Is managed identity available to create an IoT Hub client, to avoid an Azure Active Directory app and secret?

@IamCoder 391 Reputation points
2022-07-27T16:08:53.43+00:00

I am using the NuGet package below, <PackageReference Include="Microsoft.Azure.Management.IotHub" Version="4.2.0" />, and trying to create an IotHubClient.

I have registered an application with AAD, given it permission on the IoT Hub instance, and am using the code below to generate the IoT Hub client:

    using Microsoft.Azure.Management.IotHub;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    using Microsoft.Rest;

    private async Task<IotHubClient> GetIotHubClient()
    {
        // Tenant-specific authority; the tenant ID is elided in the post.
        var authContext = new AuthenticationContext("https://login.microsoftonline.com/XXXXXXXXXXXX");

        // Client ID and client secret are read from configuration as two separate keys.
        var credential = new ClientCredential(
            Configuration["AAD-APP-Client-ID"],
            Configuration["AAD-APP-Client-Secret"]);

        // Token for the Azure Resource Manager (management-plane) API.
        var token = await authContext.AcquireTokenAsync("https://management.core.windows.net/", credential);

        if (token == null) return null!;

        // Wrap the bearer token in the credential type the management SDK expects.
        var credentials = new TokenCredentials(token.AccessToken);
        var client = new IotHubClient(credentials)
        {
            SubscriptionId = "my-SubscriptionId"
        };

        return client;
    }

It works, and I am able to create an IoT Hub client and talk with it.

The question is: is this the only way to prepare the IoT Hub client, or is some form of managed identity available so that I don't need to maintain an AAD app and its secret?


Accepted answer
Sander van de Velde 28,311 Reputation points MVP
    2022-07-27T19:28:30.52+00:00

    Hello @IamCoder,

    In general, the solution you use is the right solution to get access to the IoT Hub for API functionality.

    See also this blog post and this blog post, where a similar approach is used for the REST API:

    az login
    az ad sp create-for-rbac -n "testaccount"

    Normally this is provided by an administrator who has access to the production environment. So there is a boundary between programming and service management.

    As far as I know, it's not possible to skip it and use e.g. the IoT Hub connection string (supporting the right policies).


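The following is an added example, not code from the question or the accepted answer. It shows the mechanical point the thread turns on: the legacy IotHubClient constructor takes any Microsoft.Rest.ServiceClientCredentials, so the bearer token it sends can come from a managed identity (obtained here with the Azure.Identity package) instead of from an AAD app secret held in configuration. The class names AzureIdentityCredentials and IotHubClientFactory, the subscription ID placeholder, and the assumption that the managed identity has a role assignment on the IoT Hub resource are all mine, not the page's.

```csharp
// Added example (not from the post): an ADAL-free credential for the legacy
// Microsoft.Azure.Management.IotHub client, backed by Azure.Identity.
// Assumed packages: Azure.Identity, Microsoft.Azure.Management.IotHub (4.x).
// Assumed RBAC: the identity running this code holds a management-plane role
// (e.g. Contributor) scoped to the IoT Hub resource, not the whole subscription.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Management.IotHub;
using Microsoft.Rest;

/// Bridges an Azure.Core TokenCredential into the ServiceClientCredentials type
/// that the older management SDK expects. Unlike wrapping a single token string
/// in Microsoft.Rest.TokenCredentials, this re-requests the token per call, so
/// the client keeps working after the first token expires (Azure.Identity caches
/// tokens and refreshes them near expiry, so the per-call cost is small).
public sealed class AzureIdentityCredentials : ServiceClientCredentials
{
    // ARM resource scope; ".default" means "every permission this identity holds on ARM".
    private const string ArmScope = "https://management.azure.com/.default";

    private readonly TokenCredential _credential;
    private readonly string[] _scopes;

    public AzureIdentityCredentials(TokenCredential credential, string scope = ArmScope)
    {
        _credential = credential ?? throw new ArgumentNullException(nameof(credential));
        _scopes = new[] { scope };
    }

    public override async Task ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AccessToken token = await _credential
            .GetTokenAsync(new TokenRequestContext(_scopes), cancellationToken)
            .ConfigureAwait(false);

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        await base.ProcessHttpRequestAsync(request, cancellationToken).ConfigureAwait(false);
    }
}

public static class IotHubClientFactory
{
    /// Builds an IotHubClient authenticated by managed identity. Pass the client ID
    /// of a user-assigned identity, or null to use the system-assigned identity of
    /// the hosting resource (App Service, VM, Functions, ...). No secret is involved.
    public static IotHubClient CreateWithManagedIdentity(string subscriptionId, string? userAssignedClientId = null)
    {
        TokenCredential credential = userAssignedClientId is null
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(userAssignedClientId);

        return new IotHubClient(new AzureIdentityCredentials(credential))
        {
            SubscriptionId = subscriptionId
        };
    }

    /// Same client, but DefaultAzureCredential tries managed identity first and falls
    /// back to developer logins (az login, Visual Studio) when run outside Azure, so
    /// one code path serves both production and local development.
    public static IotHubClient CreateWithDefaultCredential(string subscriptionId)
    {
        return new IotHubClient(new AzureIdentityCredentials(new DefaultAzureCredential()))
        {
            SubscriptionId = subscriptionId
        };
    }
}

// Usage (subscription ID is a placeholder):
// var client = IotHubClientFactory.CreateWithManagedIdentity("00000000-0000-0000-0000-000000000000");
// var hubs = await client.IotHubResource.ListBySubscriptionAsync();
```

Two practical caveats. First, the scope above is the Azure Resource Manager (management-plane) resource, which is what IotHubClient talks to; the IoT Hub data plane (device registry, twins, C2D messaging) uses a different AAD resource, https://iothubs.azure.net/.default, and a different SDK, so a role that grants one does not grant the other. Second, whichever credential type is used, assign the role at the scope of the individual IoT Hub rather than the subscription; the default `az ad sp create-for-rbac` invocation in the answer creates the principal but it is the role assignment, not the principal, that decides what the token can do.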