
"IoT Hub has insufficient permissions" notification on adu instances page even though the role's been assigned.

Leonardo Song 0 Reputation points
2026-04-03T07:21:00.36+00:00

Azure Device Update has already been assigned IoT Hub Data Contributor for the IoT hub, but the instance under the ADU still gives a notification regarding the necessary role. The linked hub is the target IoT hub, which is the scope of the role assignment. Would this ADU instance work?

Azure Role-based access control

An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.


2 answers

  1. Anshika Varshney 9,740 Reputation points Microsoft External Staff Moderator
    2026-04-06T10:05:27.9633333+00:00

    Hi Leonardo Song,

    This message usually appears when the identity that is accessing the IoT Hub does not have the right permissions assigned at the Azure level. The IoT Hub itself is working, but Azure is blocking access because of role based access control.

    Here are a few things you can check step by step.

    First, check which identity is being used. This could be a user account, a service principal, or a managed identity. Once you know the identity, open the IoT Hub in Azure portal and go to Access control. Make sure this identity is listed there.

    Second, verify the role assignment. The identity should have one of the IoT roles assigned at the IoT Hub scope. For example:

    • IoT Hub Data Contributor for sending and receiving device messages
    • IoT Hub Registry Read or Write if you are managing devices

    If the role is applied only at subscription or resource group level, try assigning it directly on the IoT Hub to avoid permission inheritance issues.

    Third, allow some time after role changes. After assigning or changing a role, Azure permissions do not apply immediately. It can take a few minutes before access starts working. During this time, the insufficient permissions warning can still show up.

    Fourth, check the action you are trying to perform. For example, reading device telemetry, creating devices, using Azure Monitor, or connecting through SDKs all require different permissions. Even if you can see the IoT Hub in the portal, some operations will fail if the role does not match the action.

    Fifth, if you are using a managed identity, make sure the managed identity is enabled and that the correct identity is selected. Sometimes the wrong identity is attached to the service, which leads to permission errors.

    Here are official references that explain this clearly.

    Azure IoT Hub access control https://learn.microsoft.com/azure/iot-hub/iot-hub-dev-guide-sas?tabs=node

    Built in roles for IoT Hub https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#iot-hub

    In summary, this notification is not a service outage. It is an access issue caused by missing or incorrect role assignments. Once the correct role is applied at the IoT Hub level and permissions are fully propagated, the warning should go away.

    Hope this helps clarify the issue. Do let me know if you have any further queries.

    Thank you!


  2. Q&A Assist
    2026-04-03T07:21:13.8533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Yes, the Device Update instance can still work as long as the underlying role assignment is correct, even if the portal continues to show the notification for some time.

    For Device Update to function with the linked IoT hub, two conditions must be met:

    1. The Azure Device Update service principal must have IoT Hub Data Contributor on the linked IoT hub scope.
      • This can be configured either via the Azure portal or Azure CLI.
      • Portal path (already done in this case): IoT hub → Access Control (IAM) → Add role assignment → role IoT Hub Data Contributor → member Azure Device Update.
      • CLI equivalent:
             az role assignment create --role "IoT Hub Data Contributor" --assignee https://api.adu.microsoft.com/ --scope <resource_id>
        
    2. The Device Update instance must be correctly linked to that IoT hub (same subscription and resource group, and using the correct IoT hub resourceId).

    If both are true, Device Update will be able to:

    • Create, cancel, and retry deployments.
    • Get device information through IoT Hub.

    The notification in the ADU instance blade is a validation hint based on RBAC state and can lag behind actual role assignments due to propagation delays. As long as the role assignment exists on the correct IoT hub resource and for the Azure Device Update service principal, the instance will function even if the banner still appears temporarily.

    If functionality (deployments, device queries) fails despite the correct assignment, then verify:

    • The IoT hub in the role assignment is exactly the same one linked in the ADU instance.
    • The ADU account/instance and IoT hub are in the same subscription and resource group.
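
The scope checks both answers describe (role on the linked hub itself versus inherited from its resource group or subscription, and the same hub in the assignment as in the ADU instance), as an added example that is not part of either answer or of Microsoft's tooling. It assumes input shaped like the JSON from `az role assignment list --all -o json` (`principalId`, `roleDefinitionName`, `scope`); the IDs and hub names are constructed placeholders, and the principal ID stands for the object ID of the Azure Device Update service principal in your tenant.

```python
# Added example: classify role assignments against the hub linked to the ADU instance.
ROLE = "IoT Hub Data Contributor"  # role named on this page

def _norm(arm_id):
    # ARM resource IDs compare case-insensitively; ignore a trailing slash.
    return arm_id.rstrip("/").lower()

def covers(scope, resource_id):
    """True if scope is the resource itself or an ancestor (RG, subscription)."""
    s, r = _norm(scope), _norm(resource_id)
    return r == s or r.startswith(s + "/")  # the "/" stops hub-prod matching hub-prod2

def check(assignments, linked_hub_id, principal_id):
    """Sort one principal's ROLE assignments into direct / inherited / elsewhere."""
    out = {"direct": [], "inherited": [], "elsewhere": []}
    for ra in assignments:
        if ra.get("roleDefinitionName") != ROLE:
            continue  # a different role does not satisfy the requirement
        if ra.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to some other identity
        scope = ra["scope"]
        if _norm(scope) == _norm(linked_hub_id):
            out["direct"].append(scope)
        elif covers(scope, linked_hub_id):
            out["inherited"].append(scope)
        else:
            out["elsewhere"].append(scope)  # right role, wrong hub
    out["ok"] = bool(out["direct"] or out["inherited"])
    return out

# Constructed sample data (placeholder IDs, hypothetical hub names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-iot"
HUB_PROD = RG + "/providers/Microsoft.Devices/IotHubs/hub-prod"
HUB_PROD2 = HUB_PROD + "2"
ADU_SP = "11111111-1111-1111-1111-111111111111"
OTHER = "22222222-2222-2222-2222-222222222222"
SAMPLE = [
    {"principalId": ADU_SP, "roleDefinitionName": ROLE, "scope": HUB_PROD2},
    {"principalId": ADU_SP, "roleDefinitionName": "IoT Hub Data Reader", "scope": HUB_PROD},
    {"principalId": OTHER, "roleDefinitionName": ROLE, "scope": HUB_PROD},
]

if __name__ == "__main__":
    print(check(SAMPLE, HUB_PROD, ADU_SP))  # role exists, but only on the other hub
    fixed = SAMPLE + [{"principalId": ADU_SP, "roleDefinitionName": ROLE,
                       "scope": HUB_PROD.lower()}]
    print(check(fixed, HUB_PROD, ADU_SP))   # direct match despite different casing
```

An entry under `elsewhere` with nothing under `direct` or `inherited` is the case where the role was assigned, but on a hub other than the one linked in the instance.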

