Azure IoT Security | Microsoft Docs

Azure IoT Security Overview

Azure IoT provides a comprehensive set of security features that protect your solution from device to cloud. This guide covers authentication, data protection, device lifecycle, and best practices.

Table of Contents

Device Authentication
Data Protection (TLS)
Access Control & IAM
Device Provisioning & Lifecycle
Monitoring & Auditing
Security Best Practices

Device Authentication

Azure IoT Hub supports symmetric key, X.509 certificates, and TPM-based authentication.

Symmetric Key (SAS)

Devices generate a Signature based on a shared access key.

import hmac, hashlib, base64, urllib.parse

def generate_sas(key, uri, expiry):
    ttl = str(int(expiry))
    sign_key = urllib.parse.quote_plus(key)
    raw = f"{uri}\n{ttl}"
    digest = hmac.new(base64.b64decode(sign_key), raw.encode('utf-8'), hashlib.sha256).digest()
    signature = urllib.parse.quote_plus(base64.b64encode(digest))
    return f"SharedAccessSignature sr={uri}&sig={signature}&se={ttl}"

X.509 Certificates

Provides asymmetric authentication using a certificate chain trusted by the IoT Hub.

# Example: Using OpenSSL to generate a self‑signed cert
openssl req -new -x509 -days 365 -nodes -out device_cert.pem -keyout device_key.pem

TPM (Hardware Security Module)

Leverages hardware backed keys for secure storage and attestation.

Data Protection (TLS)

All communication between devices and IoT Hub is encrypted using TLS 1.2 or higher.

Enforce tlsVersion=1.2 in connection strings.
Validate server certificates to prevent man‑in‑the‑middle attacks.
Use Azure Private Link for isolated networking.

Access Control & IAM

Azure Role‑Based Access Control (RBAC) governs who can manage IoT resources.

Role	Scope	Permissions
IoT Hub Owner	Resource Group	Full control
IoT Hub Data Contributor	IoT Hub	Send/receive telemetry
IoT Hub Reader	Subscription	Read‑only

Device Provisioning & Lifecycle

Use the Azure Device Provisioning Service (DPS) for zero‑touch enrollment.

Register enrollment groups with X.509 certificates.
Configure IoT Hub allocation policy (linked hub, custom).
Device obtains provisioning payload and securely connects.

Monitoring & Auditing

Enable Azure Monitor and Azure Security Center to track security events.

IoT Hub diagnostic logs → Log Analytics workspace.
Set alerts for suspicious authentication attempts.
Review audit logs for RBAC changes.

Security Best Practices

Rotate device keys and certificates regularly.
Prefer X.509 over symmetric keys for production deployments.
Use managed identities for backend services accessing IoT Hub.
Apply network isolation (VNET integration, private endpoints).
Enable IoT Hub device‑twin versioning to detect unexpected changes.