Azure IoT Device Provisioning Service - An Introduction

16th Feb 2022

Mender offers an integration with Azure IoT Hub. The integration automates the inclusion of new devices into your Azure IoT Hub account and gives you a simpler provisioning workflow: you add the devices to Mender, and they are automatically provisioned and authenticated with Azure IoT Hub. Click here to learn more about the workflow, or go to our Documentation to see how to get started quickly.

Why Azure Device Provisioning Service?

Azure and IoT Hub connect IoT devices so that telemetry data can be sent from the devices to the cloud and received from it. While it is possible to provision a single device or a small number of devices manually, it is desirable to have an automated approach that provisions devices in a secure and scalable manner, without requiring human intervention.

A full description and feature set of Azure Device Provisioning Service is available in the Microsoft documentation. A device must be created or registered in IoT Hub before it can be provisioned. The way to create a device in IoT Hub is summarized here.

Use cases for Azure Device Provisioning Service

Azure Device Provisioning Service provides automatic provisioning for IoT device fleets that scale into the thousands and the millions. Normally, when an operator wants to provision more than one device in an IoT Hub, they have to add a device registration ID and a connection string to each device. Azure DPS removes this manual administration by offering what is called zero-touch provisioning: in this scenario there is no need to set up devices by hand. Azure DPS is even more powerful and impactful where multiple IoT hubs are in operation. In these scenarios the operator may have to balance resources across the device fleet and re-provision when a change is made on a device, or when devices need to be moved to another IoT Hub with lower network latency.

Azure DPS setup

Full, detailed steps on setting up Azure Device Provisioning Service are available in this informative tutorial by John Adali.

Security considerations in Azure DPS

For device security, symmetric keys and X.509 certificates are used in both enrollment types (individual enrollments and enrollment groups). For these certificates to be applied to the devices, a defined process must be followed in DPS to ensure that the devices are properly signed with the correct certificates. The X.509 certificate must be validated against the device's code, and the certificate must be unique to that device. The goal is to prevent tampering with the code on the device: if tampering occurs, the device fails the attestation test. For group enrollment, a root CA certificate must be created, and this root CA certificate can be generated with a tool such as OpenSSL.
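As an added example (not code from Mender or Microsoft), the following POSIX shell script shows the OpenSSL steps behind an X.509 group enrollment: it generates a root CA, issues a per-device leaf certificate whose Common Name carries the device's DPS registration ID, and then verifies the chain and the CN the way the attestation check does, so that a certificate issued by an unrelated CA, or one whose CN does not match the registration ID, is rejected. The registration IDs, the CA name and the temporary directories are constructed placeholders; uploading the root CA to DPS and completing proof of possession happen in the Azure portal and are outside this script.

```shell
#!/bin/sh
# Added example: root CA + per-device X.509 leaf for a DPS enrollment group,
# plus the chain/CN check a verifier performs. Requires the openssl CLI.
# Names, registration IDs and paths below are constructed for illustration.
set -eu

# make_root_ca DIR NAME -> writes DIR/rootca.key and DIR/rootca.pem
# The self-signed root is what gets uploaded to DPS for the enrollment group.
make_root_ca() {
  dir=$1; name=$2
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/rootca.key"
  openssl req -x509 -new -key "$dir/rootca.key" -sha256 -days 3650 \
    -subj "/CN=$name" -out "$dir/rootca.pem"
}

# issue_device_cert DIR REG_ID -> writes DIR/device.key and DIR/device.pem
# The leaf's CN must equal the DPS registration ID; the private key stays on the device.
issue_device_cert() {
  dir=$1; reg_id=$2
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/device.key"
  openssl req -new -key "$dir/device.key" -subj "/CN=$reg_id" -out "$dir/device.csr"
  # End-entity constraints: not a CA, only usable for TLS client authentication.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/device.csr" -CA "$dir/rootca.pem" -CAkey "$dir/rootca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/leaf.ext" -out "$dir/device.pem"
}

# verify_device_cert LEAF ROOT REG_ID -> exit 0 only if LEAF chains to ROOT and its CN == REG_ID
verify_device_cert() {
  leaf=$1; root=$2; reg_id=$3
  # 1. Chain check: the leaf must be signed by the trusted root of this enrollment group.
  openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 || return 1
  # 2. Identity check: the CN must be exactly the registration ID the device claims.
  cn=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//')
  [ "$cn" = "$reg_id" ]
}

# Stand-alone demo: fleet A's device verifies under fleet A's root only, and only
# with the registration ID it was issued for.
fleet_a=$(mktemp -d); fleet_b=$(mktemp -d)
make_root_ca "$fleet_a" "Example Fleet A Root CA"
make_root_ca "$fleet_b" "Example Fleet B Root CA"
issue_device_cert "$fleet_a" "device-0001"
for case in "$fleet_a/rootca.pem device-0001" "$fleet_a/rootca.pem device-0002" "$fleet_b/rootca.pem device-0001"; do
  set -- $case
  if verify_device_cert "$fleet_a/device.pem" "$1" "$2"; then
    echo "ACCEPT root=$1 reg_id=$2"
  else
    echo "REJECT root=$1 reg_id=$2"
  fi
done
```

The two checks in `verify_device_cert` are deliberately separate: the chain check proves the certificate was issued by the group's CA, and the CN check binds that certificate to one registration ID, which is why a leaf certificate must be unique per device.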

Mender integrated with Azure IoT Hub

The best place to test the Azure Mender integration is the Mender Enterprise free trial, where all features and add-ons are available free of charge for 12 months.

To see the overview of the integration, please take a look at our partner page. If you're ready to get started with provisioning your devices to Mender, make sure to visit Mender Hub for a detailed, step-by-step tutorial.