
How is security managed in Azure IoT Hub? — SAS tokens & X.509 authentication used

Dhruvesh Sheladiya 0 Reputation points Microsoft Employee
2026-05-14T18:43:38.0366667+00:00

Description

I am trying to understand how Azure IoT Hub manages device-level security and authentication, specifically how mechanisms like SAS tokens and X.509 certificates are used to securely connect and authorize devices.


Environment Details

Azure Service: Azure IoT Hub

Device Type: IoT devices (simulated/physical)

Communication Protocols: MQTT / AMQP / HTTPS

Authentication Types: SAS tokens, X.509 certificates

Security Layer: TLS-encrypted communication

Identity Management: IoT Hub device identity registry


Investigation Details / Observations

IoT Hub requires every device to authenticate before connecting, using credentials stored in the identity registry.

All communication is secured over TLS encryption across supported protocols. [[Microsoft...re Roadmap | PowerPoint]](https://microsoft.sharepoint.com/teams/Mooncake_Public_Site/_layouts/15/Doc.aspx?sourcedoc=%7BA4DCA4C8-7A57-4662-BE01-102F1E6EF2DE%7D&file=Microsoft%20Azure%20Roadmap.pptx&action=edit&mobileredirect=true&DefaultItemOpen=1)

Two primary authentication mechanisms are supported:

• SAS (Shared Access Signature) tokens

• X.509 certificate-based authentication

Authentication is followed by **authorization**, where permissions are validated.


Security Mechanisms Observed

SAS Token-Based Authentication

• Uses symmetric keys associated with each device

• Generates **time-bound tokens** for secure access [[Azure Data...and Learn | PowerPoint]](https://microsoft.sharepoint.com/teams/customersuccessunituk/_layouts/15/Doc.aspx?sourcedoc=%7BD8D780C6-DBC4-479D-8B8A-67150DD16F04%7D&file=Azure%20Data%20Lake%20Store%20and%20Analytics%20Lunch%20and%20Learn.pptx&action=edit&mobileredirect=true&DefaultItemOpen=1)

• Tokens are sent with each request instead of exposing keys [[Azure Data...and Learn | PowerPoint]](https://microsoft.sharepoint.com/teams/customersuccessunituk/_layouts/15/Doc.aspx?sourcedoc=%7BD8D780C6-DBC4-479D-8B8A-67150DD16F04%7D&file=Azure%20Data%20Lake%20Store%20and%20Analytics%20Lunch%20and%20Learn.pptx&action=edit&mobileredirect=true&DefaultItemOpen=1)

X.509 Certificate-Based Authentication

• Uses public/private key cryptography (PKI model)

• Authentication occurs during TLS handshake

• IoT Hub validates certificate against configured CA or thumbprint

• Enables scalable trust model for large device fleets [[IoT Hub -...nnectivity | ADO Work Items (MSFT-Skilling)]](https://dev.azure.com/msft-skilling/cebd7ef5-4282-448b-9701-88c8637581b7/_workitems/edit/564763)

Transport Security (TLS)

• Ensures encryption of data in transit

• Supports mutual authentication (device + IoT Hub validation) [[Azure Alch...ow Diagram | PowerPoint]](https://microsoft.sharepoint.com/teams/AzureSupportExperiences/_layouts/15/Doc.aspx?sourcedoc=%7B542D660A-9341-4B76-9B4C-33E64FE6F6FD%7D&file=Azure%20Alchemy%20Data%20Flow%20Diagram.pptx&action=edit&mobileredirect=true&DefaultItemOpen=1)
                       

Steps Followed / Investigation Done

Reviewed IoT Hub authentication and authorization concepts

Explored SAS token generation and usage patterns

Analyzed X.509 certificate-based authentication flow

Observed TLS enforcement across all protocols

Checked how device identities are linked to authentication


Mitigation / Considerations Explored

Evaluated SAS tokens for simple or low-cost device scenarios

Considered X.509 certificates for stronger security and scalability

Reviewed token expiration and renewal handling for SAS

Assessed certificate management requirements (CA setup, rotation)


Challenges / Confusions

When to use SAS tokens vs X.509 certificates in production

How IoT Hub validates SAS tokens internally per request

Complexity of managing certificates at scale (rotation, revocation)

Security trade-offs between symmetric keys and certificate-based auth


Ask / Clarification Needed

What is the recommended authentication model for large-scale IoT deployments?

How does IoT Hub handle key rotation and certificate lifecycle management?

What are best practices for securely storing credentials on edge devices?

Azure IoT Hub

An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.


2 answers

  1. Karnam Venkata Rajeswari 3,575 Reputation points Microsoft External Staff Moderator
    2026-05-14T19:54:44.16+00:00

    Hello @Dhruvesh Sheladiya ,

    Welcome to Microsoft Q&A. Thank you for reaching out to us.

    Securing device connectivity in Azure IoT Hub involves a layered approach, beginning with unique device identities and extending through robust authentication, authorization, and transport encryption. Each device is registered in the identity registry, where credentials—either symmetric keys or X.509 certificate information—are securely maintained.

    All supported communication protocols, including MQTT, AMQP, and HTTPS, operate over TLS 1.2. This ensures encrypted data transfer, integrity protection, and secure server authentication. When X.509 certificates are used, TLS enables mutual authentication, allowing both the device and IoT Hub to validate each other during connection establishment.

    1. Recommended Authentication Model for Large-Scale Deployments

    For environments with many devices or heightened security requirements, X.509 certificate-based authentication is recommended. This model leverages public key infrastructure (PKI) and CA-signed certificates to establish scalable trust between devices and IoT Hub. Advantages include:
      • Strong device identity assurance
      • Enhanced protection against device cloning
      • Seamless integration with TPM/HSM-backed security
      • Centralized certificate lifecycle management

    Device Provisioning Service (DPS) is ideal for large fleets, offering:
      • Zero-touch provisioning
      • X.509 and TPM attestation
      • Enrollment groups for bulk onboarding
      • Automated reprovisioning workflows

    SAS token authentication remains practical for smaller deployments, cost-sensitive scenarios, or resource-constrained devices. Many production environments use a hybrid model, applying X.509 certificates for gateways and critical infrastructure, and SAS tokens for low-cost or constrained edge devices.

    2. Key Rotation and Certificate Lifecycle Management

    Credential rotation is essential for maintaining long-term device security.

    For SAS authentication:

    • Each device uses primary and secondary symmetric keys
    • Keys can be rotated without downtime by switching between credentials
    • SAS tokens should use shorter expiration periods

    IoT Hub validates SAS token expiry, signature integrity, and device identity during connection establishment.

    For X.509 authentication:

    • Certificate renewal and reprovisioning should be automated
    • Intermediate CA hierarchies are preferable to direct root signing

    Compromised devices are typically blocked by disabling the device identity, removing certificate trust associations, or reprovisioning the affected device.

    3. Best Practices for Secure Credential Storage on Edge Devices

    Hardware-backed security is strongly recommended for protecting device credentials. Recommended options are:
      • Trusted Platform Modules (TPMs)
      • Hardware Security Modules (HSMs)
      • Secure Elements
      • Trusted Execution Environments (TEE)

    As additional security measures:
      • Enable secure boot and signed firmware
      • Avoid plaintext or hardcoded credentials
      • Use per-device credentials only
      • Apply least-privilege access controls
      • Keep device firmware and SDKs updated regularly

    Please consider checking the following troubleshooting steps if needed.

    Common SAS authentication issues:
      • Expired SAS tokens
      • Incorrect device system time or NTP drift
      • Invalid HMAC signatures
      • Disabled device identities

    Common X.509 authentication issues:
      • Expired certificates
      • Invalid certificate chains
      • Untrusted CA certificates
      • TLS handshake failures

    The troubleshooting steps would be to:
      • Verify device identity status in IoT Hub
      • Check token expiry and certificate validity periods
      • Validate certificate chains using OpenSSL
      • Review IoT Hub diagnostic logs for authentication failures
      • Enable SDK-level logging for TLS and connection troubleshooting
      • Confirm trusted root CA certificates are updated on devices

    The following references might be helpful, please check them out.

    Please let us know if the following response was helpful

    Thank you


  2. AI answer

    2026-05-14T18:44:25.52+00:00

    Azure IoT Hub manages device-level security with a combination of per-device identities, strong transport security (TLS), and two main authentication models: SAS tokens and X.509 certificates. Authorization is then enforced based on the authenticated device identity.

    Device identity and authentication

    1. Identity registry
      • Every device or module must have an entry in the IoT Hub identity registry before it can connect.
      • The registry stores the device ID and its authentication credentials (symmetric keys for SAS or X.509 thumbprints/cert chains).
      • On each connection, IoT Hub authenticates the device using those stored credentials.
      Reference: What is Azure IoT Hub?
    2. Supported authentication methods
      • SAS token–based authentication using symmetric keys.
      • X.509 certificate–based authentication using device or CA-signed certificates.
      Reference: What is Azure IoT Hub?

    SAS token–based authentication

    • Each device has a symmetric key in the identity registry.
    • The device generates a Shared Access Signature (SAS) token that includes:
      • Target resource URI (hub + device ID)
      • Expiry time
      • HMAC signature computed with the device key
    • The device sends the SAS token as the password/authorization credential on each connection or request (for example, in MQTT CONNECT password or HTTP Authorization header).
    • IoT Hub validates the SAS token on every use by recomputing the signature with the stored device key and checking the expiry.
    • Best practice is to use per-device keys/tokens, not hub-level shared access policies, to prevent one device from impersonating another.

    Relevant guidance:

    X.509 certificate–based authentication

    1. Direct device certificates
      • The device presents an X.509 certificate during the TLS handshake.
      • IoT Hub validates the certificate against the configured thumbprint or CA trust chain in the identity registry.
    2. CA-signed device certificates (recommended for scale)
      • A CA certificate is registered with IoT Hub.
      • Devices hold leaf certificates chained to that CA.
      • When a device connects, it uploads its certificate chain. IoT Hub:
        1. Cryptographically validates the certificate chain.
        2. Issues a proof-of-possession challenge; the device must sign/answer using its private key.
      • On successful response, IoT Hub considers the device authenticated.
      • TLS is renegotiated and the certificate revalidated on every connection.
      Reference: Authenticate identities with third-party X.509 certificates – X.509 certificate flow
    3. Revocation and blocking
      • IoT Hub does not check external certificate revocation lists.
      • To block a compromised device certificate, disable or delete the device in the identity registry.
      Reference: Authenticate identities with third-party X.509 certificates – Revoke a device certificate

    Transport security (TLS)

    • All supported protocols (MQTT, AMQP, HTTPS) use TLS to protect data in transit.
    • TLS provides confidentiality and integrity; with X.509 device auth it also supports mutual authentication (device and service).
    • Guidance recommends TLS 1.2 and strong cipher suites, and keeping trusted root CAs up to date.

    Relevant guidance:

    1. Prefer X.509 certificates for production and scale
      • X.509 is more secure and scalable than symmetric keys and is the recommended method for production environments and large fleets.
      • Use CA-signed device certificates so that devices can be onboarded and validated via a chain of trust instead of managing per-device symmetric keys.
      References:
    2. Use SAS tokens for specific scenarios
      • Suitable for simpler devices that can securely store a symmetric key and where PKI management is too heavy.
      • Still recommended to use unique keys per device and rotate them regularly.
      References:
    3. Use Device Provisioning Service (DPS) for secure, zero-touch provisioning
      • For large fleets, use Azure IoT Hub Device Provisioning Service (DPS) to handle secure onboarding, identity assignment, and authentication setup at scale.
      • DPS supports X.509 and TPM attestation and helps with certificate roll/rotation.
      References:
    4. Certificate management with Microsoft-managed PKI (preview)
      • IoT Hub introduces certificate management using Microsoft-managed PKI to issue and manage X.509 device certificates.
      • Provides a dedicated cloud-based PKI per Azure Device Registry (ADR) namespace, handling issuance and renewal of operational device certificates used to authenticate to IoT Hub.
      • Requires devices to be provisioned through DPS.
      Reference: What is new in Azure IoT Hub? (preview) – Manage your X.509 credentials with certificate management

    Key rotation and certificate lifecycle

    1. Device credentials should be renewable and rotated
      • Regularly rotate device keys and certificates to limit the impact of compromise or expiration.
      • For X.509, implement certificate rolling/renewal processes (for example, via DPS or certificate management).
      • For SAS, rotate underlying symmetric keys and adjust token lifetimes.
      References:
    2. Certificate revocation / blocking devices
      • IoT Hub doesn’t consult CA CRLs for device cert revocation.
      • To revoke a device, disable or delete it in the identity registry so it can no longer authenticate.
      Reference: Authenticate identities with third-party X.509 certificates – Revoke a device certificate
    3. TLS root and operational certificate updates
      • Ensure devices can update trusted root CAs and their own X.509 device certificates so they continue to connect when certificates expire or are replaced.
      Reference: Secure your IoT solutions – Connection security

    Best practices for storing credentials on edge devices

    1. Use hardware-backed secure storage (HSM/TPM)
      • Store private keys, symmetric keys, and certificates in Hardware Security Modules (HSMs) or Trusted Platform Modules (TPMs) to protect against extraction and tampering.
      • This is strongly recommended for X.509 private keys used in proof-of-possession.
      References:
    2. Minimize device attack surface
      • Choose hardware with only necessary features and with tamper-proof and secure-boot capabilities.
      • Use OS-level encryption (for example, BitLocker on Windows) for data at rest on edge devices.
      References:
    3. Use device SDKs and secure update mechanisms
      • Use Azure IoT device SDKs, which implement secure authentication and encryption patterns.
      • Deploy update agents and use services like Device Update for IoT Hub to keep firmware, runtimes, and SDKs patched.
      References:
    4. Per-device credentials and least privilege
      • Always use per-device credentials (SAS keys or certificates).
      • Avoid shared symmetric keys across devices.
      • Grant only the minimum permissions required for each identity.
      References:

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

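The SAS mechanism is described three times on this page (the question's "SAS Token-Based Authentication" notes, answer 1's primary/secondary key rotation and "expiry, signature integrity, and device identity" checks, and the AI answer's field list and per-use recomputation), but none of them shows the bytes. The block below is an added example, not code from the question, either answer, or the Azure device SDKs. It mints a device-scoped token in the format the public IoT Hub documentation gives (`sr`, `sig`, `se`, with `sig` an HMAC-SHA256 over the URL-encoded resource plus a newline plus the expiry, keyed with the base64-decoded device key) and then models the hub-side validation as a pure function: resource must match the device, expiry must be in the future, and the signature must recompute under either the primary or the secondary registered key. The hub host, device ids and keys are constructed for the example; the validator is a model of the documented checks, not IoT Hub's actual service code, and it applies no clock-skew tolerance (an assumption), which is what makes the "device clock behind NTP" failure mode visible.

```python
"""Device SAS tokens for Azure IoT Hub: how a device mints one, what the hub
checks when it arrives, and why primary/secondary keys allow zero-downtime rotation.

Added example, not Azure SDK code. Token layout follows the public IoT Hub docs:
  SharedAccessSignature sr=<resource>&sig=<base64 HMAC>&se=<unix expiry>
  sig = base64(HMAC-SHA256(base64decode(device_key), urlencode(sr) + "\n" + se))
Hub host, device ids and keys below are constructed for the example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode

HUB_HOST = "contoso-hub.azure-devices.net"   # constructed, not a real hub
DEVICE_ID = "sensor-0042"                     # constructed device identity
PRIMARY_KEY = base64.b64encode(b"primary-key-bytes-for-the-example").decode()
SECONDARY_KEY = base64.b64encode(b"secondary-key-bytes-for-the-example").decode()
OTHER_DEVICE_KEY = base64.b64encode(b"some-other-devices-key-for-example").decode()


def device_resource_uri(hub_host: str, device_id: str) -> str:
    """A device token is scoped to one device path, not to the whole hub."""
    return f"{hub_host}/devices/{device_id}"


def _signature(key_b64: str, resource_uri: str, expiry: int) -> str:
    """HMAC-SHA256 over '<url-encoded resource>\\n<expiry>' keyed with the raw key bytes."""
    string_to_sign = f"{quote_plus(resource_uri)}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_device_sas(hub_host: str, device_id: str, key_b64: str,
                        now: int, ttl_seconds: int = 3600) -> str:
    """Device side: mint a short-lived token. Only the token travels; the key stays on the device."""
    uri = device_resource_uri(hub_host, device_id)
    expiry = int(now) + ttl_seconds
    return "SharedAccessSignature " + urlencode(
        {"sr": uri, "sig": _signature(key_b64, uri, expiry), "se": str(expiry)})


def parse_sas(token: str) -> dict:
    """Split a token back into its fields; raises ValueError on anything malformed."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = parse_qs(token[len(prefix):], strict_parsing=True)
    return {name: values[0] for name, values in fields.items()}


def verify_device_sas(token: str, hub_host: str, device_id: str,
                      registered_keys: dict, now: int) -> tuple:
    """Hub side, modelled on the documented checks (assumption: no skew tolerance):
    the token must name this device's resource, be unexpired, and carry a signature
    that recomputes under one of the device's registered keys (primary OR secondary,
    which is what makes rotation possible). Returns (status, matching_key_name)."""
    try:
        fields = parse_sas(token)
        resource, sig, expiry = fields["sr"], fields["sig"], int(fields["se"])
    except (KeyError, ValueError):
        return ("malformed", None)
    if resource != device_resource_uri(hub_host, device_id):
        return ("wrong-resource", None)       # token minted for some other device
    if expiry <= int(now):
        return ("expired", None)              # also what a slow device clock looks like
    for key_name, key_b64 in registered_keys.items():
        expected = _signature(key_b64, resource, expiry)
        if hmac.compare_digest(expected.encode(), sig.encode()):   # constant-time compare
            return ("ok", key_name)
    return ("bad-signature", None)            # wrong key, or sr/se tampered after signing


def rotation_walkthrough(now: int) -> list:
    """Rotate the primary key without downtime: the device moves to the secondary key,
    the operator regenerates the primary, and tokens under the retired key stop verifying."""
    registry = {"primary": PRIMARY_KEY, "secondary": SECONDARY_KEY}
    old_primary_token = generate_device_sas(HUB_HOST, DEVICE_ID, PRIMARY_KEY, now)
    secondary_token = generate_device_sas(HUB_HOST, DEVICE_ID, SECONDARY_KEY, now)
    steps = [verify_device_sas(old_primary_token, HUB_HOST, DEVICE_ID, registry, now + 1),
             verify_device_sas(secondary_token, HUB_HOST, DEVICE_ID, registry, now + 1)]
    # Operator regenerates the primary key in the identity registry (constructed value).
    registry["primary"] = base64.b64encode(b"rotated-primary-key-for-the-example").decode()
    steps.append(verify_device_sas(old_primary_token, HUB_HOST, DEVICE_ID, registry, now + 1))
    steps.append(verify_device_sas(secondary_token, HUB_HOST, DEVICE_ID, registry, now + 1))
    return steps  # [("ok","primary"), ("ok","secondary"), ("bad-signature",None), ("ok","secondary")]


if __name__ == "__main__":
    now = 1_700_000_000
    keys = {"primary": PRIMARY_KEY, "secondary": SECONDARY_KEY}
    token = generate_device_sas(HUB_HOST, DEVICE_ID, PRIMARY_KEY, now)
    print(token)
    print(verify_device_sas(token, HUB_HOST, DEVICE_ID, keys, now + 10))
    # Device clock two hours slow: the token is already expired when the hub sees it.
    slow_clock = generate_device_sas(HUB_HOST, DEVICE_ID, PRIMARY_KEY, now - 7200)
    print(verify_device_sas(slow_clock, HUB_HOST, DEVICE_ID, keys, now))
    print(rotation_walkthrough(now))
```

The token string is what goes into the MQTT CONNECT password or the HTTP Authorization header, as the AI answer notes. Two things the walkthrough makes concrete: a token for `sensor-0042` signed with another device's key fails with `bad-signature`, and a token whose `sr` names another device fails with `wrong-resource` even when the key is right, which is the property per-device keys buy over a hub-level shared access policy. Because the hub accepts either registered key, the device can switch to the secondary key before the operator regenerates the primary, and nothing reconnects with a dead credential.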
