deleting registration at DPS in group enrollment

Omar Navarro 331 Reputation points
2022-10-05T21:30:54.297+00:00

After deleting a specific registration within an enrollment group, is it possible to re-register the device with the same name?

Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.

1 answer

  1. AshokPeddakotla-MSFT 28,316 Reputation points
    2022-10-07T09:10:54.9+00:00

    @Omar Navarro Thanks for this great and helpful query on this forum.

    After deleting a specific registration within an enrollment group, is it possible to re-register the device with the same name?

    Just to clarify the query, are you referring to deleting a device with X.509 attestation in a group enrollment and then adding/registering the same device again with the same name?

    If you just delete the device registration, then the device may get registered with the DPS service again in the future (because it still has a leaf certificate with a valid expiration date), which is not desirable.

    Is there a specific reason you would like to do it again?

    As per the definition here: https://learn.microsoft.com/en-us/azure/iot-dps/concepts-service#registration

    A registration is the record of a device successfully registering/provisioning to an IoT Hub via the Device Provisioning Service. Registration records are created automatically; they can be deleted, but they cannot be updated.

    The Device Provisioning Service has the following rate limits.

    [image: table of Device Provisioning Service rate limits]

    Best approach to deprovision a single device from an enrollment group:

    1. Create a disabled individual enrollment for the device.

    If you have the device (end-entity) certificate, you can create a disabled X.509 individual enrollment.
    If you don't have the device certificate, you can create a disabled symmetric key individual enrollment based on the device ID in the registration record for that device.
    To learn more, see Disallow specific devices in an enrollment group.

    The presence of a disabled individual enrollment for a device revokes access to the provisioning service for that device while still permitting access for other devices that have the enrollment group's signing certificate in their chain. Do not delete the disabled individual enrollment for the device. Doing so will allow the device to re-enroll through the enrollment group.

    2. Use the list of provisioned devices for that enrollment group to find the IoT hub that the device was provisioned to and disable or delete it from that hub's identity registry.

    There is a useful discussion from ralarcones here: if you have a huge number of devices registered in DPS that go through a life cycle where you remove part of that huge number of devices but need to register others, then you would reach the limits of DPS. This would be something to consider if we are talking about multiple hundreds of thousands or even millions of devices.

    For example, imagine you are reaching the DPS limits during some performance tests which need to remove registration records to continue working (something that could happen if you are looking to deploy millions of devices in production and you are testing the provisioning process).

    Another example: imagine that in production you are close to the DPS limits during your regular usage; if for any reason you need to re-provision part of your device fleet, it would raise some issues (imagine a change in authentication, a change in the certificates...).

    For DPS limits check: https://learn.microsoft.com/en-us/azure/iot-dps/about-iot-dps#quotas-and-limits

    Of course, if you are managing a big number of devices you will need to use a scripting approach to manage the deletions.

    To disenroll devices, check: https://learn.microsoft.com/en-us/azure/iot-dps/how-to-revoke-device-access-portal
    To deprovision devices, check: https://learn.microsoft.com/en-us/azure/iot-dps/how-to-unprovision-devices

    Note that directly removing an enrollment does not remove the registration records; you need to take care of that as mentioned in the documentation. Removing an enrollment would leave the registration records in an "orphan" state (for now; I know there are some actions on-going regarding this situation). There is explicit guidance on removing an enrollment to avoid this situation too.

    Hope this helps! Do let us know if you have any further queries.

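The two-step deprovisioning procedure from the answer above, written out as an Azure CLI script (added example; not part of the original answer or of Microsoft's documentation). It assumes a DPS instance named "my-dps" in resource group "iot-rg", a device registration ID "device-0042", and that the assigned hub's host name ends in ".azure-devices.net" so the bare hub name can be recovered by stripping the suffix. With DRY_RUN=1 (the default) the script prints the az commands it would run and substitutes a constructed registration record for the DPS lookup, so it can be read and checked without a subscription; DRY_RUN=0 executes them with the azure-iot CLI extension installed.

```shell
#!/bin/sh
# Added example (not from the original post): block one device at DPS, then disable
# its identity in the hub it was assigned to, as the two steps in the answer describe.
# Assumed names: DPS "my-dps", resource group "iot-rg", registration ID "device-0042".
set -eu

DPS_NAME="${DPS_NAME:-my-dps}"
RG="${RG:-iot-rg}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the az commands instead of executing them

# run: print an az command and, unless DRY_RUN=1, execute it.
run() {
  printf 'az %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || az "$@"
}

# Step 1: create a DISABLED individual enrollment whose registration ID equals the
# device's. The individual enrollment takes precedence over the group enrollment, so
# DPS refuses the device even though its leaf certificate is still valid. Use x509 when
# the device certificate is at hand; otherwise a symmetric-key enrollment is enough
# (the generated key is never used because the enrollment is disabled).
block_device() {
  reg_id="$1"; cert_path="${2:-}"
  if [ -n "$cert_path" ]; then
    run iot dps enrollment create --dps-name "$DPS_NAME" --resource-group "$RG" \
      --enrollment-id "$reg_id" --attestation-type x509 \
      --certificate-path "$cert_path" --provisioning-status disabled
  else
    run iot dps enrollment create --dps-name "$DPS_NAME" --resource-group "$RG" \
      --enrollment-id "$reg_id" --attestation-type symmetrickey \
      --provisioning-status disabled
  fi
}

# Registration record lookup: prints "<deviceId>\t<assignedHub>". In dry-run mode a
# constructed sample record stands in for the DPS answer.
lookup_registration() {
  reg_id="$1"
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\t%s\n' "$reg_id" "my-hub.azure-devices.net"   # constructed sample
  else
    az iot dps enrollment-group registration show --dps-name "$DPS_NAME" \
      --resource-group "$RG" --registration-id "$reg_id" \
      --query '[deviceId, assignedHub]' -o tsv
  fi
}

# assignedHub is a host name; az iot hub commands take the bare hub name
# (assumption: the host name is <hub>.azure-devices.net, so cut at the first dot).
hub_short_name() { printf '%s\n' "${1%%.*}"; }

# Step 2: disable the identity in the assigned hub. Only then delete the registration
# record: with the disabled individual enrollment in place, deleting the record no
# longer lets the device come back, and it stops counting against DPS limits.
deprovision_device() {
  reg_id="$1"; cert_path="${2:-}"
  block_device "$reg_id" "$cert_path"
  set -- $(lookup_registration "$reg_id")   # default IFS splits on the tab
  device_id="${1:-}"; hub="${2:-}"
  if [ -z "$hub" ]; then
    echo "no assigned hub for $reg_id: never provisioned, the DPS block is enough" >&2
    return 0
  fi
  run iot hub device-identity update --hub-name "$(hub_short_name "$hub")" \
    --device-id "$device_id" --set status=disabled
  run iot dps enrollment-group registration delete --dps-name "$DPS_NAME" \
    --resource-group "$RG" --registration-id "$reg_id"
}

# Usage: DRY_RUN=0 ./deprovision.sh device-0042 [device-0042.pem]
if [ -n "${1:-}" ]; then
  deprovision_device "$1" "${2:-}"
fi
```

The disabled individual enrollment is the part that must stay: deleting it later re-opens the group enrollment for that device, which is exactly the situation the answer warns about. For a large fleet, wrap `deprovision_device` in a loop over the registration IDs returned by `az iot dps enrollment-group registration list --enrollment-id <group-id>`.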