Azure RBAC and Azure Device Update for IoT Hub
For users and applications to access Azure Device Update for IoT Hub, they must be granted access to the Device Update resource. The Device Update service principal must also get access to its associated IoT hub to deploy updates and manage devices.
This article explains how Device Update and Azure IoT Hub use Azure role-based access control (Azure RBAC) to provide authentication and authorization for users and service APIs. The article also describes Microsoft Entra ID authentication for Device Update REST APIs, and support for managed identities in Device Update and Azure IoT Hub.
Device Update access control roles
Device Update supports the following RBAC roles. For more information, see Configure access control to the Device Update account.
| Role Name | Description |
|---|---|
| Device Update Administrator | Has access to all Device Update resources |
| Device Update Reader | Can view all updates and deployments |
| Device Update Content Administrator | Can view, import, and delete updates |
| Device Update Content Reader | Can view updates |
| Device Update Deployments Administrator | Can manage deployments of updates to devices |
| Device Update Deployments Reader | Can view deployments of updates to devices |
You can assign a combination of roles to provide the right level of access. For example, you can use the Device Update Content Administrator role to import and manage updates, but you need the Device Update Deployments Reader role to view the progress of an update. Conversely, with the Device Update Reader role you can view all updates, but you need the Device Update Deployments Administrator role to deploy an update to devices.
Device Update service principal access to IoT Hub
Device Update communicates with its associated IoT hub to deploy and manage updates at scale. To enable this communication, you need to grant the Device Update service principal access to the IoT hub with IoT Hub Data Contributor role.
Granting this permission allows the following deployment, device and update management, and diagnostic actions:
- Create deployment
- Cancel deployment
- Retry deployment
- Get device
You can set this permission from the IoT hub Access Control (IAM) page. For more information, see Configure IoT hub access for the Device Update service principal.
Device Update REST APIs
Device Update uses Microsoft Entra ID for authentication to its REST APIs. To get started, you need to create and configure a client application.
Create a client Microsoft Entra app
To integrate an application or service with Microsoft Entra ID, first register a client application with Microsoft Entra ID. Client application setup varies depending on the authorization flow you need: users, applications, or managed identities. For example:
To call Device Update from a mobile or desktop application, select Public client/native (mobile & desktop) in Select a platform and enter
https://login.microsoftonline.com/common/oauth2/nativeclientfor the Redirect URI.To call Device Update from a website with implicit sign-on, use Web platform. Under Implicit grant and hybrid flows, select Access tokens (used for implicit flows).
Note
Use the most secure authentication flow available. Implicit flow authentication requires a high degree of trust in the application, and carries risks that aren't present in other flows. You should use this flow only when other more secure flows, such as managed identities, aren't viable.
Configure permissions
Next, grant permissions to your app to call Device Update.
- Go to the API permissions page of your app and select Add a permission.
- Go to APIs my organization uses and search for Azure Device Update.
- Select user_impersonation permission and select Add permissions.
Request authorization token
The Device Update REST API requires an OAuth 2.0 authorization token in the request header. The following sections show examples of some ways to request an authorization token.
Azure CLI
az login
az account get-access-token --resource 'https://api.adu.microsoft.com/'
PowerShell MSAL Library
MSAL.PS PowerShell module is a wrapper over Microsoft Authentication Library for .NET (MSAL .NET) that supports various authentication methods.
User credentials:
$clientId = '<app_id>' $tenantId = '<tenant_id>' $authority = "https://login.microsoftonline.com/$tenantId/v2.0" $Scope = 'https://api.adu.microsoft.com/user_impersonation' Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $ScopeUser credentials with device code:
$clientId = '<app_id>’ $tenantId = '<tenant_id>’ $authority = "https://login.microsoftonline.com/$tenantId/v2.0" $Scope = 'https://api.adu.microsoft.com/user_impersonation' Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -Interactive -DeviceCodeApp credentials:
$clientId = '<app_id>’ $tenantId = '<tenant_id>’ $cert = '<client_certificate>' $authority = "https://login.microsoftonline.com/$tenantId/v2.0" $Scope = 'https://api.adu.microsoft.com/.default' Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -ClientCertificate $cert
Support for managed identities
Managed identities provide Azure services with secure, automatically managed Microsoft Entra ID identities. Managed identities eliminate the need for developers to manage credentials by providing identities. Device Update supports system-assigned managed identities.
To add a system-assigned managed identity for Device Update:
- In the Azure portal, go to your Device Update account.
- In the left navigation, select Settings > Identity.
- Under System assigned on the Identity page, set Status to On.
- Select Save, and then select Yes.
To add a system-assigned managed identity for IoT Hub:
- In the Azure portal, go to your IoT hub.
- In the left navigation, select Security settings > Identity.
- Under System-assigned on the Identity page, select On under Status.
- Select Save, and then select Yes.
To remove system-assigned managed identity from a Device Update account or IoT hub, set or select Off on the Identity page, and then select Save.