Share via


Azure role-based access control (RBAC) and Device Update

Device Update uses Azure RBAC to provide authentication and authorization for users and service APIs. In order for other users and applications to have access to Device Update, users or applications must be granted access to this resource. It is also necessary to configure access for Azure Device Update service principal for successfully deploying updates and managing your devices.

Configure access control roles

These are the roles that are supported by Device Update:

Role Name Description
Device Update Administrator Has access to all Device Update resources
Device Update Reader Can view all updates and deployments
Device Update Content Administrator Can view, import, and delete updates
Device Update Content Reader Can view updates
Device Update Deployments Administrator Can manage deployment of updates to devices
Device Update Deployments Reader Can view deployments of updates to devices

A combination of roles can be used to provide the right level of access. For example, a developer can import and manage updates using the Device Update Content Administrator role, but needs a Device Update Deployments Reader role to view the progress of an update. Conversely, a solution operator with the Device Update Reader role can view all updates, but needs to use the Device Update Deployments Administrator role to deploy a specific update to devices.

Configuring access for Azure Device Update service principal in the IoT Hub

Device Update for IoT Hub communicates with the IoT Hub for deployments and manage updates at scale. In order to enable Device Update to do this, users need to set IoT Hub Data Contributor access for Azure Device Update Service Principal in the IoT Hub permissions.

Below actions will be blocked with upcoming release, if these permissions are not set:

  • Create Deployment
  • Cancel Deployment
  • Retry Deployment
  • Get Device
  1. Go to the IoT Hub connected to your Device Update Instance. Click Access Control(IAM)
  2. Click + Add -> Add role assignment
  3. Under Role tab, select IoT Hub Data Contributor
  4. Click Next. For Assign access to, select User, group, or service principal. Click + Select Members, search for 'Azure Device Update'
  5. Click Next -> Review + Assign

To validate that you've set permissions correctly:

  1. Go to the IoT Hub connected to your Device Update Instance. Click Access Control(IAM)
  2. Click Check access
  3. Select User, group, or service principal and search for 'Azure Device Update'
  4. After clicking on 'Azure Device Update', verify that the IoT Hub Data Contributor role is listed under Role assignments

Authenticate to Device Update REST APIs

Device Update uses Azure Active Directory (AD) for authentication to its REST APIs. To get started, you need to create and configure a client application.

Create client Azure AD app

To integrate an application or service with Azure AD, first register a client application with Azure AD. Client application setup will vary depending on the authorization flow you'll need (users, applications or managed identities). For example, to call Device Update from:

  • Mobile or desktop application, add Mobile and desktop applications platform with https://login.microsoftonline.com/common/oauth2/nativeclient for the Redirect URI.
  • Website with implicit sign-on, add Web platform and select Access tokens (used for implicit flows).

Configure permissions

Next, add permissions for calling Device Update to your app:

  1. Go to the API permissions page of your app and select Add a permission.
  2. Go to APIs my organization uses and search for Azure Device Update.
  3. Select user_impersonation permission and select Add permissions.

Request authorization token

The Device Update REST API requires an OAuth 2.0 authorization token in the request header. The following sections show some examples of ways to request an authorization token.

Using Azure CLI

az login
az account get-access-token --resource 'https://api.adu.microsoft.com/'

Using PowerShell MSAL Library

MSAL.PS PowerShell module is a wrapper over Microsoft Authentication Library for .NET (MSAL .NET). It supports various authentication methods.

Using user credentials:

$clientId = '<app_id>'
$tenantId = '<tenant_id>'
$authority = "https://login.microsoftonline.com/$tenantId/v2.0"
$Scope = 'https://api.adu.microsoft.com/user_impersonation'

Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope

Using user credentials with device code:

$clientId = '<app_id>’
$tenantId = '<tenant_id>’
$authority = "https://login.microsoftonline.com/$tenantId/v2.0"
$Scope = 'https://api.adu.microsoft.com/user_impersonation'

Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -Interactive -DeviceCode

Using app credentials:

$clientId = '<app_id>’
$tenantId = '<tenant_id>’
$cert = '<client_certificate>'
$authority = "https://login.microsoftonline.com/$tenantId/v2.0"
$Scope = 'https://api.adu.microsoft.com/.default'

Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -ClientCertificate $cert

Support for managed identities

Managed identities provide Azure services with an automatically managed identity in Azure AD in a secure manner. This eliminates the needs for developers having to manage credentials by providing an identity. Device Update for IoT Hub supports system-assigned managed identities.

System-assigned managed identity

To add and remove a system-assigned managed identity in Azure portal:

  1. Sign in to the Azure portal and navigate to your desired Device Update for IoT Hub account.
  2. Navigate to Identity in your Device Update for IoT Hub portal
  3. Navigate to Identity in your IoT Hub portal
  4. Under System-assigned tab, select On and click Save.

To remove system-assigned managed identity from an Device Update for IoT hub account, select Off and click Save.

Next Steps