
Azure IoT Hub: Setting Up Device Provisioning

This guide walks you through the essential steps to set up and configure Azure IoT Hub's Device Provisioning Service (DPS). DPS simplifies the process of onboarding new devices to your IoT Hub securely and at scale.

Step 1: Create an Azure IoT Hub Instance

Before setting up DPS, you need an existing Azure IoT Hub. If you don't have one, follow these instructions:

  1. Navigate to the Azure portal.
  2. Click Create a resource.
  3. Search for "IoT Hub" and select it.
  4. Click Create.
  5. Fill in the required details: Subscription, Resource group, Region, and IoT Hub name. Choose a pricing tier appropriate for your needs.
  6. Click Review + create, then Create.
Note: Ensure your IoT Hub is deployed and accessible before proceeding.

Step 2: Create an Azure IoT Hub Device Provisioning Service Instance

  1. In the Azure portal, click Create a resource.
  2. Search for "Device Provisioning Service" and select it.
  3. Click Create.
  4. Configure the following:
    • Subscription: Select your Azure subscription.
    • Resource group: Choose an existing or create a new one.
    • Region: Select a region close to your IoT Hub.
    • Name: Provide a unique name for your DPS instance.
    • Pricing tier: there is no tier or mode to choose; DPS has a single pricing tier (S1). You can link multiple IoT hubs to the instance later.
  5. Click Review + create, then Create.

Step 3: Link Your IoT Hub to the Device Provisioning Service

This step establishes the connection between your DPS instance and your IoT Hub, allowing devices provisioned via DPS to be automatically registered with your IoT Hub.

  1. Navigate to your newly created Device Provisioning Service instance in the Azure portal.
  2. Under Settings, select Linked IoT hubs.
  3. Click + Add.
  4. Select your existing IoT Hub from the dropdown list.
  5. Choose the Access policy DPS will use for the link. The provisioning service only needs to write device identities into the hub's identity registry, so prefer the hub's built-in registryReadWrite policy, which grants exactly registry read and write. iothubowner also works and is what most quick-start guides use, but it additionally grants service connect and device connect rights that the provisioning service does not need, so avoid it in production.
  6. Click Save.
Important: Whatever policy you pick must include the Registry Write permission, or DPS cannot create device identities in the hub.

Step 4: Configure Enrollment Groups or Individual Enrollments

DPS uses enrollments to manage how devices are provisioned. You can use Enrollment Groups for bulk provisioning (e.g., all devices of a certain type) or Individual Enrollments for specific devices.

4.1 Enrollment Groups (Recommended for Scale)

  1. In your DPS instance, navigate to Manage enrollments.
  2. Click + Add enrollment group.
  3. Enrollment group ID: A unique identifier for this group (e.g., my-iot-devices).
  4. Attestation mechanism:
    • Symmetric key: Easiest to start with. DPS generates a primary and secondary key for the group. Each device authenticates with a device key derived from one of these group keys and its own registration ID; the group key itself is never used by a device.
    • X.509 certificates: Devices present leaf certificates that chain to a CA or intermediate certificate you register with the group (either uploaded and verified on the DPS instance, or uploaded to the enrollment group directly). The certificate's subject common name becomes the device's registration ID. Self-signed leaf certificates cannot be used for a group; they are enrolled individually by thumbprint.
  5. Select how you want to assign devices to hubs: the allocation policy DPS applies when a device in this group registers (Evenly weighted distribution, Lowest latency, Static configuration, or Custom, which calls an Azure Function you write).
  6. Select the IoT hubs this group can be assigned to: ensure the IoT Hub you linked in Step 3 is selected here.
  7. Click Save.

4.2 Individual Enrollments

Use this for provisioning specific devices with unique identities. The process is similar to enrollment groups but applies to a single device.

  1. Navigate to Manage enrollments and click + Add individual enrollment.
  2. Provide a unique Registration ID. It is a case-insensitive string of up to 128 characters drawn from letters, digits and '-', '.', '_', ':', ending in a letter, digit or '-'; a device serial number is a common choice. The registration ID is an identifier, not a secret. For X.509 attestation it must match the certificate's subject common name.
  3. Configure the Attestation mechanism (symmetric key, an X.509 self-signed or CA-signed device certificate, or TPM) and select the target IoT Hub.
  4. Click Save.
Tip: For production, prefer X.509 certificates over symmetric keys, ideally CA-signed certificates issued by a PKI you control with the device private key generated in and never leaving a TPM or secure element. A shared secret that has to be written to the device can be read back and cloned; a private key held in hardware cannot.

Step 5: Obtain the ID Scope and Device Credentials

For a device to register, its provisioning client needs four pieces of information:

  1. The global device endpoint, global.azure-devices-provisioning.net. It is the same for every DPS instance.
  2. The ID Scope of your DPS instance, shown on its Overview page. It identifies your instance at the global endpoint and is not a secret.
  3. The device's Registration ID.
  4. The device's attestation credential: its derived device key (symmetric key), its device certificate and private key (X.509), or access to its TPM.

Note: When using a symmetric-key enrollment group, never copy the group's primary or secondary key onto a device or into device code. Derive each device's key once, in the back office or on the production line, as HMAC-SHA256 keyed with the (base64-decoded) group key over the device's registration ID, base64 encoded, and store only that derived key on the device. DPS performs the same derivation at registration time, so a leaked device key exposes one device, not the whole group.
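The derivation described above, and the registration SAS token a symmetric-key device presents to DPS, as an added Python example; this is not code from the page or from the Azure IoT SDKs. The group key, ID Scope and registration ID are constructed placeholders, and verify_registration_sas plays the service side, re-deriving the device key from the registration ID carried in the token, which is what lets DPS authenticate any device in the group without storing a secret per device.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import quote, unquote

# Constructed sample values, not real credentials. GROUP_PRIMARY_KEY stands in
# for the base64 primary key DPS shows on an enrollment group; ID_SCOPE is a
# placeholder with the right shape (real values start with "0ne").
GROUP_PRIMARY_KEY = base64.b64encode(b"constructed-enrollment-group-key-01234567").decode()
ID_SCOPE = "0ne00000000"
REGISTRATION_ID = "sensor-0042"
GLOBAL_ENDPOINT = "global.azure-devices-provisioning.net"


def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Per-device key for a symmetric-key enrollment group.

    DPS defines it as HMAC-SHA256 keyed with the base64-decoded group key
    over the registration ID, base64 encoded. This runs in the back office
    or on the production line; only the result goes onto the device.
    """
    key = base64.b64decode(group_key_b64)
    mac = hmac.new(key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def _resource_uri(id_scope: str, registration_id: str) -> str:
    # The resource the token grants access to, URL-encoded exactly as it
    # appears both in the 'sr' field and in the string that is signed.
    return quote(f"{id_scope}/registrations/{registration_id}", safe="")


def build_registration_sas(id_scope: str, registration_id: str, device_key_b64: str,
                           ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Device side: the SAS token presented to DPS when registering.

    The signature covers '<encoded sr>' + newline + '<expiry>'; the key name
    (skn) is always 'registration'. Signed with the derived device key only.
    """
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    sr = _resource_uri(id_scope, registration_id)
    to_sign = f"{sr}\n{expiry}".encode("utf-8")
    sig = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    sig_b64 = quote(base64.b64encode(sig).decode(), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig_b64}&se={expiry}&skn=registration"


def verify_registration_sas(token: str, group_key_b64: str, now: Optional[int] = None) -> bool:
    """Service side: how a group key authenticates any device in the group.

    Parses the registration ID out of 'sr', re-derives that device's key from
    the group key, recomputes the signature and compares in constant time.
    Malformed, expired and foreign-key tokens are rejected.
    """
    now = int(time.time()) if now is None else now
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = dict(part.split("=", 1) for part in token[len(prefix):].split("&"))
        sr, sig, expiry, skn = fields["sr"], fields["sig"], int(fields["se"]), fields["skn"]
    except (KeyError, ValueError):
        return False
    if skn != "registration" or expiry <= now:
        return False
    scope_and_id = unquote(sr).split("/registrations/")
    if len(scope_and_id) != 2:
        return False
    device_key = base64.b64decode(derive_device_key(group_key_b64, scope_and_id[1]))
    expected = hmac.new(device_key, f"{sr}\n{expiry}".encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(expected).decode(), unquote(sig))


if __name__ == "__main__":
    device_key = derive_device_key(GROUP_PRIMARY_KEY, REGISTRATION_ID)
    token = build_registration_sas(ID_SCOPE, REGISTRATION_ID, device_key)
    print("derived device key:", device_key)
    print("token for", GLOBAL_ENDPOINT, ":", token)
    print("verifies:", verify_registration_sas(token, GROUP_PRIMARY_KEY))
```

Note the asymmetry the scheme buys you: the device holds only device_key and can sign for its own registration ID, while the service holds the group key and can check any member. Changing the registration ID in a captured token, reusing it after expiry, or signing with a key derived from a different group all fail verification.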

Next Steps

Once your Azure IoT Hub and Device Provisioning Service are set up and linked, you can proceed to onboard your IoT devices. This typically involves:

  1. Installing the provisioning client from the Azure IoT device SDK for your platform.
  2. Configuring the device with the global endpoint, your ID Scope, its registration ID and its attestation credential.
  3. Having the device register with DPS. DPS validates the credential against the matching enrollment, applies the allocation policy, creates the device identity in the assigned IoT Hub and returns that hub's hostname and the assigned device ID.
  4. Connecting the device to the assigned IoT Hub using the returned hostname and its credential. The device should cache this assignment and only call DPS again when it can no longer connect, rather than on every boot.

Refer to the specific device SDK documentation for your chosen platform for implementation details.