az iot dps enrollment-group
Note
This reference is part of the azure-iot extension for the Azure CLI (version 2.46.0 or higher). The extension will automatically install the first time you run an az iot dps enrollment-group command. Learn more about extensions.
Manage enrollment groups in an Azure IoT Hub Device Provisioning Service.
Commands
Name | Description | Type | Status |
---|---|---|---|
az iot dps enrollment-group compute-device-key |
Generate a derived device SAS key for an enrollment group in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group create |
Create an enrollment group in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group delete |
Delete an enrollment group in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group list |
List enrollments groups in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group registration |
Manage service-side device registrations for an enrollment group in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group registration delete |
Delete a device registration for an enrollment group in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group registration list |
List device registrations for an enrollment group in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group registration show |
Get a device registration for an enrollment group in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group show |
Get an enrollment group's details in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group update |
Update an enrollment group in an Azure IoT Hub Device Provisioning Service. |
Extension | GA |
az iot dps enrollment-group compute-device-key
Generate a derived device SAS key for an enrollment group in an Azure IoT Hub Device Provisioning Service.
az iot dps enrollment-group compute-device-key --registration-id
[--auth-type {key, login}]
[--dps-name]
[--eid]
[--key]
[--login]
[--resource-group]
Examples
Compute the device key with the given symmetric key.
az iot dps enrollment-group compute-device-key --key {enrollement_group_symmetric_key} --registration-id {registration_id}
Compute the device key with the given enrollment group.
az iot dps enrollment-group compute-device-key -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --registration-id {registration_id}
Required Parameters
ID of device registration.
Optional Parameters
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed.You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}
.
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
Enrollment group ID.
The symmetric shared access key for the enrollment group. This bypasses the Device Provisioning Service registry and generates the SAS token directly from the supplied symmetric key without further validation. All other command parameters aside from registration ID will be ignored.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az iot dps enrollment-group create
Create an enrollment group in an Azure IoT Hub Device Provisioning Service.
Please provide certificate format using Base64 ASCII encoding and the certificate should have matching BEGIN and END segments, for example: start with '-----BEGIN CERTIFICATE-----' and end with '-----END CERTIFICATE-----'.
az iot dps enrollment-group create --eid
[--allocation-policy {custom, geoLatency, hashed, static}]
[--api-version]
[--auth-type {key, login}]
[--ca-name]
[--certificate-path]
[--dps-name]
[--edge-enabled {false, true}]
[--hn]
[--ih]
[--initial-twin-properties]
[--initial-twin-tags]
[--login]
[--pk]
[--provisioning-status {disabled, enabled}]
[--reprovision-policy {never, reprovisionandmigratedata, reprovisionandresetdata}]
[--resource-group]
[--scn]
[--scp]
[--secondary-key]
[--webhook-url]
Examples
Create an enrollment group '{enrollment_id}' in the Azure IoT provisioning service '{dps_name}' in the resource group '{resource_group_name} using an intermediate certificate as primary certificate'.
az iot dps enrollment-group create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --certificate-path /certificates/Certificate.pem
Create an enrollment group '{enrollment_id}' in the Azure IoT provisioning service '{dps_name}' in the resource group '{resource_group_name} using a CA certificate {certificate_name} as secondary certificate'.
az iot dps enrollment-group create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --secondary-ca-name {certificate_name}
Create an enrollment group '{enrollment_id}' in the Azure IoT provisioning service 'MyDps' in the resource group '{resource_group_name}' with provisioning status 'enabled', initial twin properties '{"location":{"region":"US"}}' and initial twin tags '{"version_dps":"1"}' using an intermediate certificate as primary certificate.
az iot dps enrollment-group create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --certificate-path /certificates/Certificate.pem --provisioning-status enabled --initial-twin-properties "{'location':{'region':'US'}}" --initial-twin-tags "{'version_dps':'1'}"
Create an enrollment group '{enrollment_id}' in the Azure IoT provisioning service '{dps_name}' in the resource group '{resource_group_name} with attestation type 'symmetrickey'.
az iot dps enrollment-group create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --primary-key {primary_key} --secondary-key {secondary_key}
Create an enrollment group '{enrollment_id}' with custom allocation policy,
az iot dps enrollment-group create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --allocation-policy custom --webhook-url {webhook_url} --api-version {api_version}
Required Parameters
Enrollment group ID.
Optional Parameters
Type of allocation policy to determine how a device is assigned to an IoT Hub. If not provided, the allocation policy will be the current allocation policy default set for the Device Provisioning Service instance.
The API version of the provisioning service types sent in the custom allocation request. Minimum supported version: 2018-09-01-preview.
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed.You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}
.
The name of the primary root CA certificate. If attestation with a root CA certificate is desired then a root ca name must be provided.
The path to the file containing the primary certificate. If attestation with an intermediate certificate is desired then a certificate path must be provided.
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
Flag indicating edge enablement.
Argument 'iot_hub_host_name' has been deprecated and will be removed in a future release. Use '--iot-hubs' instead.
Host name of target IoT Hub. Allocation policy defaults to static if this parameter is provided.
Host name of target IoT Hub associated with the allocation policy. Use space-separated list for multiple IoT Hubs.
Initial device twin properties.
Initial device twin tags.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
The primary symmetric shared access key stored in base64 format.
Enable or disable enrollment entry.
Policy to determine how device data should be handled on re-provision to a different IoT Hub.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
The name of the secondary root CA certificate. If attestation with a root CA certificate is desired then a root ca name must be provided.
The path to the file containing the secondary certificate. If attestation with an intermediate certificate is desired then a certificate path must be provided.
The secondary symmetric shared access key stored in base64 format.
The Azure Function webhook URL used for custom allocation requests.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az iot dps enrollment-group delete
Delete an enrollment group in an Azure IoT Hub Device Provisioning Service.
az iot dps enrollment-group delete --eid
[--auth-type {key, login}]
[--dps-name]
[--etag]
[--login]
[--resource-group]
Required Parameters
Enrollment group ID.
Optional Parameters
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed.You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}
.
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
Etag or entity tag corresponding to the last state of the resource. If no etag is provided the value '*' is used.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az iot dps enrollment-group list
List enrollments groups in an Azure IoT Hub Device Provisioning Service.
az iot dps enrollment-group list [--auth-type {key, login}]
[--dps-name]
[--login]
[--resource-group]
[--top]
Optional Parameters
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed.You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}
.
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Maximum number of elements to return. Use -1 for unlimited.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az iot dps enrollment-group show
Get an enrollment group's details in an Azure IoT Hub Device Provisioning Service.
az iot dps enrollment-group show --eid
[--auth-type {key, login}]
[--dps-name]
[--keys {false, true}]
[--login]
[--resource-group]
Examples
Basic usage
az iot dps enrollment-group show --dps-name {dps_name} -g {resource_group} --enrollment-id {enrollment_id}
Include full attestation information in results for a symmetric key enrollment-group
az iot dps enrollment-group show --dps-name {dps_name} -g {resource_group} --enrollment-id {symmetric_key_enrollment_id} --show-keys
Required Parameters
Enrollment group ID.
Optional Parameters
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed.You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}
.
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
Include attestation keys and information in enrollment group results.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az iot dps enrollment-group update
Update an enrollment group in an Azure IoT Hub Device Provisioning Service.
Please provide certificate format using Base64 ASCII encoding and the certificate should have matching BEGIN and END segments, for example: start with '-----BEGIN CERTIFICATE-----' and end with '-----END CERTIFICATE-----'.
az iot dps enrollment-group update --eid
[--allocation-policy {custom, geoLatency, hashed, static}]
[--api-version]
[--auth-type {key, login}]
[--ca-name]
[--certificate-path]
[--dps-name]
[--edge-enabled {false, true}]
[--etag]
[--hn]
[--ih]
[--initial-twin-properties]
[--initial-twin-tags]
[--login]
[--pk]
[--provisioning-status {disabled, enabled}]
[--rc {false, true}]
[--remove-secondary-certificate {false, true}]
[--reprovision-policy {never, reprovisionandmigratedata, reprovisionandresetdata}]
[--resource-group]
[--scn]
[--scp]
[--secondary-key]
[--webhook-url]
Examples
Update enrollment group '{enrollment_id}' in the Azure IoT provisioning service '{dps_name}' in the resource group '{resource_group_name}' with initial twin properties and initial twin tags.
az iot dps enrollment-group update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --initial-twin-properties "{'location':{'region':'USA'}}" --initial-twin-tags "{'version_dps':'2'}" --etag AAAAAAAAAAA=
Update enrollment group '{enrollment_id}' in the Azure IoT provisioning service '{dps_name}' in the resource group '{resource_group_name}' with new primary intermediate certificate and remove existing secondary intermediate certificate.
az iot dps enrollment-group update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --certificate-path /certificates/NewCertificate.pem --remove-secondary-certificate --etag AAAAAAAAAAA=
Update enrollment group '{enrollment_id}' in the Azure IoT provisioning service '{dps_name}' in the resource group '{resource_group_name}' with new secondary CA certificate '{certificate_name}' and remove existing primary CA certificate.
az iot dps enrollment-group update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --secondary-ca-name {certificate_name} --remove-certificate --etag AAAAAAAAAAA=
Update enrollment group '{enrollment_id}' in the Azure IoT provisioning service '{dps_name}' in the resource group '{resource_group_name}' with new primary key.
az iot dps enrollment-group update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --primary-key {new_primary_key} --etag AAAAAAAAAAA=
Required Parameters
Enrollment group ID.
Optional Parameters
Type of allocation policy to determine how a device is assigned to an IoT Hub. If not provided, the allocation policy will be the current allocation policy default set for the Device Provisioning Service instance.
The API version of the provisioning service types sent in the custom allocation request. Minimum supported version: 2018-09-01-preview.
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed.You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}
.
The name of the primary root CA certificate. If attestation with a root CA certificate is desired then a root ca name must be provided.
The path to the file containing the primary certificate. If attestation with an intermediate certificate is desired then a certificate path must be provided.
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
Flag indicating edge enablement.
Etag or entity tag corresponding to the last state of the resource. If no etag is provided the value '*' is used.
Argument 'iot_hub_host_name' has been deprecated and will be removed in a future release. Use '--iot-hubs' instead.
Host name of target IoT Hub. Allocation policy defaults to static if this parameter is provided.
Host name of target IoT Hub associated with the allocation policy. Use space-separated list for multiple IoT Hubs.
Initial device twin properties.
Initial device twin tags.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
The primary symmetric shared access key stored in base64 format.
Enable or disable enrollment entry.
Flag to remove current primary certificate.
Flag to remove current secondary certificate.
Policy to determine how device data should be handled on re-provision to a different IoT Hub.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
The name of the secondary root CA certificate. If attestation with a root CA certificate is desired then a root ca name must be provided.
The path to the file containing the secondary certificate. If attestation with an intermediate certificate is desired then a certificate path must be provided.
The secondary symmetric shared access key stored in base64 format.
The Azure Function webhook URL used for custom allocation requests.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.