az iot ops
Note
This reference is part of the azure-iot-ops extension for the Azure CLI (version 2.53.0 or higher). The extension will automatically install the first time you run an az iot ops command. Learn more about extensions.
This command group is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Manage Azure IoT Operations.
Azure IoT Operations is a set of highly aligned, but loosely coupled, first-party Kubernetes services that enable you to aggregate data from on-prem assets into an industrial-grade MQTT Broker, add edge compute and set up bi-directional data flow with a variety of services in the cloud.
By default IoT Operations CLI commands will periodically check to see if a new extension version is available.
This behavior can be disabled with `az config set iotops.check_latest=false`.
Commands
Name | Description | Type | Status |
---|---|---|---|
az iot ops asset | Manage assets. | Extension | Preview |
az iot ops asset create | Create an asset. | Extension | Preview |
az iot ops asset data-point | Manage data points in an asset. | Extension | Preview |
az iot ops asset data-point add | Add a data point to an asset. | Extension | Preview |
az iot ops asset data-point export | Export data points in an asset. | Extension | Preview |
az iot ops asset data-point import | Import data points in an asset. | Extension | Preview |
az iot ops asset data-point list | List data points in an asset. | Extension | Preview |
az iot ops asset data-point remove | Remove a data point in an asset. | Extension | Preview |
az iot ops asset delete | Delete an asset. | Extension | Preview |
az iot ops asset endpoint | Manage asset endpoint profiles. | Extension | Preview |
az iot ops asset endpoint certificate | Manage owned certificates in an asset endpoint. | Extension | Preview |
az iot ops asset endpoint certificate add | Add an owned certificate to an asset endpoint. | Extension | Preview |
az iot ops asset endpoint certificate list | List owned certificates in an asset endpoint. | Extension | Preview |
az iot ops asset endpoint certificate remove | Remove an owned certificate in an asset endpoint. | Extension | Preview |
az iot ops asset endpoint create | Create an asset endpoint. | Extension | Preview |
az iot ops asset endpoint delete | Delete an asset endpoint. | Extension | Preview |
az iot ops asset endpoint query | Query the Resource Graph for asset endpoints. | Extension | Preview |
az iot ops asset endpoint show | Show an asset endpoint. | Extension | Preview |
az iot ops asset endpoint update | Update an asset endpoint. | Extension | Preview |
az iot ops asset event | Manage events in an asset. | Extension | Preview |
az iot ops asset event add | Add an event to an asset. | Extension | Preview |
az iot ops asset event export | Export events in an asset. | Extension | Preview |
az iot ops asset event import | Import events in an asset. | Extension | Preview |
az iot ops asset event list | List events in an asset. | Extension | Preview |
az iot ops asset event remove | Remove an event in an asset. | Extension | Preview |
az iot ops asset query | Query the Resource Graph for assets. | Extension | Preview |
az iot ops asset show | Show an asset. | Extension | Preview |
az iot ops asset update | Update an asset. | Extension | Preview |
az iot ops broker | Mqtt broker management and operations. | Extension | Preview |
az iot ops broker authn | Broker authentication management. | Extension | Preview |
az iot ops broker authn list | List mqtt broker authentication resources associated with an instance. | Extension | Preview |
az iot ops broker authn show | Show details of an mqtt broker authentication resource. | Extension | Preview |
az iot ops broker authz | Broker authorization management. | Extension | Preview |
az iot ops broker authz list | List mqtt broker authorization resources associated with an instance. | Extension | Preview |
az iot ops broker authz show | Show details of an mqtt broker authorization resource. | Extension | Preview |
az iot ops broker list | List mqtt brokers associated with an instance. | Extension | Preview |
az iot ops broker listener | Broker listener management. | Extension | Preview |
az iot ops broker listener list | List mqtt broker listeners associated with a broker. | Extension | Preview |
az iot ops broker listener show | Show details of an mqtt broker listener. | Extension | Preview |
az iot ops broker show | Show details of an mqtt broker. | Extension | Preview |
az iot ops broker stats | Show dmqtt running statistics. | Extension | Preview |
az iot ops check | Evaluate cluster-side runtime health of deployed IoT Operations services. | Extension | Preview |
az iot ops dataflow | Dataflow management. | Extension | Preview |
az iot ops dataflow endpoint | Dataflow endpoint management. | Extension | Preview |
az iot ops dataflow endpoint list | List dataflow endpoint resources associated with an instance. | Extension | Preview |
az iot ops dataflow endpoint show | Show details of a dataflow endpoint resource. | Extension | Preview |
az iot ops dataflow list | List dataflows associated with a dataflow profile. | Extension | Preview |
az iot ops dataflow profile | Dataflow profile management. | Extension | Preview |
az iot ops dataflow profile list | List dataflow profiles associated with an instance. | Extension | Preview |
az iot ops dataflow profile show | Show details of a dataflow profile. | Extension | Preview |
az iot ops dataflow show | Show details of a dataflow associated with a dataflow profile. | Extension | Preview |
az iot ops delete | Delete IoT Operations from the cluster. | Extension | Preview |
az iot ops init | Bootstrap, configure and deploy IoT Operations to the target Arc-enabled cluster. | Extension | Preview |
az iot ops list | List IoT Operations instances. | Extension | Preview |
az iot ops show | Show an IoT Operations instance. | Extension | Preview |
az iot ops support | IoT Operations support command space. | Extension | Preview |
az iot ops support create-bundle | Creates a standard support bundle zip archive for use in troubleshooting and diagnostics. | Extension | Preview |
az iot ops update | Update an IoT Operations instance. | Extension | Preview |
az iot ops verify-host | Runs a set of cluster host verifications for IoT Operations deployment compatibility. | Extension | Preview |
az iot ops check
Command group 'iot ops' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Evaluate cluster-side runtime health of deployed IoT Operations services.
The command by default shows a human friendly summary view of the selected service.
More detail can be requested via `--detail-level`.
{Supported service APIs}
- akri.sh/[v0]
- deviceregistry.microsoft.com/[v1beta1]
- mqttbroker.iotoperations.azure.com/[v1beta1]
- opcuabroker.iotoperations.azure.com/[v1beta1]
- connectivity.iotoperations.azure.com/[v1beta1]
For more information on cluster requirements, please check https://aka.ms/iot-ops-cluster-requirements.
az iot ops check [--as-object {false, true}]
[--context]
[--detail-level {0, 1, 2}]
[--ops-service {akri, broker, dataflow, deviceregistry, opcua}]
[--post {false, true}]
[--pre {false, true}]
[--resource-name]
[--resources {asset, assetendpointprofile, assettype, broker, brokerlistener, configuration, dataflow, dataflowendpoint, dataflowprofile, instance}]
Examples
Basic usage. Checks `broker` health with summary output.
az iot ops check
Evaluates `broker` like prior example, however output is optimized for CI.
az iot ops check --as-object
Checks `opcua` health and configuration with detailed output.
az iot ops check --svc opcua --detail-level 1
Checks 'deviceregistry' health, but constrains results to `asset` resources.
az iot ops check --svc deviceregistry --detail-level 1 --resources asset
Use resource name to constrain results to `asset` resources with `my-asset-` name prefix
az iot ops check --svc deviceregistry --resources asset --resource-name 'my-asset-*'
Optional Parameters
- `--as-object`: Output check content and validations in a CI friendly data structure.
- `--context`: Kubeconfig context name to use for k8s cluster communication. If no context is provided current_context is used.
- `--detail-level`: Controls the level of detail displayed in the check output. Choose 0 for a summary view (minimal output), 1 for a detailed view (more comprehensive information), or 2 for a verbose view (all available information).
- `--ops-service`: The IoT Operations service deployment that will be evaluated.
- `--post`: Run post-deployment checks.
- `--pre`: Run pre-requisite checks to determine if the minimum requirements of a service deployment are fulfilled.
- `--resource-name`: Only run checks for the specific resource name. The name is case insensitive. Glob patterns '*' and '?' are supported. Note: Only alphanumeric characters, hyphens, '?' and '*' are allowed.
- `--resources`: Only run checks on specific resource kinds. Use space-separated values.
Global Parameters
- `--debug`: Increase logging verbosity to show all debug logs.
- `--help`: Show this help message and exit.
- `--only-show-errors`: Only show errors, suppressing warnings.
- `--output`: Output format.
- `--query`: JMESPath query string. See http://jmespath.org/ for more information and examples.
- `--subscription`: Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
- `--verbose`: Increase logging verbosity. Use --debug for full debug logs.
az iot ops delete
Delete IoT Operations from the cluster.
The operation uses Azure Resource Graph to determine correlated resources. Resource Graph being eventually consistent does not guarantee a synchronized state at the time of execution.
az iot ops delete --cluster
--resource-group
[--force {false, true}]
[--no-progress {false, true}]
[--yes {false, true}]
Examples
Minimum input for complete deletion.
az iot ops delete --cluster mycluster -g myresourcegroup
Skip confirmation prompt and continue to deletion process. Useful for CI scenarios.
az iot ops delete --cluster mycluster -g myresourcegroup -y
Force deletion regardless of warnings. May lead to errors.
az iot ops delete --cluster mycluster -g myresourcegroup --force
Required Parameters
- `--cluster`: Target cluster name for IoT Operations deletion.
- `--resource-group`: Name of resource group. You can configure the default group using `az configure --defaults group=<name>`.
Optional Parameters
- `--force`: Force the operation to execute.
- `--no-progress`: Disable visual representation of work.
- `--yes`: Confirm [y]es without a prompt. Useful for CI and automation scenarios.
Global Parameters
- `--debug`: Increase logging verbosity to show all debug logs.
- `--help`: Show this help message and exit.
- `--only-show-errors`: Only show errors, suppressing warnings.
- `--output`: Output format.
- `--query`: JMESPath query string. See http://jmespath.org/ for more information and examples.
- `--subscription`: Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
- `--verbose`: Increase logging verbosity. Use --debug for full debug logs.
az iot ops init
Bootstrap, configure and deploy IoT Operations to the target Arc-enabled cluster.
For additional resources including how to Arc-enable a cluster see https://learn.microsoft.com/en-us/azure/iot-operations/deploy-iot-ops/howto-prepare-cluster
IoT Operations depends on a service principal (SP) for Key Vault CSI driver secret synchronization.
By default, init creates and configures a suitable app registration via Microsoft Graph, then applies it to the cluster.
You can short-circuit this work by pre-creating an app registration, then providing values for --sp-app-id, --sp-object-id and --sp-secret. When the SP fields are provided, no additional work via Microsoft Graph operations will be done.
Pre-creating an app registration is useful when the logged-in principal has constrained Entra Id permissions, for example in CI/automation scenarios, or where an organization separates user responsibilities.
az iot ops init --cluster
--resource-group
[--add-insecure-listener {false, true}]
[--bfr]
[--bfw]
[--broker]
[--broker-authn]
[--broker-backend-part]
[--broker-backend-rf]
[--broker-backend-workers]
[--broker-config-file]
[--broker-listener]
[--broker-mem-profile {High, Low, Medium, Tiny}]
[--broker-service-type {ClusterIp, LoadBalancer, NodePort}]
[--ca-dir]
[--ca-file]
[--ca-key-file]
[--ca-valid-days]
[--cluster-namespace]
[--context]
[--csi-config]
[--csi-ver]
[--custom-location]
[--desc]
[--df-profile-instances]
[--disable-rotation {false, true}]
[--disable-rsync-rules {false, true}]
[--ensure-latest {false, true}]
[--kubernetes-distro {k3s, k8s, microk8s}]
[--kv-id]
[--kv-spc-secret-name]
[--location]
[--name]
[--no-block {false, true}]
[--no-deploy {false, true}]
[--no-progress {false, true}]
[--no-tls {false, true}]
[--rotation-int]
[--runtime-socket]
[--show-template {false, true}]
[--simulate-plc {false, true}]
[--sp-app-id]
[--sp-object-id]
[--sp-secret]
[--sp-secret-valid-days]
Examples
Minimum input for complete setup. This includes Key Vault configuration, CSI driver deployment, TLS config and deployment of IoT Operations.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id /subscriptions/2cb3a427-1abc-48d0-9d03-dd240819742a/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault
Same setup as prior example, except with the usage of an existing app Id and a flag to include a simulated PLC server as part of the deployment. Including the app Id will prevent init from creating an app registration.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --simulate-plc
To skip deployment and focus only on the Key Vault CSI driver and TLS config workflows, simply pass in --no-deploy. This can be useful when you want to deploy from a different tool such as Portal.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --no-deploy
To only deploy IoT Operations on a cluster that has already been prepped, simply omit --kv-id and include --no-tls.
az iot ops init --cluster mycluster -g myresourcegroup --no-tls
Use --no-block to do other work while the deployment is on-going vs waiting for the deployment to finish before starting the other work.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --no-block
This example shows providing values for --sp-app-id, --sp-object-id and --sp-secret. These values should reflect the desired service principal that will be used for the Key Vault CSI driver secret synchronization. Please review the command summary for additional details.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --sp-object-id 224a7a3f-c63d-4923-8950-c4a85f0d2f29 --sp-secret $SP_SECRET
To customize runtime configuration of the Key Vault CSI driver, --csi-config can be used. For example setting resource limits on the telegraf container dependency.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --csi-config telegraf.resources.limits.memory=500Mi telegraf.resources.limits.cpu=100m
Required Parameters
- `--cluster`: Target cluster name for IoT Operations deployment.
- `--resource-group`: Name of resource group. You can configure the default group using `az configure --defaults group=<name>`.
Optional Parameters
- `--add-insecure-listener`: When enabled the mqtt broker deployment will include a listener bound to port 1883 with no authN or authZ. For non-production workloads only.
- `--bfr`: Mqtt broker frontend replicas.
- `--bfw`: Mqtt broker frontend workers.
- `--broker`: The mqtt broker name.
- `--broker-authn`: The mqtt broker authN name.
- `--broker-backend-part`: Mqtt broker backend partitions.
- `--broker-backend-rf`: Mqtt broker backend redundancy factor.
- `--broker-backend-workers`: Mqtt broker backend workers.
- `--broker-config-file`: Path to a json file with custom broker config properties. Useful for advanced scenarios. The expected format is described at https://aka.ms/aziotops-broker-config.
- `--broker-listener`: The mqtt broker listener name.
- `--broker-mem-profile`: Mqtt broker memory profile.
- `--broker-service-type`: Mqtt broker service type.
- `--ca-dir`: The local directory the generated test CA and private key will be placed in. If no directory is provided no files will be written to disk. Applicable when no --ca-file and --ca-key-file are provided.
- `--ca-file`: The path to the desired CA file in PEM format.
- `--ca-key-file`: The path to the CA private key file in PEM format. !Required! when --ca-file is provided.
- `--ca-valid-days`: Option to control the duration in days of the init generated x509 CA. Applicable if --ca-file and --ca-key-file are not provided.
- `--cluster-namespace`: The cluster namespace IoT Operations infra will be deployed to. Must be lowercase.
- `--context`: Kubeconfig context name to use for k8s cluster communication. If no context is provided current_context is used.
- `--csi-config`: CSI driver extension custom configuration. Format is space-separated key=value pairs. --csi-config can be used one or more times.
- `--csi-ver`: CSI driver extension version.
- `--custom-location`: The custom location name corresponding to the IoT Operations deployment. The default is in the form '{cluster_name}-{token}-ops-init-cl'.
- `--desc`: Description of the IoT Operations instance.
- `--df-profile-instances`: The instance count associated with the default dataflow profile.
- `--disable-rotation`: Flag to disable secret rotation.
- `--disable-rsync-rules`: Resource sync rules will not be included in the IoT Operations deployment.
- `--ensure-latest`: Ensure the latest IoT Ops CLI is being used, raising an error if an upgrade is available.
- `--kubernetes-distro`: The Kubernetes distro to use for Akri configuration. The selected distro implies the default container runtime socket path when no --runtime-socket value is provided.
- `--kv-id`: Key Vault ARM resource Id. Providing this resource Id will enable the client to setup all necessary resources and cluster side configuration to enable the Key Vault CSI driver for IoT Operations.
- `--kv-spc-secret-name`: The Key Vault secret name to use as the default SPC secret. If the secret does not exist, it will be created with a cryptographically secure placeholder value.
- `--location`: The ARM location that will be used for provisioned RPSaaS collateral. If not provided the connected cluster location will be used.
- `--name`: IoT Operations instance name. The default is in the form '{cluster_name}-ops-instance'.
- `--no-block`: Return immediately after the IoT Operations deployment has started.
- `--no-deploy`: The IoT Operations deployment workflow will be skipped.
- `--no-progress`: Disable visual representation of work.
- `--no-tls`: The TLS configuration workflow will be skipped.
- `--rotation-int`: Rotation poll interval.
- `--runtime-socket`: The default node path of the container runtime socket. If not provided (default), the socket path is determined by --kubernetes-distro.
- `--show-template`: Flag when set, will output the template intended for deployment.
- `--simulate-plc`: Flag when set, will configure the OPC-UA broker installer to spin-up a PLC server.
- `--sp-app-id`: Service principal app Id. If provided will be used for CSI driver setup. Otherwise an app registration will be created. Required if the logged in principal does not have permissions to query graph.
- `--sp-object-id`: Service principal (sp) object Id. If provided will be used for CSI driver setup. Otherwise the object Id will be queried from the app Id - creating the sp if one does not exist. Required if the logged in principal does not have permissions to query graph. Use `az ad sp show --id <app Id> --query id -o tsv` to produce the proper object Id. Alternatively using Portal you can navigate to Enterprise Applications in your Entra Id tenant.
- `--sp-secret`: The secret corresponding to the provided service principal app Id. If provided will be used for CSI driver setup. Otherwise a new secret will be created. Required if the logged in principal does not have permissions to query graph.
- `--sp-secret-valid-days`: Option to control the duration in days of the init generated service principal secret. Applicable if --sp-secret is not provided.
Global Parameters
- `--debug`: Increase logging verbosity to show all debug logs.
- `--help`: Show this help message and exit.
- `--only-show-errors`: Only show errors, suppressing warnings.
- `--output`: Output format.
- `--query`: JMESPath query string. See http://jmespath.org/ for more information and examples.
- `--subscription`: Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
- `--verbose`: Increase logging verbosity. Use --debug for full debug logs.
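A pre-flight review that a pipeline could run on an `az iot ops init` argument list, based on the init parameter descriptions above (added example, not part of the Azure CLI or the azure-iot-ops extension). The function names, the `prod`/`dev` environment label and the BLOCK/WARN policy are assumptions of this example; only the value `false` is treated as switching a `{false, true}` flag off.

```shell
#!/usr/bin/env bash
# Added example: review `az iot ops init` arguments before they are run.
# Names, the prod/dev label and the BLOCK/WARN policy are assumptions.

# flag_on NAME ARGS...: true when the {false, true} flag NAME is given
# bare, as "NAME true" or as "NAME=true"; "false" switches it off.
flag_on() {
  local name="$1" val
  shift
  while [ $# -gt 0 ]; do
    val=""
    case "$1" in
      "$name")   val="${2:-true}" ;;
      "$name"=*) val="${1#*=}" ;;
    esac
    case "$val" in
      "" | [Ff][Aa][Ll][Ss][Ee]) ;;
      *) return 0 ;;
    esac
    shift
  done
  return 1
}

# has_opt NAME ARGS...: true when option NAME appears at all.
has_opt() {
  local name="$1" a
  shift
  for a in "$@"; do
    case "$a" in "$name" | "$name"=*) return 0 ;; esac
  done
  return 1
}

# audit_init_args ENV ARGS...: prints one finding per line.
# Returns 1 when at least one BLOCK finding was printed, else 0.
audit_init_args() {
  local env="$1" rc=0
  shift
  if flag_on --add-insecure-listener "$@"; then
    if [ "$env" = "prod" ]; then
      echo "BLOCK --add-insecure-listener: port 1883 listener with no authN or authZ"
      rc=1
    else
      echo "WARN --add-insecure-listener: non-production workloads only"
    fi
  fi
  if has_opt --ca-file "$@" && ! has_opt --ca-key-file "$@"; then
    echo "BLOCK --ca-file given without --ca-key-file"
    rc=1
  fi
  if flag_on --no-tls "$@"; then
    echo "WARN --no-tls: TLS configuration workflow is skipped"
  elif ! has_opt --ca-file "$@"; then
    echo "WARN no --ca-file: init generates a test CA"
    if has_opt --ca-dir "$@"; then
      echo "WARN --ca-dir: generated CA private key is written to disk"
    fi
  fi
  if flag_on --disable-rotation "$@"; then
    echo "WARN --disable-rotation: secret rotation is disabled"
  fi
  return "$rc"
}

# Constructed sample invocation (cluster and group names from the examples).
audit_init_args prod --cluster mycluster -g myresourcegroup \
  --add-insecure-listener || echo "init blocked by pre-flight review"
```

In a pipeline, call `audit_init_args` with the same arguments that will be passed to `az iot ops init` and stop the job on a non-zero return.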
az iot ops list
List IoT Operations instances.
Use --query with desired JMESPath syntax to query the result.
az iot ops list [--resource-group]
Examples
List all instances in the subscription.
az iot ops list
List all instances of a particular resource group.
az iot ops list -g myresourcegroup
List the instances in the subscription that have a particular tag value.
az iot ops list -g myresourcegroup --query "[?tags.env == 'prod']"
Optional Parameters
- `--resource-group`: Name of resource group. You can configure the default group using `az configure --defaults group=<name>`.
Global Parameters
- `--debug`: Increase logging verbosity to show all debug logs.
- `--help`: Show this help message and exit.
- `--only-show-errors`: Only show errors, suppressing warnings.
- `--output`: Output format.
- `--query`: JMESPath query string. See http://jmespath.org/ for more information and examples.
- `--subscription`: Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
- `--verbose`: Increase logging verbosity. Use --debug for full debug logs.
az iot ops show
Show an IoT Operations instance.
Optionally the command can output a tree structure of associated resources representing the IoT Operations deployment against the backing cluster.
az iot ops show --name
--resource-group
[--tree {false, true}]
Examples
Basic usage to show an instance.
az iot ops show --name myinstance -g myresourcegroup
Output a tree structure of associated resources representing the IoT Operations deployment.
az iot ops show --name myinstance -g myresourcegroup --tree
Required Parameters
- `--name`: IoT Operations instance name.
- `--resource-group`: Name of resource group. You can configure the default group using `az configure --defaults group=<name>`.
Optional Parameters
- `--tree`: Use to visualize the IoT Operations deployment against the backing cluster.
Global Parameters
- `--debug`: Increase logging verbosity to show all debug logs.
- `--help`: Show this help message and exit.
- `--only-show-errors`: Only show errors, suppressing warnings.
- `--output`: Output format.
- `--query`: JMESPath query string. See http://jmespath.org/ for more information and examples.
- `--subscription`: Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
- `--verbose`: Increase logging verbosity. Use --debug for full debug logs.
az iot ops update
Update an IoT Operations instance.
Currently instance tags and description can be updated.
az iot ops update --name
--resource-group
[--desc]
[--tags]
Examples
Update instance tags. This is equivalent to a replace.
az iot ops update --name myinstance -g myresourcegroup --tags a=b c=d
Remove instance tags.
az iot ops update --name myinstance -g myresourcegroup --tags ""
Update the instance description.
az iot ops update --name myinstance -g myresourcegroup --desc "Fabrikam Widget Factory B42"
Required Parameters
- `--name`: IoT Operations instance name.
- `--resource-group`: Name of resource group. You can configure the default group using `az configure --defaults group=<name>`.
Optional Parameters
- `--desc`: Description of the IoT Operations instance.
- `--tags`: Instance tags. Property bag in key-value pairs with the following format: a=b c=d.
Global Parameters
- `--debug`: Increase logging verbosity to show all debug logs.
- `--help`: Show this help message and exit.
- `--only-show-errors`: Only show errors, suppressing warnings.
- `--output`: Output format.
- `--query`: JMESPath query string. See http://jmespath.org/ for more information and examples.
- `--subscription`: Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
- `--verbose`: Increase logging verbosity. Use --debug for full debug logs.
az iot ops verify-host
Runs a set of cluster host verifications for IoT Operations deployment compatibility.
Intended to be run directly on a target cluster host. The command may prompt to apply a set of privileged actions such as installing a dependency. In this case the CLI must be run with elevated permissions. For example `sudo AZURE_EXTENSION_DIR=~/.azure/cliextensions az iot ops verify-host`.
az iot ops verify-host [--no-progress {false, true}]
Optional Parameters
- `--no-progress`: Disable visual representation of work.
Global Parameters
- `--debug`: Increase logging verbosity to show all debug logs.
- `--help`: Show this help message and exit.
- `--only-show-errors`: Only show errors, suppressing warnings.
- `--output`: Output format.
- `--query`: JMESPath query string. See http://jmespath.org/ for more information and examples.
- `--subscription`: Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
- `--verbose`: Increase logging verbosity. Use --debug for full debug logs.