Terminology

Important

This is the Azure Sphere (Legacy) documentation. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated) by this time. Use the Version selector located above the TOC to view the Azure Sphere (Integrated) documentation.

Note

Azure Sphere refers to the PAPI based interface as Azure Sphere (Legacy) and the integrated Azure Resource Manager interface as Azure Sphere (Integrated).

Application capability

The permissions that an application requires to access resources. For example, applications require capabilities to use peripherals such as GPIOs (general purpose I/O) and UARTs (universal asynchronous receiver-transmitter), connect to internet hosts, and change the Wi-Fi configuration.

Application containers

The top (fourth) level of the multi-layer Azure Sphere OS architecture, which provides dynamic compartments for agile, secure, and robust high-level applications.

Application libraries (applibs)

The Microsoft-authored custom libraries that support high-level application development.

Application manifest

A file that identifies the application capabilities that an application requires and includes application metadata. Every application must have an application manifest named app_manifest.json.

Attestation

The process by which a client proves its configuration to a remote server. In the Azure Sphere context, an Azure Sphere device attests to the Azure Sphere Security Service (AS3) so that the service can determine the level of trust and integrity of the device.

Azure Sphere chip

An MCU (microcontroller unit) that is compatible with Azure Sphere.

Azure Sphere device

Any device that incorporates an Azure Sphere chip, or the Azure Sphere chip itself.

Azure Sphere operating system (OS)

Microsoft's custom, Linux-based microcontroller operating system that, as designed, runs on an Azure Sphere chip and connects to the Azure Sphere Security Service.

Azure Sphere project

The collection of files, generally organized into a single directory and its subdirectories, used to create an Azure Sphere application. All Azure Sphere projects contain an application manifest file and at least one source-code file, usually main.c. Azure Sphere projects created with Visual Studio or Visual Studio Code will have an additional subdirectory to support the IDE.

Azure Sphere reference development board (RDB)

A compact development board that incorporates an Azure Sphere chip and conforms to the reference development board design specifications.

Azure Sphere SDK

The tools, libraries, and header files that together enable application developers to build applications for the Azure Sphere device. The Azure Sphere SDK (software development kit) includes all the tools that are required to build and manage applications and deployments. Microsoft provides an SDK for Windows and an SDK for Linux.

Azure Sphere Security Service (AS3)

Microsoft's cloud-based service that communicates with Azure Sphere chips to enable maintenance, update, and control. Sometimes abbreviated AS3.

Azure Sphere tenant

A special cloud-based entity that represents an organization for the Azure Sphere Security Service. The Azure Sphere tenant provides a secure way for an organization to manage its Azure Sphere devices in isolation from those of any other organization. Each device belongs to exactly one Azure Sphere tenant.

Note that the term "tenant" is sometimes used elsewhere to refer to an Azure Active Directory instance. In the context of Azure Sphere, however, we use "tenant" to refer exclusively to an Azure Sphere tenant.

Claiming

The process by which an Azure Sphere OEM (original equipment manufacturers) takes ownership of a device. Each Azure Sphere device must be "claimed" by an Azure Sphere tenant, so that the tenant knows about all its devices and can manage them as a group. A device cannot be claimed into multiple tenants and cannot be moved from one tenant to another.

Cloud loading

The process by which the Azure Sphere Security Service communicates with an Azure Sphere device to perform an update. See also sideload.

Component

The updatable unit of software that a feed delivers. Each component has a unique component ID. The component ID for an application appears in the ComponentId field of the application's app_manifest.json file. See also image.

Connected device

A manufacturer's product that includes an embedded Azure Sphere chip that runs the Azure Sphere OS and connects to the Azure Sphere Security Service (AS3).

Crossover MCU

A microcontroller unit (MCU) that combines real-time and application processors. The MT3620 is a crossover MCU.

Defense in depth

A layered approach to security in which multiple mitigations are applied against each threat. One of the seven properties of highly secure devices.

Deploy

To make a component available for over-the-air update. A deployment delivers software from the cloud to one or more Azure Sphere devices. See also sideload.

Device authentication and attestation service

The primary point of contact with the Azure Sphere Security Service for Azure Sphere devices to authenticate their identity, ensure the integrity and trust of the system software, and certify that they are running a trusted code base.

Device capability

The permission to perform a device-specific activity. For example, the AppDevelopment capability enables debugging, along with other development-related tasks, on an Azure Sphere device. Device capabilities are granted by the Azure Sphere Security Service and are stored in flash memory on the Azure Sphere chip. By default, Azure Sphere chips have no device capabilities.

Device group

A named collection of devices of the same product type.

Device ID

The unique, immutable value generated by the silicon manufacturer to identify an individual Azure Sphere MCU.

Device provisioning

The process of adding the initial device data to the stores in your solution. To enable a new device to connect to your hub, you must add a device ID and keys to the IoT Hub identity registry. The Device Provisioning Service can automatically provision devices in an IoT hub or IoT Central application.

Device twin

A JSON document that stores device state information including metadata, configurations, and conditions. Azure IoT Hub maintains a device twin for each device that you connect to Azure IoT Hub. See Understand and use device twins for more details.

Dynamic compartments

The use of protection boundaries within the hardware and software stack to prevent a flaw or breach in one component from propagating to other parts of the system. Azure Sphere incorporates hardware-enforced barriers between software components to provide dynamic compartments. One of the seven properties of highly secure devices.

Error reporting

The automatic collection and timely distribution of information about an error, so that problems can be quickly diagnosed and corrected. One of the seven properties of highly secure devices.

Hardware-based root of trust

A security foundation that is generated in and protected by hardware. In the Azure Sphere chip, this is implemented as unforgeable cryptographic keys. Physical countermeasures resist side-channel attacks. One of the seven properties of highly secure devices.

High-level application

An application that runs on the high-level core on the Azure Sphere hardware. High-level applications run on the Azure Sphere OS and can use the application libraries and other OS features.

Image

A binary file that represents a single version of an application or board configuration. The specific component is identified by its component ID.

Image type

An image attribute that identifies the type of component an image represents; synonymous with component type. Depending on the image type, the bits may be in different formats. For applications (which is one image type), images comprise a serialized file system that contains the executable for their code.

Image package

The combination of an image with its metadata that is produced by the build process. An image package can be sideloaded to an Azure Sphere device for testing and debugging or cloud loaded for production use.

IoT Central

IoT Central is an IoT application platform (aPaaS) that simplifies the creation of IoT solutions. Azure IoT Central provides a ready-to-use UX and API surface built to connect, manage, and operate fleets of devices at scale.

IoT Edge

A service and related client libraries and runtime that enables cloud-driven deployment of Azure services and solution-specific code to on-premises devices. IoT Edge devices can aggregate data from other devices to perform computing and analytics before sending the data to the cloud.

IoT Hub

A fully managed Azure service that enables reliable and secure bidirectional communications between millions of devices and a solution back end. For more information, see What is Azure IoT Hub?. Using your Azure subscription, you can create IoT hubs to handle your IoT messaging workloads.

On-chip cloud services

The third level of the multi-layer Azure Sphere OS architecture, which provides update, authentication, and connectivity.

Password-less authentication

Authentication that is based on certificates, instead of passwords. A certificate is a statement of identity and authorization that is signed with a secret private key and validated with a known public key, and is thus more secure than a password. Azure Sphere uses certificates to prove identities for mutual authentication when communicating with other local devices and with servers in the cloud. One of the seven properties of highly secure devices.

Pluton security subsystem

The Azure Sphere subsystem that creates a hardware root of trust, stores private keys, and runs complex cryptographic operations. It includes a Security Processor (SP) CPU, cryptographic engines, a hardware random number generator (RNG), a key store, and a cryptographic operation engine (COE).

Product

A GUID (globally unique identifier) that identifies an Azure Sphere MCU that is incorporated into a connected device to perform a specific function. A product manufacturer creates a product for each model of connected device, such as a dishwasher or coffeemaker.

Product manufacturer

A company or individual who produces a connected device that incorporates an Azure Sphere MCU and has a custom application.

Real-time capable application (RTApp)

An application that runs on one of the real-time cores on the Azure Sphere hardware. RTApps can run on bare-metal hardware or with a real-time operating system (RTOS).

Recovery

The low-level process of replacing the Azure Sphere OS on the device, without using the cloud update process, but instead using a special recovery bootloader. See also update.

Renewable security

The ability to update to a more secure state automatically even after the device has been compromised. Renewal brings the device forward to a secure state and revokes compromised assets for known vulnerabilities or security breaches. One of the seven properties of highly secure devices.

Security monitor

The lowest level of the Azure Sphere OS architecture, which is responsible for protecting security-sensitive hardware, such as memory, flash, and other shared MCU resources and for safely exposing limited access to these resources.

Sideload

The process of loading software by a means that does not involve the Azure Sphere Security Service (AS3) but instead is performed directly with the device, often under the control of a software developer, field engineer, or similar person. Development environments such as Visual Studio sideload applications for debugging. A developer can also initiate sideloading by using the Azure Sphere CLI (command-line interface) with an attached device.

Sysroot

A set of libraries, header files, and tools that are used to compile and link a high-level application that targets a particular set of APIs. Some sysroots support only production APIs, and other sysroots support both production APIs and Beta APIs. The Azure Sphere SDK includes multiple sysroots that target different API sets.

Trusted computing base (TCB)

The software and hardware that are used to create a secure environment for an operation. The TCB should be kept as small as possible to minimize the surface that is exposed to attackers and to reduce the probability that a bug or feature can be used to circumvent security protections. A small TCB is one of the seven properties of highly secure devices.

Update

The process of changing the Azure Sphere OS or application to comply with a deployment. An update can be sideloaded (such as during development and debugging) or can be cloud loaded by the Azure Sphere Security Service (in a normal end-user situation). Support for cloud updates is an integral part of Azure Sphere. See also recovery.