2: The Future of Digital Identity: The verified ID workflow and issuance

The Multi-Tenant Architecture: Enterprise-Grade Identity at Scale

As organizations scale their identity infrastructure, they encounter a new challenge: how do you manage identity verification across multiple business units, subsidiaries, or service offerings while maintaining security and compliance? The answer lies in multi-tenant architecture—a sophisticated approach to identity management that enterprises are increasingly adopting.

Understanding Multi-Tenant Verified ID Systems

In a multi-tenant Verified ID system, different tenants (separate organizational domains) can operate independently while sharing a common identity infrastructure. Each tenant can issue its own credentials, enforce its own policies, and manage its own users—but they can all verify credentials issued by other tenants.

Consider this real-world scenario: Your organization has an HR department that needs to verify employee identity, and a separate Face Check service in another tenant that performs biometric verification. Both operate as independent services, but they need to work together seamlessly. Here’s how it works:

The Multi-Tenant Credential Flow with Biometric Verification

Biometric Verification with Face Check

Face Check represents the evolution of identity verification. Instead of relying on static credentials, it adds a liveness component: the user must prove they are physically present and that their live appearance matches the photo in their credential.

Here’s how it works in the context of a multi-tenant system:

  1. Credential Possession: User proves they have a valid credential (issued by Tenant 2) by presenting it through Microsoft Authenticator
  2. Live Verification: User takes a selfie using the Authenticator app, which performs a liveness check to ensure it’s a live person, not a photo or video
  3. Biometric Matching: The Face Check service compares the selfie against the photo embedded in the credential
  4. Confidence Scoring: Returns a confidence score (e.g., "86% match confidence") that the verifier can use to make a trust decision

Enterprise Advantage: By separating Face Check into its own service/tenant, organizations can implement different confidence thresholds for different use cases. High-security scenarios might require 90%+ confidence, while lower-risk scenarios might accept 70%.

Security at the Multi-Tenant Level

Multi-tenant architectures introduce unique security considerations that Verified ID addresses elegantly:

  • Cryptographic Verification: Each credential is signed by its issuer. Verifiers can confirm authenticity without contacting the issuer, using only the issuer’s public key
  • Revocation Checking: Tenants maintain revocation registries; verifiers can check if a credential has been revoked
  • Selective Disclosure: Users share only the claims needed for verification, not the entire credential
  • Zero Trust: Verifiers don’t need to trust intermediaries—cryptography ensures authenticity

This architecture is particularly valuable for organizations operating in regulated industries like finance, healthcare, and government, where audit trails, data minimization, and compliance are non-negotiable.
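
An added example (not code from the original post, Fortytwo or Microsoft) of a verifier-side policy that combines the checks above: signature, issuer trust, revocation, and the per-use-case Face Check thresholds of 90 and 70. The `Presentation` fields, the `decide` function and the issuer identifier are hypothetical and do not reflect the Verified ID API schema.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds taken from the article: 90%+ for high-security, 70% for lower-risk.
THRESHOLDS = {"high_security": 90.0, "low_risk": 70.0}

# Constructed allowlist of issuer identifiers (placeholder, not a real tenant).
TRUSTED_ISSUERS = {"did:web:tenant2.example"}


@dataclass(frozen=True)
class Presentation:
    """Hypothetical, simplified view of a verified presentation result."""
    issuer: str
    signature_valid: bool
    revoked: bool
    face_match_score: Optional[float]  # None when Face Check did not run


def decide(p: Presentation, use_case: str) -> tuple[bool, str]:
    """Return (allow, reason). Every check fails closed."""
    threshold = THRESHOLDS.get(use_case)
    if threshold is None:
        return False, "unknown use case"
    if not p.signature_valid:
        return False, "signature not verified"
    if p.issuer not in TRUSTED_ISSUERS:
        return False, "issuer not trusted"
    if p.revoked:
        return False, "credential revoked"
    if p.face_match_score is None:
        return False, "no Face Check result"
    # Rejects NaN as well, since NaN fails both comparisons.
    if not 0.0 <= p.face_match_score <= 100.0:
        return False, "score out of range"
    if p.face_match_score < threshold:
        return False, f"score {p.face_match_score} below {threshold}"
    return True, "ok"


# Constructed sample using the 86% score the article gives as an example.
SAMPLE = Presentation("did:web:tenant2.example", True, False, 86.0)

if __name__ == "__main__":
    for use_case in THRESHOLDS:
        print(use_case, decide(SAMPLE, use_case))
```

The same 86% presentation is accepted for the lower-risk use case and rejected for the high-security one, and a missing or malformed score is treated as a denial rather than a pass.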

Verified ID on Azure Marketplace

Organizations looking to implement Verified ID solutions can now access Fortytwo’s expertise directly through the Azure Marketplace. This offering provides:

  • Pre-Built Components: Reference architectures for common use cases
  • Rapid Deployment: Ready-to-use infrastructure as code
  • Consulting Support: Expert guidance on implementation and integration
  • Azure Native Integration: Seamless connection with existing Azure services

Verified ID by Fortytwo: Implementation

Coming up next in this series

Understanding the architecture of Verified ID is one thing; seeing how it transforms real business processes is another. In the next part of this series, we’ll explore concrete use cases and the tangible benefits organizations achieve when implementing this technology.

We’re talking real numbers: reducing onboarding time by 85%, cutting identity verification costs dramatically, enabling zero-trust partner access without the credential management overhead, and finally solving the "forgot password" problem that costs enterprises millions annually. From streamlining employee onboarding to enabling secure partner ecosystems, from meeting GDPR and eIDAS compliance to creating tamper-proof educational credentials—we’ll show you the ROI with actual metrics: time saved, costs reduced, security incidents prevented, and compliance requirements met. If you need to build a business case for decentralized identity or are wondering "where do I even start?", this post will give you the practical roadmap and the numbers that matter to leadership.
