Device Update for IoT Hub resource management

An IoT hub. It's recommended that you use an S1 (Standard) tier or above.

• An IoT hub. It's recommended that you use an S1 (Standard) tier or above.

• An Azure CLI environment:

  • Use the Bash environment in Azure Cloud Shell.

    

  • Or, if you prefer to run CLI reference commands locally, install the Azure CLI

    • Sign in to the Azure CLI by using the az login command.

    • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

    • When prompted, install Azure CLI extensions on first use. The commands in this article use the azure-iot extension. Run az extension update --name azure-iot to make sure you're using the latest version of the extension.

1. In the Azure portal, select Create a Resource and search for "Device Update for IoT Hub"

   

2. Select Create > Device Update for IoT Hub

3. On the Basics tab, provide the following information for your Device Update account:

   • Subscription: The Azure subscription to be associated with your Device Update account.
   • Resource group: An existing or new resource group.
   • Name: A name for your account.
   • Location: The Azure region where your account will be located. For information about which regions support Device Update for IoT Hub, see Azure Products-by-region page.

   Note

   Your Device Update account doesn't need to be in the same region as your IoT hubs, but for better performance it is recommended that you keep them geographically close.

   

4. Optionally, you can check the box to assign the Device Update administrator role to yourself. You can also use the steps listed in the Configure access control roles section to provide a combination of roles to users and applications for the right level of access.

   You need to have Owner or User Access Administrator permissions in your subscription to manage roles.

5. Select Next: Instance

   An instance of Device Update is associated with a single IoT hub. Select the IoT hub that will be used with Device Update. When you link an IoT hub to a Device Update instance, a new shared access policy is automatically created give Device Update permissions to work with IoT Hub (registry write and service connect). This policy ensures that access is only limited to Device Update.

6. On the Instance tab, provide the following information for your Device Update instance:

   • Name: A name for your instance.
   • IoT Hub details: Select an IoT hub to link to this instance.

   

7. Select Next: Review + Create. After validation, select Create.

   

8. You'll see that your deployment is in progress. The deployment status will change to "complete" in a few minutes. When it does, select Go to resource

   

Use the az iot device-update account create command to create a new Device Update account.

Replace the following placeholders with your own information:

• <resource_group>: An existing resource group in your subscription.

• <account_name>: A name for your Device Update account.

• <region>: The Azure region where your account will be located. For information about which regions support Device Update for IoT Hub, see Azure Products-by-region page. If no region is provided, the resource group's location is used.

  Note

  Your Device Update account doesn't need to be in the same region as your IoT hubs, but for better performance it is recommended that you keep them geographically close.

az iot device-update account create --resource-group <resource_group> --account <account_name> --location <region>

Use the az iot device-update instance create command to create a Device Update instance.

An instance of Device Update is associated with a single IoT hub. Select the IoT hub that will be used with Device Update. When you link an IoT hub to a Device Update instance, a new shared access policy is automatically created give Device Update permissions to work with IoT Hub (registry write and service connect). This policy ensures that access is only limited to Device Update.

Replace the following placeholders with your own information:

• <account_name>: The name of the Device Update account that this instance will be associated with.
• <instance_name>: A name for this instance.
• <iothub_id>: The resource ID for the IoT hub that will be linked to this instance. You can retrieve your IoT hub resource ID by using the az iot hub show command and querying for the ID value: az iot hub show -n <iothub_name> --query id.

az iot device-update instance create --account <account_name> --instance <instance_name> --iothub-ids <iothub_id>

1. In your Device Update account, select Access control (IAM) from the navigation menu.

   

2. Select Add role assignments.

3. On the Role tab, select a Device Update role from the available options:

   • Device Update Administrator
   • Device Update Reader
   • Device Update Content Administrator
   • Device Update Content Reader
   • Device Update Deployments Administrator
   • Device Update Deployments Reader

   For more information, Learn about Role-based access control in Device Update for IoT Hub.

   

4. Select Next

5. On the Members tab, select the users or groups that you want to assign the role to.

   

6. Select Review + assign

7. Review the new role assignments and select Review + assign again

8. You're now ready to use Device Update from within your IoT Hub

The following roles are available for assigning access to Device Update:

• Device Update Administrator
• Device Update Reader
• Device Update Content Administrator
• Device Update Content Reader
• Device Update Deployments Administrator
• Device Update Deployments Reader

For more information, Learn about Role-based access control in Device Update for IoT Hub.

Use the az role assignment create command to configure access control for your Device Update account.

Replace the following placeholders with your own information:

• <role>: The Device Update role that you're assigning.
• <user_group>: The user or group that you want to assign the role to.
• <account_id>: The resource ID for the Device Update account that the user or group will get access to. You can retrieve the resource ID by using the az iot device-update account show command and querying for the ID value: az iot device-update account show -n <account_name> --query id.

az role assignment create --role '<role>' --assignee <user_group> --scope <account_id>

1. In the Azure portal, navigate to the IoT hub connected to your Device Update instance.
2. Select Access Control(IAM) from the navigation menu.
3. Select Add > Add role assignment.
4. In the Role tab, select IoT Hub Data Contributor. Select Next.
5. For Assign access to, select User, group, or service principal.
6. Select Select Members and search for 'Azure Device Update'
7. Select Next > Review + Assign

To validate that you've set permissions correctly:

1. In the Azure portal, navigate to the IoT hub connected to your Device Update instance.
2. Select Access Control(IAM) from the navigation menu.
3. Select Check access.
4. Select User, group, or service principal and search for 'Azure Device Update'
5. After clicking on Azure Device Update, verify that the IoT Hub Data Contributor role is listed under Role assignments

Use the az role assignment create command to create a role assignment for the Azure Device Update service principal.

Replace <resource_id> with the resource ID of your IoT hub. You can retrieve the resource ID by using the az iot hub show command and querying for the ID value: az iot hub show -n <hub_name> --query id.

az role assignment create --role "IoT Hub Data Contributor" --assignee https://api.adu.microsoft.com/ --scope <resource_id>

1. To view all Device Update accounts, use the Azure portal to search for the Device Update for IoT Hubs service.

   • Use the Grouping dropdown menu to group account by subscription, resource group, location, and other conditions.
   • Select Add filter to filter the list of accounts by resource group, location, tags, and other conditions.

2. To view all instances in an account, navigate to that account in the Azure portal. Select Instances from the Instance management section of the menu

   • Use the search box to filter instances.

To view all Device Update accounts, use the az iot device-update account list command.

az iot device-update account list 

To view all instances in an account, use the az iot device-update instance list command.

az iot device-update instance list --account <account_name>

Both list commands support additional grouping and filter operations. Use the --query argument to find accounts or instances based on conditions like tags. For example, --query "[?tags.env == 'test']". Use the --output argument to format the results. For example, --output table.