Quickstart: Set up IoT Hub Device Provisioning Service with the Azure portal

In this quickstart, you learn how to set up Azure IoT Hub Device Provisioning Service in the Azure portal. Device Provisioning Service enables zero-touch, just-in-time device provisioning to any IoT hub. The Device Provisioning Service enables customers to provision millions of IoT devices in a secure and scalable manner, without requiring human intervention. Azure IoT Hub Device Provisioning Service supports IoT devices with TPM, symmetric key, and X.509 certificate authentications.

Before you can provision your devices, you first perform the following steps:

  • Use the Azure portal to create an IoT hub
  • Use the Azure portal to create an IoT Hub Device Provisioning Service instance
  • Link the IoT hub to the Device Provisioning Service instance

Prerequisites

If you don't have an Azure subscription, create a free Azure account before you begin.

Create an IoT hub

This section describes how to create an IoT hub using the Azure portal.

  1. Sign in to the Azure portal.

  2. On the Azure homepage, select the + Create a resource button.

  3. From the Categories menu, select Internet of Things, and then select IoT Hub.

  4. On the Basics tab, complete the fields as follows:

    Important

    Because the IoT hub will be publicly discoverable as a DNS endpoint, be sure to avoid entering any sensitive or personally identifiable information when you name it.

    | Property | Value |
    | --- | --- |
    | Subscription | Select the subscription to use for your hub. |
    | Resource group | Select a resource group or create a new one. To create a new one, select Create new and fill in the name you want to use. |
    | IoT hub name | Enter a name for your hub. This name must be globally unique, with a length between 3 and 50 alphanumeric characters. The name can also include the dash ('-') character. |
    | Region | Select the region, closest to you, where you want your hub to be located. Some features, such as IoT Hub device streams, are only available in specific regions. For these limited features, you must select one of the supported regions. |
    | Tier | Select the tier that you want to use for your hub. Tier selection depends on how many features you want and how many messages you send through your solution per day. The free tier is intended for testing and evaluation. The free tier allows 500 devices to be connected to the hub and up to 8,000 messages per day. Each Azure subscription can create one IoT hub in the free tier. To compare the features available to each tier, select Compare tiers. For more information, see Choose the right IoT Hub tier for your solution. |
    | Daily message limit | Select the maximum daily quota of messages for your hub. The available options depend on the tier you've selected for your hub. To see the available messaging and pricing options, select See all options and select the option that best matches the needs of your hub. For more information, see IoT Hub quotas and throttling. |

    Screen capture that shows how to create an IoT hub in the Azure portal.

    Note

    Prices shown are for example purposes only.

  5. Select Next: Networking to continue creating your hub.

  6. On the Networking tab, complete the fields as follows:

    | Property | Value |
    | --- | --- |
    | Connectivity configuration | Choose the endpoints that devices can use to connect to your IoT hub. Accept the default setting, Public access, for this example. You can change this setting after the IoT hub is created. For more information, see Managing public network access for your IoT hub. |
    | Minimum TLS Version | Select the minimum TLS version to be supported by your IoT hub. Once the IoT hub is created, this value can't be changed. Accept the default setting, 1.0, for this example. Because the value is fixed at creation and TLS 1.0 is deprecated, select 1.2 instead for a hub that you intend to keep beyond this example. |

    Screen capture that shows how to choose the endpoints that can connect to a new IoT hub.

  7. Select Next: Management to continue creating your hub.

  8. On the Management tab, accept the default settings. If desired, you can modify any of the following fields:

    | Property | Value |
    | --- | --- |
    | Permission model | Part of role-based access control, this property decides how you manage access to your IoT hub. Allow shared access policies or choose only role-based access control. For more information, see Control access to IoT Hub by using Microsoft Entra ID. |
    | Assign me | You may need access to IoT Hub data APIs to manage elements within an instance. If you have access to role assignments, select IoT Hub Data Contributor role to grant yourself full access to the data APIs. To assign Azure roles, you must have Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner. |
    | Device-to-cloud partitions | This property relates the device-to-cloud messages to the number of simultaneous readers of the messages. Most IoT hubs need only four partitions. |

    Screen capture that shows how to set the role-based access control and scale for a new IoT hub.

  9. Select Next: Add-ons to continue to the next screen.

  10. On the Add-ons tab, accept the default settings. If desired, you can modify any of the following fields:

    | Property | Value |
    | --- | --- |
    | Enable Device Update for IoT Hub | Turn on Device Update for IoT Hub to enable over-the-air updates for your devices. If you select this option, you're prompted to provide information to provision a Device Update for IoT Hub account and instance. For more information, see What is Device Update for IoT Hub? |
    | Enable Defender for IoT | Turn Defender for IoT on to add an extra layer of protection to IoT and your devices. This option isn't available for hubs in the free tier. Learn more about security recommendations for IoT Hub in Defender for IoT. |

    Screen capture that shows how to set the optional add-ons for a new IoT hub.

    Note

    Prices shown are for example purposes only.

  11. Select Next: Tags to continue to the next screen.

    Tags are name/value pairs. You can assign the same tag to multiple resources and resource groups to categorize resources and consolidate billing. In this document, you won't be adding any tags. For more information, see Use tags to organize your Azure resources.

    Screen capture that shows how to assign tags for a new IoT hub.

  12. Select Next: Review + create to review your choices.

  13. Select Create to start the deployment of your new hub. The deployment takes a few minutes while the hub is being created. Once the deployment is complete, select Go to resource to open the new hub.
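
The following is an added example, not part of the original quickstart: a Python check that reviews an exported hub definition against the choices made on the Basics, Networking and Management tabs above. The JSON field names (`minTlsVersion`, `publicNetworkAccess`, `disableLocalAuth`) are assumed to follow the Microsoft.Devices/IotHubs resource shape, and the sample document and hub name are constructed.

```python
import json
import re

# Constructed sample, shaped like an exported Microsoft.Devices/IotHubs resource.
# Field names are assumptions about that export format; values are illustrative.
SAMPLE_HUB = json.loads("""
{
  "name": "contoso-line3-hub",
  "properties": {
    "minTlsVersion": "1.0",
    "publicNetworkAccess": "Enabled",
    "disableLocalAuth": false
  }
}
""")

NAME_RULE = re.compile(r"^[A-Za-z0-9-]{3,50}$")  # 3-50 alphanumerics or '-'


def review_hub(hub):
    """Return (setting, finding) pairs for the settings chosen in the wizard."""
    findings = []
    props = hub.get("properties", {})
    name = hub.get("name", "")

    if not NAME_RULE.fullmatch(name):
        findings.append(("name", "does not meet the 3-50 alphanumeric/dash rule"))

    # Minimum TLS version is fixed at creation, so it is worth flagging early.
    tls = props.get("minTlsVersion") or "1.0"  # absent is treated as the default
    if tuple(int(p) for p in tls.split(".")) < (1, 2):
        findings.append(("minTlsVersion", f"{tls} allows deprecated TLS; recreate with 1.2"))

    # Networking tab: the quickstart accepts Public access, which can be changed later.
    if props.get("publicNetworkAccess", "Enabled") == "Enabled":
        findings.append(("publicNetworkAccess", "public endpoint enabled; restrict if not needed"))

    # Permission model: shared access policies stay usable unless local auth is disabled.
    if not props.get("disableLocalAuth", False):
        findings.append(("disableLocalAuth", "shared access policies allowed alongside RBAC"))

    return findings


if __name__ == "__main__":
    for setting, finding in review_hub(SAMPLE_HUB):
        print(f"{setting}: {finding}")
```

A hub created with the quickstart defaults produces three findings; only the TLS finding cannot be resolved without recreating the hub.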

Create a new IoT Hub Device Provisioning Service instance

  1. In the Azure portal, select Create a resource.

  2. From the Categories menu, select Internet of Things, and then select IoT Hub Device Provisioning Service.

  3. On the Basics tab, provide the following information:

    | Property | Value |
    | --- | --- |
    | Subscription | Select the subscription to use for your Device Provisioning Service instance. |
    | Resource group | This field allows you to create a new resource group, or choose an existing one to contain the new instance. Choose the same resource group that contains the IoT hub that you created in the previous steps. By putting all related resources in a group together, you can manage them together. |
    | Name | Provide a unique name for your new Device Provisioning Service instance. If the name you enter is available, a green check mark appears. |
    | Region | Select a location that's close to your devices. For resiliency and reliability, we recommend deploying to one of the regions that support Availability Zones. |

    Screenshot showing the Basics tab of the IoT Hub device provisioning service. Enter basic information about your Device Provisioning Service instance in the portal.

  4. Select Review + create to validate your provisioning service.

  5. Select Create to start the deployment of your Device Provisioning Service instance.

  6. After the deployment successfully completes, select Go to resource to view your Device Provisioning Service instance.

Link the IoT hub to the Device Provisioning Service instance

In this section, you add a configuration to the Device Provisioning Service instance. This configuration sets the IoT hub to which the instance provisions IoT devices.

  1. In the Settings menu of your Device Provisioning Service instance, select Linked IoT hubs.

  2. Select Add.

  3. On the Add link to IoT hub panel, provide the following information:

    | Property | Value |
    | --- | --- |
    | Subscription | Select the subscription containing the IoT hub that you want to link with your new Device Provisioning Service instance. |
    | IoT hub | Select the IoT hub to link with your new Device Provisioning Service instance. |
    | Access Policy | Select iothubowner (RegistryWrite, ServiceConnect, DeviceConnect) as the credentials for establishing the link with the IoT hub. |

    Screenshot showing how to link an IoT hub to the Device Provisioning Service instance in the portal.

  4. Select Save.

  5. Select Refresh. You should now see the selected hub under the list of Linked IoT hubs.

Clean up resources

The rest of the Device Provisioning Service quickstarts and tutorials use the resources that you created in this quickstart. However, if you don't plan on doing any more quickstarts or tutorials, delete these resources.

To clean up resources in the Azure portal:

  1. In the Azure portal, navigate to the resource group that you used in this quickstart.

  2. If you want to delete the resource group and all of the resources it contains, select Delete resource group.

    Otherwise, select your Device Provisioning Service instance and your IoT hub from the list of resources, then select Delete.

Next steps

In this quickstart, you deployed an IoT hub and a Device Provisioning Service instance, and then linked the two resources. To learn how to use this setup to provision a device, continue to the quickstart for creating a device.