Use Azure IoT with Azure Sphere

Important

This is the Azure Sphere (Legacy) documentation. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated) by this time. Use the Version selector located above the TOC to view the Azure Sphere (Integrated) documentation.

Azure Sphere devices can communicate with Azure IoT using managed services like Azure IoT Hub and Azure IoT Central.

Before you begin

No matter which service you use, you must have an Azure subscription. If your organization does not already have a subscription, you can set up a free trial.

Important

Although you can create an Azure subscription for no charge, the sign-up process requires you to provide a credit card number.

Azure Sphere visibility in Azure IoT

For Azure IoT to accept data from an Azure Sphere device, an Azure IoT service must be configured to trust the device, the device must be provisioned to that service, and the device must then connect to the service with trustworthy credentials. Azure IoT services can be configured to accept the Azure Sphere Device Authentication and Attestation (DAA) certificate as that credential. Use of the DAA certificate is built into the device's operating system for connections made through the Azure IoT C SDK; the Azure IoT service, however, must be configured to accept the Azure Sphere catalog certificate, which is the parent of the DAA certificate in the chain. Alternatively, a custom device certificate chain can be used to connect to Azure IoT services.

The benefit of the DAA certificate is that it is renewed daily, so the presence of a valid DAA certificate indicates that the device is trustworthy and has attested that it is genuine and configured securely. When connecting with a custom device certificate, these assurances are not carried by the credential and must be managed independently. Custom certificates are intended for organizations whose certificate management systems must be used with Azure IoT for security, regulatory, or compliance reasons, and should be used with Azure Sphere only when required.

Using Azure IoT with Azure Sphere certificates

Authenticate your Azure Sphere catalog

After you have an Azure subscription, you must establish trust between Azure Sphere and your Azure IoT Central application or Azure IoT Hub instance. You perform the validation steps only once: download a certificate authority (CA) certificate from the Azure Sphere Security Service and validate it using a verification code generated by Azure IoT Hub or Azure IoT Central. The validation process authenticates your Azure Sphere catalog.

The authentication process is slightly different for Azure IoT Hub and Azure IoT Central:

Next steps

Once you have an Azure subscription and a validated CA, you can run the Azure IoT sample application from GitHub, which connects to either Azure IoT Central or Azure IoT Hub.

Using Azure IoT with custom certificates

Context for custom certificate usage

Custom certificates can be configured to work with Azure IoT DPS, IoT Hub, and IoT Central. To use a custom certificate with Azure Sphere, a certificate must be generated for each device and delivered to that device. Azure Sphere provides ways to receive data from various sources, store it, and encrypt it for persistent storage; these can be used to acquire and hold the certificates on the device. Once a certificate is present on a device, an Azure Sphere application can use the Azure IoT C SDK together with APIs that override Azure Sphere's built-in authentication to Azure IoT services.

Configuring Azure Sphere applications to use custom certificates

When using DPS to provision Azure Sphere devices into other Azure IoT services, the Azure Sphere application creates a DPS session with the Azure IoT C SDK, beginning with Prov_Device_LL_Create. By default, Azure Sphere uses its built-in DAA certificate for DPS sessions, so an additional call, AzureIoT_OverrideAzureSphereAuthDPS, is needed to pass the custom certificate chain to the Azure IoT C SDK and override the built-in certificate from the Azure Sphere Security Service.

For connecting to Azure IoT Hub, a different Azure IoT C SDK call begins the session, IoTHubDeviceClient_LL_CreateFromDeviceAuth. As with DPS, an additional call, AzureIoT_OverrideAzureSphereAuthIoTHub, is needed to pass the custom certificate chain to the Azure IoT C SDK and override the built-in certificate. Note that even when using both DPS and IoT Hub, both overrides are needed, because the Azure IoT C SDK keeps its DPS and IoT Hub clients separate, and both overrides must be called with the same certificate chain.
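As an added example (not code from the Azure Sphere SDK or from this page's sample application), the C below sanity-checks a PEM chain buffer before the application hands that same buffer, unchanged, to both override calls. It does not call the Azure IoT C SDK, and the PEM bodies are constructed placeholders rather than real certificates. The check confirms that the buffer parses as a sequence of complete PEM blocks, contains at least one certificate, and contains no private key block: the chain is what the device presents to the service during the TLS handshake, so a key that has been concatenated into the chain file by mistake should be caught on the device before it is ever used.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Summary of what a PEM buffer contains. */
typedef struct {
    int certCount;      /* "-----BEGIN CERTIFICATE-----" blocks found            */
    bool hasPrivateKey; /* any "... PRIVATE KEY" block present in the buffer     */
    bool wellFormed;    /* every BEGIN marker has a matching END marker after it */
} ChainInfo;

/* Walk the PEM blocks in 'pem' and summarise them. Only the armor markers are
   parsed; the base64 bodies are not decoded or validated. */
ChainInfo InspectPemChain(const char *pem)
{
    ChainInfo info = { 0, false, true };
    const char *p = pem;

    while ((p = strstr(p, "-----BEGIN ")) != NULL) {
        const char *label = p + strlen("-----BEGIN ");
        const char *labelEnd = strstr(label, "-----");
        size_t labelLen;
        char name[64];
        char endMarker[96];
        const char *end;

        if (labelEnd == NULL) { info.wellFormed = false; break; }
        labelLen = (size_t)(labelEnd - label);
        if (labelLen == 0 || labelLen >= sizeof name) { info.wellFormed = false; break; }
        memcpy(name, label, labelLen);
        name[labelLen] = '\0';

        /* The END marker must carry the same label, e.g. "-----END CERTIFICATE-----". */
        snprintf(endMarker, sizeof endMarker, "-----END %s-----", name);
        end = strstr(labelEnd, endMarker);
        if (end == NULL) { info.wellFormed = false; break; }

        if (strcmp(name, "CERTIFICATE") == 0) info.certCount++;
        if (strstr(name, "PRIVATE KEY") != NULL) info.hasPrivateKey = true;

        p = end + strlen(endMarker);
    }
    return info;
}

/* True when the buffer is acceptable as the chain for both override calls. */
bool ChainUsableForOverride(const char *pem)
{
    ChainInfo info = InspectPemChain(pem);
    return info.wellFormed && info.certCount >= 1 && !info.hasPrivateKey;
}

/* Constructed sample input: the bodies are placeholders, not real certificates. */
const char kConstructedChainPem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBLEAFcGxhY2Vob2xkZXIgZGV2aWNlIGNlcnRpZmljYXRl\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBSU5URVJNcGxhY2Vob2xkZXIgaW50ZXJtZWRpYXRl\n"
    "-----END CERTIFICATE-----\n";

/* Constructed: the device private key appended to the chain by mistake. */
const char kConstructedChainWithKeyPem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBLEAFcGxhY2Vob2xkZXIgZGV2aWNlIGNlcnRpZmljYXRl\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN EC PRIVATE KEY-----\n"
    "cGxhY2Vob2xkZXIga2V5\n"
    "-----END EC PRIVATE KEY-----\n";

/* Constructed: chain cut off mid-file, as after a partial write to storage. */
const char kConstructedTruncatedPem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBLEAFcGxhY2Vob2xkZXIgZGV2aWNlIGNlcnRpZmljYXRl\n";

int main(void)
{
    const char *samples[] = { kConstructedChainPem, kConstructedChainWithKeyPem, kConstructedTruncatedPem };
    const char *names[] = { "chain", "chain+key", "truncated" };
    for (int i = 0; i < 3; i++) {
        ChainInfo info = InspectPemChain(samples[i]);
        printf("%-10s certs=%d privateKey=%d wellFormed=%d usable=%d\n", names[i],
               info.certCount, (int)info.hasPrivateKey, (int)info.wellFormed,
               (int)ChainUsableForOverride(samples[i]));
    }
    /* In the real application, only a buffer that passes ChainUsableForOverride is
       passed, as the same buffer, to AzureIoT_OverrideAzureSphereAuthDPS and
       AzureIoT_OverrideAzureSphereAuthIoTHub. */
    return 0;
}
```

This check is deliberately shallow: it does not verify that the device (leaf) certificate comes first, that each certificate is signed by the next, or that the chain terminates at the intermediate registered with the Azure IoT service. Those checks need an X.509 parser and are normally left to the TLS library, but the cheap structural checks above catch the common provisioning mistakes (a truncated file, a key concatenated into the chain) before a device spends connection attempts failing authentication.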

About Azure IoT DPS

Azure IoT Hub Device Provisioning Service (DPS) allows devices to be enrolled through zero-touch provisioning into other Azure IoT services, such as IoT Hub and IoT Central. This means that devices do not need to be hard-coded for specific IoT endpoints, and device administrators do not need to be physically present for devices to be configured to connect to Azure IoT services. For Azure Sphere devices, device provisioning typically occurs during product manufacturing or deployment, when a device is claimed into an Azure Sphere Security Service catalog for active management. For the purposes of Azure IoT, provisioning refers only to authorizing access to Azure IoT resources, not to the device's deployment state. DPS can be configured to trust all devices under an Azure Sphere catalog by registering a catalog intermediate certificate. DPS can then authorize devices daily as their DAA certificates are renewed as part of Azure Sphere's renewal of trust, which provides strong assurance that authorized devices are known to be in a secure, good, and genuine state. Using DPS with Azure Sphere lets devices be deployed at scale with other Azure IoT services more easily.

Learn more about Azure IoT DPS

About Azure IoT Hub

Azure IoT Hub is a managed service that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages.

Azure IoT Hub supports multiple messaging patterns–for example, device-to-cloud telemetry, file upload from devices, and request-reply methods to control your devices from the cloud. In addition, Azure IoT Hub monitoring helps you maintain the health of your solution by tracking events like device creation, device failures, and device connections.

Learn more about Azure IoT Hub

About Azure IoT Central

Azure IoT Central is a managed service that simplifies the creation of IoT solutions. Azure IoT Central simplifies the initial setup of your IoT solution and reduces the management burden, operational costs, and overhead of a typical IoT project.

Learn more about Azure IoT Central