent services, but they need to work together seamlessly. Here's how it works:
(Figure: The Multi-Tenant Credential Flow with Biometric Verification)
Breaking Down the Architecture
Tenant 1: Authentication Tenant
This is where your user first authenticates. It contains your company's OIDC identity provider and has access to user profile information (like photos stored in Microsoft Graph). When the user requests a credential, this tenant generates an ID token containing their claims and optional biometric data.
Tenant 2: Verified ID Tenant
This separate tenant is responsible for credential issuance. Importantly, it can accept and validate ID tokens from other tenants (cross-tenant attestation). It creates the actual verifiable credential—a cryptographically signed object containing the user's claims and any included media like photos. This separation of concerns allows organizations to maintain distinct security boundaries while sharing identity infrastructure.
Tenant 3: Face Check Service
When verification requires biometric confirmation, a dedicated Face Check service (potentially in yet another tenant or as a separate service) compares a live selfie against the photo stored in the credential. Using Azure AI Face API, it generates a confidence score indicating the likelihood that both photos show the same person.
The Power of Cross-Tenant Credential Verification
What makes this architecture powerful is that each tenant can independently verify credentials issued by other tenants. Here's why this matters:
Decoupled Operations: Each tenant operates independently—no single point of failure affects the entire system.
Specialized Services: Biometric verification can be handled by specialized services optimized for that purpose.
Regulatory Compliance: Different tenants can be in different jurisdictions, meeting local data residency requirements.
Scalability: Each tenant scales independently based on its own load and requirements.
Biometric Verification with Face Check
Face Check represents the evolution of identity verification. Instead of relying on static credentials, it adds a liveness component: the user must prove they are physically present and that their live appearance matches the photo in their credential.
Here's how it works in the context of a multi-tenant system:
Credential Possession: User proves they have a valid credential (issued by Tenant 2) by presenting it through Microsoft Authenticator
Live Verification: User takes a selfie using the Authenticator app, which performs a liveness check to ensure it's a live person, not a photo or video
Biometric Matching: The Face Check service compares the selfie against the photo embedded in the credential
Confidence Scoring: The Face Check service returns a confidence score (e.g., "86% match confidence") that the verifier uses to make a trust decision
Enterprise Advantage: By separating Face Check into its own service/tenant, organizations can implement different confidence thresholds for different use cases. High-security scenarios might require 90%+ confidence, while lower-risk scenarios might accept 70%.
Security at the Multi-Tenant Level
Multi-tenant architectures introduce unique security considerations that Verified ID addresses elegantly:
Cryptographic Verification: Each credential is signed by its issuer. Verifiers can confirm authenticity without contacting the issuer, using only the issuer's public key
Revocation Checking: Tenants maintain revocation registries; verifiers can check if a credential has been revoked
Selective Disclosure: Users share only the claims needed for verification, not the entire credential
Zero Trust: Verifiers don't need to trust intermediaries—cryptography ensures authenticity
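To make the verifier-side logic of the Face Check flow and the four security properties above concrete, here is an added Go example; it is not code from this article and not the Verified ID service's own implementation. It models an issuing tenant that signs a credential with an ECDSA P-256 key, and a verifier in a different tenant that holds only a trust list of issuer public keys and a revocation list, so it confirms authenticity offline, rejects revoked or altered credentials, returns only the claims its policy asked for (selective disclosure), and applies a per-use-case Face Check threshold (90% for the high-security case, 70% for the low-risk one). The credential shape, the DID strings, the `photo` claim name and the integer match score handed in from the Face Check service are all assumptions for this example; real Verified ID credentials are JWT-based and resolve the issuer key from a DID document.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a simplified stand-in for a verifiable credential (assumed
// shape, not the JWT format Verified ID issues): claims plus issuer signature.
type Credential struct {
	ID     string            `json:"id"`
	Issuer string            `json:"issuer"` // issuing tenant's DID
	Claims map[string]string `json:"claims"`
	Sig    []byte            `json:"sig"` // ECDSA P-256 ASN.1 signature over payloadHash
}

// payloadHash is what the issuer signs and the verifier recomputes.
// json.Marshal sorts map keys, so the encoding is deterministic.
func payloadHash(c Credential) ([]byte, error) {
	c.Sig = nil // c is a copy; the caller's signature is untouched
	b, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(b)
	return h[:], nil
}

// IssuerTenant is the Verified ID tenant (Tenant 2); it alone holds the private key.
type IssuerTenant struct {
	DID  string
	priv *ecdsa.PrivateKey
}

func NewIssuerTenant(did string) (*IssuerTenant, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IssuerTenant{DID: did, priv: k}, nil
}

// Public is the key a verifier pins; Verified ID resolves it from the issuer's DID document.
func (t *IssuerTenant) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Issue signs the claims; no verifier needs to call back here afterwards.
func (t *IssuerTenant) Issue(id string, claims map[string]string) (Credential, error) {
	c := Credential{ID: id, Issuer: t.DID, Claims: claims}
	h, err := payloadHash(c)
	if err != nil {
		return Credential{}, err
	}
	c.Sig, err = ecdsa.SignASN1(rand.Reader, t.priv, h)
	return c, err
}

// Policy is one verifier use case: the claims it needs (selective disclosure)
// and the minimum Face Check confidence it accepts (0 disables Face Check).
type Policy struct {
	RequiredClaims []string
	FaceMinPercent int
}

// Verifier sits in another tenant; it holds public keys and a revocation list only.
type Verifier struct {
	trusted map[string]*ecdsa.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]*ecdsa.PublicKey{}, revoked: map[string]bool{}}
}
func (v *Verifier) Trust(did string, pub *ecdsa.PublicKey) { v.trusted[did] = pub }
func (v *Verifier) Revoke(id string)                      { v.revoked[id] = true }

// Verify runs the checks in order: trusted issuer, signature, revocation,
// Face Check threshold, then returns only the requested claims.
// faceScore is the match percentage reported by the Face Check service (assumed input).
func (v *Verifier) Verify(c Credential, faceScore int, p Policy) (map[string]string, error) {
	pub, ok := v.trusted[c.Issuer]
	if !ok {
		return nil, errors.New("issuer not in trust list: " + c.Issuer)
	}
	h, err := payloadHash(c)
	if err != nil {
		return nil, err
	}
	if !ecdsa.VerifyASN1(pub, h, c.Sig) {
		return nil, errors.New("signature invalid: credential altered or not issued by " + c.Issuer)
	}
	if v.revoked[c.ID] {
		return nil, errors.New("credential revoked: " + c.ID)
	}
	if p.FaceMinPercent > 0 {
		if _, ok := c.Claims["photo"]; !ok {
			return nil, errors.New("Face Check required but credential carries no photo")
		}
		if faceScore < p.FaceMinPercent {
			return nil, fmt.Errorf("face match %d%% below policy minimum %d%%", faceScore, p.FaceMinPercent)
		}
	}
	disclosed := make(map[string]string, len(p.RequiredClaims))
	for _, k := range p.RequiredClaims {
		val, ok := c.Claims[k]
		if !ok {
			return nil, errors.New("credential lacks required claim: " + k)
		}
		disclosed[k] = val // only what the policy asked for leaves the verifier
	}
	return disclosed, nil
}

func main() {
	issuer, _ := NewIssuerTenant("did:web:verifiedid.example.com") // constructed DID
	cred, _ := issuer.Issue("cred-001", map[string]string{
		"givenName": "Ada", "jobTitle": "Engineer", "photo": "<base64 jpeg placeholder>"})
	v := NewVerifier()
	v.Trust(issuer.DID, issuer.Public())
	_, err := v.Verify(cred, 86, Policy{RequiredClaims: []string{"givenName"}, FaceMinPercent: 90})
	fmt.Println("high-security use case at 86% match:", err)
	claims, err := v.Verify(cred, 86, Policy{RequiredClaims: []string{"givenName"}, FaceMinPercent: 70})
	fmt.Println("low-risk use case at 86% match:", claims, err)
}
```

The same 86% score is rejected by the 90% policy and accepted by the 70% one, which is the per-use-case threshold idea from the Face Check section; the verifier never talks to the issuing tenant, and a changed claim, an unknown issuer or a revoked credential ID each fail before any claim is disclosed.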
This architecture is particularly valuable for organizations operating in regulated industries like finance, healthcare, and government, where audit trails, data minimization, and compliance are non-negotiable.
Verified ID on Azure Marketplace
Organizations looking to implement Verified ID solutions can now access Fortytwo's expertise directly through the Azure Marketplace. This offering provides:
Pre-Built Components: Reference architectures for common use cases
Rapid Deployment: Ready-to-use infrastructure as code
Consulting Support: Expert guidance on implementation and integration
Azure Native Integration: Seamless connection with existing Azure services
Coming up next in this series
Understanding the architecture of Verified ID is one thing; seeing how it transforms real business processes is another. In the next part of this series, we'll explore concrete use cases and the tangible benefits organizations achieve when implementing this technology.
We're talking real numbers: reducing onboarding time by 85%, cutting identity verification costs dramatically, enabling zero-trust partner access without the credential management overhead, and finally solving the "forgot password" problem that costs enterprises millions annually. From streamlining employee onboarding to enabling secure partner ecosystems, from meeting GDPR and eIDAS compliance to creating tamper-proof educational credentials—we'll show you the ROI with actual metrics: time saved, costs reduced, security incidents prevented, and compliance requirements met. If you need to build a business case for decentralized identity or are wondering "where do I even start?", this post will give you the practical roadmap and the numbers that matter to leadership.
Stay tuned!