Microsoft Entra Face Check Secures High-Risk Identity Flows
Summary
Microsoft is expanding Face Check in Microsoft Entra Verified ID to strengthen identity verification during remote onboarding, access requests, and account recovery. The update removes per-user Face Check limits in Microsoft Entra Suite and highlights general availability for verified account recovery, helping organizations reduce impersonation risk and help desk dependency.
Introduction
Identity attacks increasingly target the moments before authentication succeeds: onboarding, privilege requests, and recovery. Microsoft says it tracks more than 600 million identity attacks daily, making high-assurance identity verification a growing requirement for organizations adopting passwordless sign-in and passkeys.
Microsoft is positioning Face Check with Microsoft Entra Verified ID as a way to add stronger verification at these high-risk points without exposing sensitive biometric data to applications.
What’s new
Face Check expanded for broader use
Microsoft has removed the per-user Face Check limit in Microsoft Entra Suite, making it easier to deploy across more users and workflows.
Verified account recovery is now generally available
Microsoft also announced that verified account recovery is now GA. This is aimed at total lockout scenarios where users have lost access to passkeys or other registered authentication methods.
Privacy-focused facial matching
Face Check compares a live selfie to the photo in a trusted Verified ID credential using Azure AI services. The relying application receives only a match confidence score, not the selfie or underlying biometric data.
Key scenarios Microsoft highlights
- Remote onboarding: New hires can verify identity using a government ID-based attestation from a verification partner, then present a Verified ID back to the organization.
- Access requests: In Microsoft Entra entitlement management, organizations can require Verified ID verification before granting access packages for sensitive resources.
- Self-service account recovery: Users in lockout situations can verify identity through a partner, receive temporary access, and re-register authentication methods without a help desk call.
Why this matters for IT admins
For Entra administrators, this update addresses a common gap in modern identity security: proving the user is the legitimate credential holder during sensitive workflows. That matters even more as passwordless adoption grows and attackers shift toward impersonation, phishing, and social engineering.
There are also operational benefits:
- Reduced help desk volume for account lockouts
- Lower reliance on manual identity checks
- Stronger controls for high-impact access approvals
- Better support for remote and hybrid onboarding
Next steps
Admins should review where stronger identity proofing is needed most, especially in:
- New employee onboarding flows
- Entitlement management access packages
- Account recovery for passwordless users
Organizations using Microsoft Entra Suite should evaluate enabling Face Check with Verified ID and test the new self-service account recovery experience. Microsoft has also added a cost savings calculator in the Entra ID account recovery blade to help estimate support savings.
For tenants focused on reducing impersonation risk, this is a practical update worth piloting now.
Need help with Entra ID?
Our experts can help you implement and optimize your Microsoft solutions.
Talk to an ExpertStay updated on Microsoft technologies