What Entra Verified ID Is and Why Licensing Matters
Microsoft Entra Verified ID is Microsoft's implementation of the W3C Verifiable Credentials standard — a decentralised identity framework that allows organisations to issue, present, and verify digital credentials without centralised authority. The practical applications include employee credential issuance (a verifiable digital ID that an employee can present to a partner organisation or service without requiring that partner to query your directory), customer identity verification (verifying that a user holds a genuine credential from a trusted issuer), and high-assurance onboarding (replacing document-heavy verification processes with cryptographically verifiable credentials).
Licensing matters because Verified ID sits at an awkward commercial boundary: the core service is free, but the enterprise-grade capabilities that make Verified ID commercially valuable — particularly Face Check and high-volume verification — have consumption-based costs that can surprise organisations that planned on the free tier.
This guide explains the licensing model, what is included at no additional cost, where charges apply, and how to plan Verified ID adoption in a way that avoids unexpected costs in the first year of deployment.
Where Verified ID sits in the Entra product family: Entra Verified ID is one component of the broader Microsoft Entra product portfolio, which includes Entra ID (formerly Azure AD), Entra ID Governance, Entra External ID, Entra Permissions Management, and Entra Workload Identities. Each has different licensing. Entra Verified ID's licensing model is distinct from all of them — it is not a feature of Entra ID or Entra ID Governance, and holding those licences does not automatically entitle you to Verified ID premium capabilities.
What Is Included for Free
Microsoft's stated position is that the core Verified ID service is free to use for any organisation with a Microsoft Azure subscription. In practice, "free" covers the following capabilities:
Credential issuance: Any organisation can configure Verified ID in their Entra tenant, design credential schemas, and issue verifiable credentials to their own employees or users at no direct licensing cost. The credential issuance infrastructure — the DID (Decentralised Identifier) registration, the credential schema publication, the issuance service — incurs no per-credential charge under the free tier.
Credential presentation and basic verification: The ability to present credentials and perform standard cryptographic verification of credential authenticity is included at no additional cost. If a user presents a credential your organisation issued, and a relying party verifies that credential against the cryptographic proof, there is no consumption charge for that verification transaction.
Integration and development tooling: The Microsoft Entra Verified ID SDKs, the Request Service API, and the Authenticator integration for Android and iOS are all available at no charge. Building and testing Verified ID integrations does not trigger licensing costs.
This free scope is substantive and genuinely covers many pilot and internal employee credential use cases. The commercial model only becomes relevant when organisations move to two specific premium capabilities: Face Check and high-volume external verification scenarios.
Face Check: The Primary Premium Feature
Face Check is the capability that most commonly triggers Verified ID premium charges. It enables liveness detection and facial matching during credential verification — a user presents a Verified ID credential that includes their photo, Face Check compares the live selfie taken during verification against the photo in the credential, and confirms that the person presenting the credential is the same person to whom it was issued.
Face Check is essential for high-assurance verification scenarios: remote employee onboarding where you cannot perform in-person identity checks, customer KYC (Know Your Customer) processes, and partner or supplier identity verification where the credential holder's physical presence cannot be independently confirmed.
Face Check Pricing
Face Check is charged on a consumption basis — per verification transaction. As of 2026, Face Check pricing is approximately £0.50–£0.65 per verification at standard rates, with volume commitments available for high-throughput scenarios. EA customers who negotiate Face Check usage into their Microsoft Azure commitment can typically achieve 20–35% better rates than list price.
The cost implications depend heavily on your verification volume. For an employee onboarding process that verifies 500 new starters per year, Face Check costs approximately £250–£325 per year — commercially immaterial. For a financial services firm performing KYC verification on 100,000 new customers per year, the cost is £50,000–£65,000 per year — a significant budget line that requires advance planning and commercial negotiation.
| Scenario | Annual Verification Volume | Estimated Annual Face Check Cost | Commercial Priority |
|---|---|---|---|
| Employee credential issuance only (no Face Check) | N/A | £0 | None — free tier covers this |
| Employee onboarding with Face Check (500/year) | 500 verifications/year | £250–£325/year | Low — negotiate as part of Azure MACC |
| B2B partner verification (5,000/year) | 5,000 verifications/year | £2,500–£3,250/year | Medium — commit via Azure MACC for rate discount |
| Customer onboarding / KYC (50,000/year) | 50,000 verifications/year | £25,000–£32,500/year | High — negotiate dedicated rate commitment |
| Financial services or regulated KYC (500,000/year) | 500,000 verifications/year | £250,000–£325,000/year | Critical — EA/MACC negotiation required |
Entra ID Licence Dependencies
While Verified ID itself does not require a specific Entra ID licence tier for basic operations, enterprise deployment typically has Entra ID dependency that should be modelled alongside Verified ID costs.
Conditional Access Integration
The most compelling enterprise use case for Verified ID is integration with Conditional Access — requiring users to present a valid verifiable credential as a factor in a Conditional Access policy before accessing a resource. This integration requires Entra ID P1 or P2, which is included in M365 E3 and E5 but not in standalone Entra ID Free or P1-only configurations. Organisations running the free Entra ID tier cannot leverage Conditional Access-integrated Verified ID scenarios without upgrading.
Identity Governance Integration
For organisations that want to use Verified ID as an input to Entra ID Governance processes — for example, triggering an access review when a verified employee credential is issued, or automating joiner/mover/leaver workflows based on credential status — the Entra ID Governance licence (~£7/user/month) is required. This is a separate consideration from the Verified ID service itself.
External ID Integration
For customer-facing Verified ID scenarios, Entra External ID B2C or B2B licensing applies to the external users who present credentials — separate from Verified ID service costs. This creates a layered cost structure for high-volume consumer identity scenarios: Verified ID charges per verification (Face Check), External ID charges per Monthly Active User, and Azure infrastructure underpins both. Model all three layers when building a business case for consumer-facing Verified ID.
The Verified ID Licensing Framework in Practice
Employee Credential Programmes (Typical Cost: Low to Zero)
The most straightforward and lowest-cost Verified ID use case is employee credential issuance — issuing verifiable digital IDs to employees that they can present to partners, subsidiaries, or services to confirm their employment and role without those relying parties needing to query your directory.
This scenario uses the free Verified ID issuance tier. No Face Check is required for credential issuance. If relying parties perform basic cryptographic verification (confirming the credential was issued by your organisation and has not been revoked), there is no verification charge. The primary cost is development and integration time, not licensing.
Where costs appear in employee credential programmes: if your onboarding process requires Face Check at the point of credential issuance (confirming the person collecting the credential matches the identity document provided during hiring), Face Check charges apply to each new employee onboarding. For most organisations, this is an easily budgetable annual cost based on hiring volume.
Partner and Supplier Verification (Typical Cost: Medium)
Using Verified ID to verify that a partner employee holds a valid credential from their employer organisation is a high-value enterprise use case — it enables zero-trust partner access without requiring directory federation or guest account provisioning. A supplier's employee presents a Verified ID credential issued by their employer; your system verifies cryptographically that the credential is genuine and has not been revoked; access is granted based on the credential attributes without any directory linkage.
Cost for this scenario depends on whether Face Check is required at the point of partner access (typically not, for established partner employees — the credential itself is sufficient assurance). If Face Check is not used, the verification is covered by the free tier. If Face Check is required (high-security environments, first-access verification), charges apply at the per-verification rate.
Customer Identity and KYC (Typical Cost: High)
High-assurance customer onboarding — verifying that a new customer is who they claim to be using a government-issued Verified ID credential combined with Face Check liveness detection — is the premium Verified ID scenario. This is the use case that drives material Face Check charges, and it is also the use case where Verified ID provides the most compelling commercial alternative to traditional identity verification vendors (LexisNexis, Jumio, Onfido, Veriff).
The competitive comparison is important for EA negotiation. Traditional identity verification vendors charge £0.80–£2.50 per verification transaction, depending on the document type and verification depth. Face Check at EA-negotiated rates of £0.35–£0.50 per verification is materially cheaper — which means that organisations moving from traditional IDV vendors to Verified ID with Face Check can argue a strong cost-reduction case that partially offsets Microsoft pricing.
Regulatory compliance caveat: Verified ID with Face Check may not satisfy regulatory KYC requirements in all jurisdictions without additional controls. In regulated financial services environments (FCA in the UK, FinCEN in the US), verify that your Verified ID implementation meets the technical standards required for your specific regulatory KYC obligation before making commercial commitments. The regulatory posture is evolving rapidly and differs by jurisdiction and regulated activity type.
How to Negotiate Verified ID Costs in Your EA
Include Face Check in Your Azure MACC
Face Check charges flow through Azure — they appear on your Azure invoice and count toward your Azure MACC commitment. This means that if you have a meaningful Azure MACC commitment, Face Check usage is not an incremental cost — it consumes MACC capacity. The negotiation implication is that you should size your MACC to include projected Face Check consumption rather than treating it as an out-of-MACC line item.
For organisations with significant Face Check volumes, negotiate a dedicated Face Check rate commitment within your MACC as part of EA renewal. Account teams who understand that you have a material verification volume have negotiating authority to commit to specific per-verification rates in exchange for volume commitments — particularly if you are actively evaluating third-party IDV vendors as an alternative.
Use Competitive IDV Pricing as Leverage
Microsoft is competing with established identity verification vendors for Face Check use cases. Onfido, Jumio, Veriff, and LexisNexis all offer SDK-based identity verification products in the same use case space. Obtaining commercial quotes from two or three of these vendors and presenting them to your Microsoft account team creates genuine negotiating pressure — Microsoft does not want to lose a Face Check commitment to a non-Microsoft IDV vendor.
The most effective way to use this leverage: present the IDV alternatives as the default path for new customer onboarding and frame the Verified ID/Face Check option as the preferred path contingent on competitive pricing. This is not a bluff — it is accurate, because the integration work required for Verified ID is non-trivial and the decision has not been made until commercial terms are agreed.
Staged Deployment to Manage First-Year Risk
Do not commit to high Face Check volumes before you have measured actual verification rates in production. A consumer onboarding process that projects 100,000 verifications per year may achieve 40,000 in Year 1 due to lower-than-expected product adoption. Stage your MACC inclusion of Face Check — commit conservatively in Year 1 with a renegotiation right at annual review, rather than committing to full projected volume upfront. Overcommitting Verified ID capacity is not refundable.
Verified ID in the Broader Entra Security Investment
Verified ID does not exist in isolation — it is most powerful when integrated with the other components of the Entra security platform. Understanding where Verified ID fits in the Microsoft security licensing investment helps prioritise its deployment relative to higher-baseline-impact investments.
In almost every enterprise, the foundational identity investments — Entra ID P1/P2 for Conditional Access and PIM, Entra ID Governance for lifecycle automation, Defender for Identity for on-premises AD protection — deliver higher per-user security impact than Verified ID, because they address the attack vectors that are actively exploited at scale (credential compromise, lateral movement, privileged access abuse). Verified ID addresses a different problem — high-assurance identity verification for cross-organisational scenarios — and should be sequenced accordingly.
The practical sequencing recommendation: complete Entra ID P1/P2 deployment, PIM for privileged roles, and basic lifecycle automation before investing in Verified ID at scale. Verified ID is a sophisticated capability that requires mature identity governance as a foundation to deliver its full value.
Microsoft Identity & Security Licensing Intelligence
Weekly analysis of Entra licensing changes, security product cost trends, and EA negotiation tactics — from 20 years in Microsoft licensing.
No spam. Unsubscribe at any time.
Frequently Asked Questions
Does Entra Verified ID require a specific Entra ID plan?
No — the core Verified ID service (issuance, basic verification) does not require a paid Entra ID plan. Any tenant with an Azure subscription can enable Verified ID. However, enterprise integration scenarios — particularly Conditional Access integration and Identity Governance workflows — require Entra ID P1/P2 and Entra ID Governance respectively. These are separate licensing considerations.
Is Face Check included in the E5 Security or E5 Compliance bundle?
No. Face Check is not included in any M365 E5 bundle, any Entra ID Governance licence, or any E5 Security bundle. It is a consumption-based charge on your Azure invoice. There is no flat-rate Face Check entitlement at any M365 subscription tier.
Can we use Verified ID for customer identity without Entra External ID?
The two products serve different but complementary functions. Verified ID handles the issuance and verification of verifiable credentials. Entra External ID B2B/B2C handles the identity lifecycle and session management for external users. For consumer-facing scenarios that require authenticated sessions after verification, both products are typically required. For one-time verification scenarios without persistent identity (a user verifies their age, completes the transaction, and there is no ongoing account), Verified ID can operate without External ID.
What happens if we exceed our budgeted Face Check volume?
Face Check is consumption-based with no hard ceiling — usage above your budgeted amount is billed at the applicable rate on your Azure invoice. There is no service interruption. This means budget overruns are possible if verification volumes spike unexpectedly. Implement monitoring and alerts on Face Check consumption via Azure Cost Management, and set budget alerts at 80% and 100% of projected monthly spend to avoid invoice surprises.
For organisations evaluating Verified ID for high-assurance onboarding, partner access, or regulated KYC scenarios, engage our team for independent commercial analysis and EA negotiation support. We have structured Face Check commercial terms across financial services, regulated industries, and high-volume consumer applications.