Is it possible to send a D2C request to an Azure IOTHub device using the device primary key without using the device ID or device hostname?

Deepak Chaurasiya 20 Reputation points
2023-10-09T06:01:47.8933333+00:00

I want to send a D2C request to an Azure IOTHub device using the device primary key, which is present in the properties of every device registered in IOTHub, without mentioning the device ID or device hostname.

Accepted answer
  1. Matthijs van der Veer 4,376 Reputation points MVP
    2023-10-09T08:49:02.1566667+00:00

    Based on your question, it seems you want to connect your devices with a shared access signature (SAS) token. The SDKs will abstract this process a bit, but here's what's happening under the hood:

    The SAS creation process takes the following parameters:

    Resource URI: the combination of the IoT Hub FQDN and the Device ID. Example: myiothub.azure-devices.net/devices/mydevice
    Signature (primary or secondary key): these are the keys associated with the device. They are not guaranteed to be unique across devices. Example: wc5FLbNggLJBY/sdGR/mC+XLPQZmjAOiX1TTDXhZl84=
    Expiry time: the expiration date of the generated SAS token, as a Unix timestamp. Example: 1703492085
    policyName: left empty for device SAS tokens.

    All of these are required, but the SDK will usually take care of the expiration time. The policyName is only used for IoT Hub level SAS tokens, which are not relevant for devices. So in short, no, you can't go with just the primary key. You'll need to provide the device ID as well.

    ⚠️ Important note: Both symmetric shared access keys (primary and secondary) aren't guaranteed to be unique across devices. They are not replacements for a unique identifier. The device ID is the only unique identifier for a device in IoT Hub.

    Alternatives:

    If for some reason you're blocked from using the device ID, you could look into Azure Device Provisioning Service, however in case of Symmetric Key attestation, you'll still need to provide a registration ID, which will return the device ID as a result. If you're using X.509 certificates, you can use the certificate thumbprint instead of the device ID.

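The SAS construction described in the accepted answer, worked through as an added example (this is not the answerer's code and not the Azure SDK's). It uses the example values from the table above; the key shown there is the table's example, not a real device key. The token format and the HMAC-SHA256 over "<URL-encoded resource URI>\n<expiry>" are IoT Hub's documented SAS scheme. The verify_sas_token function is a simplified model of what the receiving side does and is an assumption for illustration: the hub itself looks up the device's keys by the device ID carried in the sr field, which is exactly why the device ID cannot be omitted.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Values from the answer's table. The key is the table's example key, not a real one.
HUB_FQDN = "myiothub.azure-devices.net"
DEVICE_ID = "mydevice"
DEVICE_KEY_B64 = "wc5FLbNggLJBY/sdGR/mC+XLPQZmjAOiX1TTDXhZl84="
EXPIRY = 1703492085  # Unix timestamp


def device_resource_uri(hub_fqdn: str, device_id: str) -> str:
    """Resource URI = hub FQDN + '/devices/' + device ID. There is no form without the device ID."""
    if not device_id:
        raise ValueError("a device SAS token cannot be built without the device ID")
    return f"{hub_fqdn}/devices/{device_id}"


def _sign(encoded_uri: str, expiry: int, key_b64: str) -> str:
    """HMAC-SHA256 over '<url-encoded resource URI>\\n<expiry>' keyed with the decoded key, base64-encoded."""
    key = base64.b64decode(key_b64)
    message = f"{encoded_uri}\n{expiry}".encode("utf-8")
    return base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode("ascii")


def generate_sas_token(resource_uri: str, key_b64: str, expiry: int, policy_name: str = "") -> str:
    """Build 'SharedAccessSignature sr=...&sig=...&se=...[&skn=...]'.

    policy_name (skn) is only used for hub-level tokens; device tokens leave it empty.
    """
    encoded_uri = quote(resource_uri, safe="")
    signature = _sign(encoded_uri, expiry, key_b64)
    token = f"SharedAccessSignature sr={encoded_uri}&sig={quote(signature, safe='')}&se={expiry}"
    if policy_name:
        token += f"&skn={policy_name}"
    return token


def verify_sas_token(token: str, key_b64: str, expected_resource_uri: str, now: int) -> bool:
    """Simplified model of the receiving side (assumption, not IoT Hub's actual code).

    Parses the token, checks that sr names the expected resource and that the token has not
    expired, then recomputes the HMAC with the key the caller resolved for that device.
    """
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = parse_qs(token[len(prefix):], strict_parsing=True)
        sr = fields["sr"][0]
        sig = fields["sig"][0]
        se = int(fields["se"][0])
    except (KeyError, ValueError):
        return False
    if sr != expected_resource_uri or se <= now:
        return False
    expected_sig = _sign(quote(sr, safe=""), se, key_b64)
    # Constant-time comparison so the check does not leak how many leading characters matched.
    return hmac.compare_digest(sig, expected_sig)


if __name__ == "__main__":
    uri = device_resource_uri(HUB_FQDN, DEVICE_ID)
    token = generate_sas_token(uri, DEVICE_KEY_B64, EXPIRY)
    print(token)
    now = EXPIRY - 3600
    print("accepted for mydevice:", verify_sas_token(token, DEVICE_KEY_B64, uri, now))
    # Same key, different device ID: the token is bound to the resource URI, not to the key alone.
    other = device_resource_uri(HUB_FQDN, "otherdevice")
    print("accepted for otherdevice:", verify_sas_token(token, DEVICE_KEY_B64, other, now))
```

Two devices that happen to share a key still get different tokens, because the device ID is part of the signed resource URI; a token minted for one device is rejected when presented for the other. The skn parameter only appears when a policy name is passed, which matches the table's note that it is empty for device tokens.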

1 additional answer

  1. Sander van de Velde | MVP 31,211 Reputation points MVP
    2023-10-09T06:30:01.33+00:00

    Hello @Deepak Chaurasiya,

    welcome to this moderated community forum.

    It seems you are referencing the Azure IoT Hub device connection string.

    This connection string is built up in three parts:

    1. The IoT Hub name so the device knows the public endpoint
    2. The name of the device because each device sends its own messages
    3. The primary or secondary key (so keys can be rolled)

    The key itself is just a key, a (semi) random array of characters, so it's useless without the context of the connection string.

    Because the connection string has a symmetric key, it's less secure than using a certificate or TPM (when using the Device Provisioning Service).

    Using the Azure Device Provisioning Service is highly recommended for more secure solutions.

    It supports IoT devices with TPM, symmetric key, and X.509 certificate authentications. This is offered for both individual enrollments and group enrollments which offer even more control.


    If the response helped, please "Accept Answer". If it doesn't work, please let us know your progress. All community members with similar issues will benefit. Your contribution is highly appreciated.

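The three-part connection string described in this answer, parsed and validated as an added example (not the answerer's code and not the Azure SDK's). The field names HostName, DeviceId and SharedAccessKey are the ones a device connection string actually carries; the sample string below is constructed from the example values on this page. Restricting the parser to exactly those three fields is an assumption made for this example, since the real SDKs accept further optional fields. The point it illustrates is the one made above: a bare key fails to parse because it carries no hub and no device context.

```python
import base64
import binascii

# Field names of a device connection string: HostName=...;DeviceId=...;SharedAccessKey=...
REQUIRED_FIELDS = ("HostName", "DeviceId", "SharedAccessKey")
MAX_DEVICE_ID_LENGTH = 128  # IoT Hub's documented maximum length for a device ID

# Constructed sample, assembled from the example values used elsewhere on this page.
EXAMPLE_KEY = "wc5FLbNggLJBY/sdGR/mC+XLPQZmjAOiX1TTDXhZl84="
EXAMPLE_CONNECTION_STRING = (
    "HostName=myiothub.azure-devices.net;DeviceId=mydevice;SharedAccessKey=" + EXAMPLE_KEY
)


def parse_device_connection_string(conn_str: str) -> dict:
    """Split 'Name=value;Name=value;...' into its three parts and validate each.

    Returns {'hub': ..., 'device_id': ..., 'key': ...}. Raises ValueError for anything that is
    not a complete device connection string, including a bare key on its own.
    """
    parts = {}
    for segment in conn_str.strip().strip(";").split(";"):
        # Split on the first '=' only: the base64 key may itself end in '=' padding.
        name, sep, value = segment.partition("=")
        if not sep or not name or not value:
            raise ValueError(f"malformed segment: {segment!r}")
        if name in parts:
            raise ValueError(f"duplicate field: {name}")
        parts[name] = value

    missing = [f for f in REQUIRED_FIELDS if f not in parts]
    if missing:
        raise ValueError(f"missing field(s): {', '.join(missing)}")
    # Assumption for this example: only the three fields discussed in the answer are accepted.
    unknown = sorted(set(parts) - set(REQUIRED_FIELDS))
    if unknown:
        raise ValueError(f"unexpected field(s): {', '.join(unknown)}")

    hub, device_id, key_b64 = parts["HostName"], parts["DeviceId"], parts["SharedAccessKey"]
    if "/" in hub or " " in hub:
        raise ValueError("HostName must be a bare FQDN without scheme or path")
    if len(device_id) > MAX_DEVICE_ID_LENGTH:
        raise ValueError(f"DeviceId longer than {MAX_DEVICE_ID_LENGTH} characters")
    try:
        raw_key = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("SharedAccessKey is not valid base64") from exc
    if not raw_key:
        raise ValueError("SharedAccessKey decodes to an empty key")
    return {"hub": hub, "device_id": device_id, "key": key_b64}


def build_device_connection_string(hub: str, device_id: str, key_b64: str) -> str:
    """Compose the three parts; either the primary or the secondary key may be passed, which is
    what allows keys to be rolled without changing the hub name or device ID."""
    conn_str = f"HostName={hub};DeviceId={device_id};SharedAccessKey={key_b64}"
    parse_device_connection_string(conn_str)  # reject bad input before handing it to a device
    return conn_str


if __name__ == "__main__":
    print(parse_device_connection_string(EXAMPLE_CONNECTION_STRING))
    try:
        parse_device_connection_string(EXAMPLE_KEY)
    except ValueError as err:
        print("bare key rejected:", err)
```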