Iot Hub shared access policy in ADX data connection

Question

In ADX ,while adding a data connection for IOT Hub and choosing shared access policy as registryRead or registryReadWrite , i am not able to ingest data from IOT Hub , the metric of data connection shows 0 events , but if shared policy is given as iothubOwner , then i am able to receive the events, the concern is that i am just reading the data from IotHub ,then why the shared access policy given as registryRead doesnt bring any events. also what are the drawbacks/limitations and security concerns if i select shared policy as iothubowner

Answer 1

Hi @siddharth bansal Greetings! Thank you for posting the question on this forum.

why the shared access policy given as registryRead doesnt bring any events

The RegistryRead and RegistryReadWrite permissions on IoT Hub only provides access to Identity Register The identity register only stores information about the devices and modules permitted to connect to the IoT Hub. The Identity Register does not hold any information on the events generated or application metadata.

The IoT Hub identity registry exposes the following operations:

• Create device or module identity
• Update device or module identity
• Retrieve device or module identity by ID
• Delete device or module identity
• List up to 1000 identities
• Export device identities to Azure blob storage
• Import device identities from Azure blob storage

Please refer the article Understand the identity registry in your IoT hub for more details on the Identity Registry.

Here is a list of default shared access policies applicable to Azure IoT Hub and the permissions they grant.

Refer the below picture to get more details on the permissions that each shared access policy grants.

what are the drawbacks/limitations and security concerns if i select shared policy as iothubowner

The ADX here does not modify/access any twins explicitly other than consuming the events. It is safe to use the IoTHubOwner policy here. However, we should be cautious using IoTHubOwner access policy in the SDKs as it provides access to all the events generated and can even update twin tags and properties. Use DeviceConnect service policy if are only interested in sending a telemetry data from a device.

Hope this clarifies. Please let me know if you have any additional questions in the comments below.

---

If the response helped, please do click Accept Answer and Yes. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.

Answer 2

Hello @siddharth bansal,

The post of @LeelaRajeshSayana-MSFT gives you some background information regarding the IoT Hub policies.

It's interesting to see that only three policies are shown in ADX while more policies are available normally.

This is because you need to provide a policy with at least datareader before it pops up in the list (as these three have).

But to ingest data, you need to provide a policy supporting 'service' rights.

So I created an extra policy with just these two rights:

The data connection acknowledges this policy:

and data is flowing in:

So, add an extra policy with these two rights and you are good to go!

It's always good to NOT exposing the original IoTHubOwner policy. Keep it for yourself and distribute custom policies so you can rotate keys once in a while or remove them. With that, you automatically get a list of all services connecting to your iot hub. This is a much more secure and maintainable situation.

---

If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.