Iot Hub shared access policy in ADX data connection

siddharth bansal 321 Reputation points
2023-05-11T12:51:59.5166667+00:00

forum img

In ADX ,while adding a data connection for IOT Hub and choosing shared access policy as registryRead or registryReadWrite , i am not able to ingest data from IOT Hub , the metric of data connection shows 0 events , but if shared policy is given as iothubOwner , then i am able to receive the events, the concern is that i am just reading the data from IotHub ,then why the shared access policy given as registryRead doesnt bring any events. also what are the drawbacks/limitations and security concerns if i select shared policy as iothubowner

Azure IoT Hub
Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.
1,147 questions
Azure Data Explorer
Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
501 questions
0 comments No comments
{count} votes

Accepted answer
  1. LeelaRajeshSayana-MSFT 13,951 Reputation points
    2023-05-11T14:59:20.11+00:00

    Hi @siddharth bansal Greetings! Thank you for posting the question on this forum.

    why the shared access policy given as registryRead doesnt bring any events

    The RegistryRead and RegistryReadWrite permissions on IoT Hub only provides access to Identity Register The identity register only stores information about the devices and modules permitted to connect to the IoT Hub. The Identity Register does not hold any information on the events generated or application metadata.

    The IoT Hub identity registry exposes the following operations:

    • Create device or module identity
    • Update device or module identity
    • Retrieve device or module identity by ID
    • Delete device or module identity
    • List up to 1000 identities
    • Export device identities to Azure blob storage
    • Import device identities from Azure blob storage

    Please refer the article Understand the identity registry in your IoT hub for more details on the Identity Registry.

    Here is a list of default shared access policies applicable to Azure IoT Hub and the permissions they grant.

    User's image

    Refer the below picture to get more details on the permissions that each shared access policy grants.

    User's image

    what are the drawbacks/limitations and security concerns if i select shared policy as iothubowner

    The ADX here does not modify/access any twins explicitly other than consuming the events. It is safe to use the IoTHubOwner policy here. However, we should be cautious using IoTHubOwner access policy in the SDKs as it provides access to all the events generated and can even update twin tags and properties. Use DeviceConnect service policy if are only interested in sending a telemetry data from a device.

    Hope this clarifies. Please let me know if you have any additional questions in the comments below.


    If the response helped, please do click Accept Answer and Yes. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.

    2 people found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Sander van de Velde | MVP 30,711 Reputation points MVP
    2023-05-11T23:10:31.8766667+00:00

    Hello @siddharth bansal,

    The post of @LeelaRajeshSayana-MSFT gives you some background information regarding the IoT Hub policies.

    It's interesting to see that only three policies are shown in ADX while more policies are available normally.

    This is because you need to provide a policy with at least datareader before it pops up in the list (as these three have).

    But to ingest data, you need to provide a policy supporting 'service' rights.

    So I created an extra policy with just these two rights:

    User's image

    The data connection acknowledges this policy:

    User's image

    and data is flowing in:

    User's image

    So, add an extra policy with these two rights and you are good to go!

    It's always good to NOT exposing the original IoTHubOwner policy. Keep it for yourself and distribute custom policies so you can rotate keys once in a while or remove them. With that, you automatically get a list of all services connecting to your iot hub. This is a much more secure and maintainable situation.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

    2 people found this answer helpful.
    0 comments No comments