How do I make an Update call to a Digital Twin with the SDK from a C# program running on a Docker container?

Question

How do I make an Update call to a Digital Twin with the SDK from a C# program running on a Docker container?

Samuel Bidó 0

I'm trying to display the local state of a SCADA system (i.e. machines on or off) on a Digital Twin 3D scene. I already tested that 3D scene.

I made a .NET program that retrieves the data from the SCADA Server through a REST API and then runs await client.UpdateDigitalTwinAsync(id, patch); to update the state of the specified digital twin. But this gives me a 403 Forbidden error.

The program is running on the dotnet:9.0 Docker image so I used environment variables for the credentials with Docker Compose.

I've created the App Registration, which is where I got the credentials from, gave the registration Read/Write API access to Digital Twins and added to my user the Azure Digital Twins Data Owner role.

If I get to publish the state to the digital twin I believe I'll be set for the project. Please help as my undergrad depends on this.

Here's the code for the program:

// See https://aka.ms/new-console-template for more information

using System.Text.Json;
using System.Text.Json.Serialization;
using Azure;
using Azure.DigitalTwins.Core;
using Azure.Identity;

Console.WriteLine("Azure Digital Twins publisher started.");

HttpClient httpClient = new()
{
	BaseAddress = new Uri($"http://{Environment.GetEnvironmentVariable("CONTROLLER_HOST")}:{Environment.GetEnvironmentVariable("CONTROLLER_PORT")}"),
};

async Task<T> queryDeviceState<T>(string id)
{
	var url = new Uri($"{httpClient.BaseAddress.AbsoluteUri}status/{id}");
	Console.WriteLine(url.AbsolutePath);
	return JsonSerializer.Deserialize<T>(await httpClient.GetAsync(url.AbsolutePath).Result.Content.ReadAsStringAsync());
}

string adtInstanceUrl = $"https://{Environment.GetEnvironmentVariable("DIGITAL_TWINS_INSTANCE")}"; 

var credential = new EnvironmentCredential();
var client = new DigitalTwinsClient(new Uri(adtInstanceUrl), credential);

async Task publishToTwin(string id, DeviceState state)
{
	var patch = new JsonPatchDocument();
	patch.AppendAdd("/id", state.id);
	patch.AppendAdd("/isOn", state.isOn);

	await client.UpdateDigitalTwinAsync(id, patch);
}

while (true)
{
	string[] twins = ["a1", "a2", "c1", "c2"];

	foreach (string deviceId in twins)
	{
		DeviceState state = await queryDeviceState<DeviceState>(deviceId);

		DeviceState example = new DeviceState("a3",true);

		Console.WriteLine("Should look like:");
		Console.WriteLine($"{example.id} is {example.isOn}");

		Console.WriteLine($"{state.id} is {state.isOn}");
		await publishToTwin(id: deviceId, state: state);
	}

	Thread.Sleep(int.Parse(Environment.GetEnvironmentVariable("UPDATE_PERIOD") ?? "2000"));
}

struct DeviceState
{
	[JsonPropertyName("id")]
	public string id { get; set; }
	[JsonPropertyName("isOn")]
	public bool isOn { get; set; }

	public DeviceState(string id, bool isOn)
	{
		this.id = id;
		this.isOn = isOn;
	}
}

VSawhney 800 Reputation points Microsoft External Staff Moderator

2025-06-18T08:28:57.4166667+00:00

Hello Samuel Bidó,

Following up to check if the response provided helped you. Please feel free reach us for further help.

Thank you!
VSawhney 800 Reputation points Microsoft External Staff Moderator

2025-06-20T05:47:52.5333333+00:00

Hello Samuel Bidó,

Just checking in again to see if the response provided helped. Please feel free reach us for further help.

Thank you!
Sander van de Velde | MVP 36,766 Reputation points MVP Volunteer Moderator

2025-06-20T06:40:27.5633333+00:00

Hello Samuel Bidó,

welcome to this moderated Azure community forum.

As seen in this blog post an identity must be assigned to the Digital Twins environment. You code must using this identity.

Using an Azure Function, the managed identity can be used.

You code runs in a Docker container, which is normally sand-boxed so no outside information/identities are available unless appointed to.

Can you check if you can run you code inside docker an container using an app registration/ client secret?
Samuel Bidó 0 Reputation points

2025-06-26T23:33:11.6233333+00:00

Thanks for the blog post link. Had trouble finding this question oops.

I need it to run locally as the SCADA server is local, so I can't run my program on a function.

I'm using Tenant ID, Client ID and Client Secret for authentication.

I can create a ServiceClient with the SDK, it's just that when I try to update the digital twins I created in the explorer I get the 403 Forbidden error.

I copied and pasted all the values into the docker-compose.yml as environment variables, straight from the Azure web portal.

I just need to be able to update the twins for the visualizations and widgets, I don't need to have a pipeline setup with a database for the timeseries data.

I just don't see my app registration when I try to give it the role of ADT Data Owner.
Samuel Bidó 0 Reputation points

2025-06-26T23:55:46.2666667+00:00

I just checked and to use a managed identity you must run it on an AZ Function.

I think I can code a relay.

Samuel Bidó 0

It seems you can only use the ADT SDK with a Managed Identity so I made a relay with an Azure Function.

Ran into the problem that I coded it for an .NET 8 LTS but ran it on Isolated .NET 9 and because of that it wouldn't parse the incoming JSON.

Used an LLM to convert it to Isolated and got it to work.

Here's the code:

using
using
using
using
using
using
using
namespace
public
{
private
public
 {
_logger
 }
 [
public
 [
 {
_logger
DeviceState
try
 {
// Read the request body as a stream and deserialize it
update
if
 {
_logger
return
 }
 }
catch
 {
_logger
return
 }
catch
 {
_logger
return
 }
var
var
_logger
try
 {
var
patch
patch
// You might want to handle the response from UpdateDigitalTwin
// For example, checking the status code or content.
Response
_logger
_logger
var
await
return
 }
catch
 {
_logger
var
await
return
 }
catch
 {
_logger
var
await
return
 }
 }
public
}

1 answer

Your answer

VSawhney 800 Reputation points Microsoft External Staff Moderator

2025-06-18T08:28:57.4166667+00:00

Hello Samuel Bidó,

Following up to check if the response provided helped you. Please feel free reach us for further help.

Thank you!
VSawhney 800 Reputation points Microsoft External Staff Moderator

2025-06-20T05:47:52.5333333+00:00

Hello Samuel Bidó,

Just checking in again to see if the response provided helped. Please feel free reach us for further help.

Thank you!
Sander van de Velde | MVP 36,766 Reputation points MVP Volunteer Moderator

2025-06-20T06:40:27.5633333+00:00

Hello Samuel Bidó,

welcome to this moderated Azure community forum.

As seen in this blog post an identity must be assigned to the Digital Twins environment. You code must using this identity.

Using an Azure Function, the managed identity can be used.

You code runs in a Docker container, which is normally sand-boxed so no outside information/identities are available unless appointed to.

Can you check if you can run you code inside docker an container using an app registration/ client secret?
Samuel Bidó 0 Reputation points

2025-06-26T23:33:11.6233333+00:00

Thanks for the blog post link. Had trouble finding this question oops.

I need it to run locally as the SCADA server is local, so I can't run my program on a function.

I'm using Tenant ID, Client ID and Client Secret for authentication.

I can create a ServiceClient with the SDK, it's just that when I try to update the digital twins I created in the explorer I get the 403 Forbidden error.

I copied and pasted all the values into the docker-compose.yml as environment variables, straight from the Azure web portal.

I just need to be able to update the twins for the visualizations and widgets, I don't need to have a pipeline setup with a database for the timeseries data.

I just don't see my app registration when I try to give it the role of ADT Data Owner.
Samuel Bidó 0 Reputation points

2025-06-26T23:55:46.2666667+00:00

I just checked and to use a managed identity you must run it on an AZ Function.

I think I can code a relay.
Samuel Bidó 0 Reputation points

2025-06-28T22:39:08.2633333+00:00

It seems you can only use the ADT SDK with a Managed Identity so I made a relay with an Azure Function.

Ran into the problem that I coded it for an .NET 8 LTS but ran it on Isolated .NET 9 and because of that it wouldn't parse the incoming JSON.

Used an LLM to convert it to Isolated and got it to work.

Here's the code:

using using using using using using using namespace public { private public { _logger } [ public [ { _logger DeviceState try { // Read the request body as a stream and deserialize it update if { _logger return } } catch { _logger return } catch { _logger return } var var _logger try { var patch patch // You might want to handle the response from UpdateDigitalTwin // For example, checking the status code or content. Response _logger _logger var await return } catch { _logger var await return } catch { _logger var await return } } public }

Answer 1

Hello Samuel Bidó,

It looks like you're running into a 403 Forbidden error when trying to update your Digital Twin using the .NET SDK in your Docker container. Let's break down a few things to troubleshoot this.

Permissions Check: Ensure that your App Registration has the necessary permissions. You've mentioned that you've assigned the "Azure Digital Twins Data Owner" role to your user, but make sure that the App Registration also has the appropriate permissions set up in the Azure portal under "API permissions" for Azure Digital Twins. Sometimes it might require admin consent for the permissions to take effect.
Environment Variables: Since you're using Docker, double-check that your environment variables containing the credentials and other relevant information are correctly set in your docker-compose.yml. Make sure that the variables you are trying to access (like DIGITAL_TWINS_INSTANCE) are being passed correctly into the Docker container.
Service Principal Authentication: If you're running the application in a non-interactive environment (like from a Docker container), make sure you're using the correct method to authenticate. You might want to consider using a client secret or certificate-based authentication instead of environment variables for the credentials.
Endpoint and Instance: Double-check the adtInstanceUrl to ensure it points to the correct Azure Digital Twins instance URL.
Rate Limits and Throttling: While less likely, keep in mind that Azure subscription limits or throttling could also be a reason for the error. Check your Azure subscription's usage and look for any limits on requests or updates.
Logs and Trace: If possible, enable logging within your application to get more insight into what's happening when it attempts to make that update call. This could also help to identify if there are issues with the payload being sent in the request.

Hope this helps!
Thank you!

Share via

How do I make an Update call to a Digital Twin with the SDK from a C# program running on a Docker container?

1 answer

Your answer