Deployment basics

Deployment involves grouping the Azure Sphere devices that should run the same applications and OS versions, packaging the applications you want to run on each group of devices, uploading the packages to the Azure Sphere Security Service, and assigning the deployment to a group of devices. This topic defines the fundamental elements involved in deployment.

Naming conventions

Names for products and device groups can only contain alphanumeric characters and spaces. It cannot exceed 50 characters. If you include spaces in names, enclose the names in double quotation marks when used in a command.

Device IDs

An Azure Sphere device ID uniquely identifies an individual Azure Sphere chip. The device ID is stored on the device itself. All the other elements of a deployment are stored with the Azure Sphere Security Service.

A device's ID can easily be spoofed, forged, or misused. As a result, you should only permit devices whose identities can be verified and validated to access your highly valuable data and connect to your services. See Device identity and security for more information and a recommendation for addressing this issue.


A product identifies an Azure Sphere MCU that is incorporated into a connected device to perform a specific function. As the manufacturer, you create a product for each model of a connected device, such as a dishwasher or coffeemaker. Every connected device has a single product, but a single product can be associated with many devices. For more information, see About Azure sphere products.

Device groups

A device group is a named collection of devices of the same product type. Device groups provide a way to scale application deployment to many devices. Each device belongs to exactly one device group, and each device group belongs to exactly one product. When you create a product, default device groups are created within the product to assist with basic functionality, such as testing and production deployment. For more information, see About Azure Sphere device groups.


An application is a program that performs tasks specific to certain connected devices. A deployment delivers the application to the products that are associated with those connected devices.

Images and image packages

An image is a binary file that represents a single version of an application or board configuration. Images are immutable: you cannot modify an image after it has been uploaded. For an application, the image includes the binaries for the application along with its image metadata. An image package is the combination of an image with its metadata that is produced by the build process. Every time the SDK builds or rebuilds an Azure Sphere image package, it uses a new unique image ID.

When Contoso develops an application for its DW100 dishwashers, the SDK creates an image package that can be deployed to any device groups.

Chip SKUs and system software

As a product manufacturer, you develop and manage applications, whereas Microsoft develops and manages system software components. System software components target chip SKUs. The chip SKU (stock keeping unit) identifies a particular type of Azure Sphere-compatible MCU. The chip SKU is assigned by Microsoft and cannot be changed. Microsoft uses this SKU to deliver the correct system software updates to each Azure Sphere device.


In the simplest terms, a deployment is the delivery of a set of image packages to one or more devices. You create a deployment by:

The topic Create a cloud deployment provides step-by-step instructions for creating cloud deployments.

The Azure Sphere Security Service targets all the members of a device group with the deployments that are associated with that group—and only those deployments. This means that if you assign a device from one group to another, the device will receive only the deployment that is associated with the new device group (if any); any other image packages (or board configurations) that are already on the device will be deleted. Thus, the Security Service ensures that each device has all the images that its deployment specifies, and no others.

Deployments cannot be removed or turned off for a device group, but you can update an existing deployment by creating a new deployment for the device group. If you want to remove a deployment from a particular device, you can move the device to another device group that does not have a deployment assigned.

Azure Sphere EU Data Boundary compliance

In keeping with Microsoft's mission to process and store EU customer data exclusively within the EU, Azure Sphere Security Services enables EU customers to protect potentially sensitive customer information in their application image files and Azure Sphere device crash dump files. Customers can ensure that their application images and crash dump files are processed and stored solely within the EU by selecting EU in the new Regional Data Boundary setting. The new Regional Data Boundary setting is an optional parameter,--regional-data-boundary, that can used with the [az sphere image] and az sphere device-group commands.

For more information on how to access the Regional Data Boundary setting, see Create a deployment and Configure crash dumps.