Currently the MSFT identity approach uses blockchain as an identity stake and then layer2's the access. The identity stake allows for anyone to verify that the credential is valid and belongs to a real person without everyone involved having to run the entire chain back to that point, with a secondary chain providing a changelog. Since you only need to exist once, this can cost $5 or so without major issue. (We can't use a centralized database for this because people in the US are afraid of the government.) NHS is using it as a cross-region credentialing system, since it's easier for them to accept a blockchain entry than work out all the regulatory nonsense about actually sharing history, or getting their systems to work together securely.