Azure Documentation

Internet of Things

Azure IoT Hub Device Provisioning Service (DPS)

The Azure IoT Hub Device Provisioning Service (DPS) is a helper service for IoT Hub that enables zero-touch, just-in-time provisioning of devices. It lets you securely provision devices at scale without manual intervention: DPS authenticates each device, routes it to the correct IoT hub, and registers it there with minimal or no human involvement.

DPS Overview

DPS acts as a broker, enabling you to manage the provisioning of devices to one or more IoT hubs. Key features include:

  • Scalability: Provision millions of devices efficiently.
  • Security: Securely authenticate devices using certificates or keys.
  • Flexibility: Distribute devices across multiple IoT hubs for load balancing or geographic distribution.
  • Automation: Enable zero-touch provisioning for devices.

Figure: DPS Architecture Diagram

Getting Started

To start using DPS, you need to:

  1. Create an Azure IoT Hub instance.
  2. Create a Device Provisioning Service instance in the Azure portal.
  3. Link your DPS instance to your IoT Hub(s).
  4. Configure enrollment(s) for your devices.
  5. Configure your devices to connect to the DPS endpoint.

Prerequisites

  • An Azure subscription.
  • An Azure IoT Hub.

Device Provisioning Workflows

DPS supports several provisioning workflows to cater to different device scenarios:

  • Individual Device Enrollment: Register specific devices with unique IDs and credentials. This is useful for devices that have unique identities.
  • Group Enrollment: Register a group of devices under a common set of policies. This simplifies provisioning for fleets of similar devices.

Enrollment Types

DPS supports two primary enrollment types:

  • Individual Enrollments:
    • Symmetric Keys: Devices authenticate using a shared symmetric key.
    • X.509 Certificates: Devices authenticate using X.509 certificates.
  • Enrollment Groups:
    • Symmetric Keys: Devices in the group share a root symmetric key.
    • X.509 Certificates: Devices authenticate using certificates issued by a common root CA.

Authentication Methods

DPS uses secure authentication methods to verify device identities before provisioning:

  • Symmetric Keys: A secret key is shared between the device and DPS. The device proves its identity by generating a signature using this key.
  • X.509 Certificates: Devices present a client certificate signed by a trusted root certificate authority (CA). DPS verifies the certificate chain.
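The symmetric-key path described above (the shared key in the Authentication Methods list, and the group key that devices in a symmetric-key enrollment group derive from) can be made concrete with the following worked example. It is added here for illustration and is not Azure SDK code or code from this page; it assumes the documented DPS attestation format: a per-device key is HMAC-SHA256 over the registration ID keyed with the group key, and a registration SAS token signs "{idScope}/registrations/{registrationId}" plus an expiry. The ID scope and group key are constructed sample values.

```python
"""Symmetric-key attestation for DPS: key derivation, token signing and
service-side verification. Worked example, not Azure SDK code."""
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample values for this example; a real ID scope and group key
# come from your own DPS instance.
SAMPLE_ID_SCOPE = "0ne00000000"
SAMPLE_GROUP_KEY = base64.b64encode(bytes(range(32))).decode("ascii")


def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Derive a per-device key from an enrollment-group key.

    The device key is HMAC-SHA256 over the registration ID, keyed with the
    decoded group key, returned base64-encoded. Only this derived key is
    installed on the device; the group key itself never leaves the backend.
    """
    group_key = base64.b64decode(group_key_b64)
    digest = hmac.new(group_key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def _resource_uri(id_scope: str, registration_id: str) -> str:
    # The signed resource is "{idScope}/registrations/{registrationId}", URL-encoded.
    return urllib.parse.quote(f"{id_scope}/registrations/{registration_id}", safe="")


def _signature(device_key_b64: str, encoded_uri: str, expiry: int) -> str:
    # The string to sign is the encoded resource URI, a newline, and the expiry.
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    key = base64.b64decode(device_key_b64)
    return base64.b64encode(hmac.new(key, string_to_sign, hashlib.sha256).digest()).decode("ascii")


def build_sas_token(id_scope: str, registration_id: str, device_key_b64: str, expiry: int) -> str:
    """Device side: build the registration SAS token presented to DPS."""
    encoded_uri = _resource_uri(id_scope, registration_id)
    sig = _signature(device_key_b64, encoded_uri, expiry)
    return (
        f"SharedAccessSignature sr={encoded_uri}"
        f"&sig={urllib.parse.quote(sig, safe='')}"
        f"&se={expiry}&skn=registration"
    )


def verify_sas_token(token: str, id_scope: str, registration_id: str,
                     device_key_b64: str, now: int) -> bool:
    """Service side: accept only a token bound to this registration, still
    unexpired, whose signature matches the device key we hold."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = dict(urllib.parse.parse_qsl(token[len(prefix):], keep_blank_values=True))
    if fields.get("skn") != "registration":
        return False
    # parse_qsl has already URL-decoded the resource URI.
    if fields.get("sr") != f"{id_scope}/registrations/{registration_id}":
        return False
    try:
        expiry = int(fields.get("se", ""))
    except ValueError:
        return False
    if expiry <= now:
        return False
    expected = _signature(device_key_b64, _resource_uri(id_scope, registration_id), expiry)
    # Constant-time comparison so signature checking does not leak timing.
    return hmac.compare_digest(expected, fields.get("sig", ""))


if __name__ == "__main__":
    reg_id = "device-001"
    device_key = derive_device_key(SAMPLE_GROUP_KEY, reg_id)
    expiry = int(time.time()) + 3600
    token = build_sas_token(SAMPLE_ID_SCOPE, reg_id, device_key, expiry)
    print(token)
    print("valid:", verify_sas_token(token, SAMPLE_ID_SCOPE, reg_id, device_key, int(time.time())))
```

Two points the example makes that the bullet alone does not: a device provisioned from an enrollment group only ever holds its derived key, so compromise of one device does not expose the group key, and the token is bound to one registration ID and one expiry, so a captured token cannot be replayed for a different device or after it expires.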

Operations

The DPS service exposes several key operations:

Operation                 Description
Register Device           A device requests registration with DPS.
Assign Device to IoT Hub  DPS assigns the device to a suitable IoT hub based on the configured allocation policy.
Create Enrollment         Registers a device or enrollment group with DPS.
Update Enrollment         Modifies an existing enrollment configuration.
Delete Enrollment         Removes a device or enrollment group from DPS.

Monitoring

Monitor your DPS operations and device provisioning status through the Azure portal, Azure Monitor, and by enabling diagnostic logs. This helps in tracking device onboarding and identifying potential issues.

Troubleshooting

Common issues include incorrect connection strings, certificate validation failures, and incorrect enrollment configurations. Review the DPS logs and device logs for detailed error messages. Ensure that your devices are configured with the correct DPS endpoint and identity credentials.

Common Error Codes

  • 401003: Invalid credentials provided.
  • 401004: Device ID not found.
  • 401005: Enrollment not found.