Table of contents

1. Introduction
2. Azure Active Directory Integration
   2.1. Azure RBAC role
   2.2. IoT Service Hub APIs Permissions
   2.3. Azure AD access in Azure Portal
   2.4. Azure IoT extension for Azure CLI
3. Shared access signatures
   3.1. IoT hub-level shared access policies
        3.1.1. ServiceConnect
        3.1.2. DeviceConnect
        3.1.3. RegistryRead
        3.1.4. RegistryReadWrite
   3.2. SAS tokens
   3.3. Authenticating a device to IoT Hub
   3.4. Token service to integrate existing devices
4. Frequently Asked Questions
   4.1. How does Azure IoT Hub device provisioning service provide security credentials?
   4.2. What is an IoT Identity Registry?
   4.3. What are Per-device security credentials?
5. Conclusion
Last Updated: Mar 27, 2024

Control Access to Azure IoT Hub

Author Yashesvinee V

Introduction

Azure IoT Hub facilitates highly secure and reliable communication between IoT applications and their connected devices. It is a cloud-hosted solution that can connect to virtually any device. It offers per-device authentication, built-in device management and scaled provisioning to help developers build efficient IoT solutions. Access to Azure IoT Hub can be configured to suit the user's needs: it provides various options to grant permissions and control access to each IoT Hub endpoint. There are two main ways to control access to IoT Hub in Azure: Azure Active Directory integration and Shared Access Signatures.

Azure Active Directory Integration

Azure Active Directory is an enterprise identity service that provides multi-factor authentication, single sign-on and conditional access to guard against most cybersecurity attacks. Its identity control plane grants complete visibility of your environment and ensures that only the right people can access the resources when needed. Azure RBAC (role-based access control) is an authorisation system built on Azure Resource Manager to provide fine-grained access management of Azure resources. The integration between Azure AD and Azure RBAC is supported only for the IoT Hub service APIs.

Azure AD can authenticate requests to the service APIs of IoT Hub, not to the device APIs. When an access request arrives, the identity is authenticated first. The request must carry an OAuth 2.0 access token at runtime. Applications running in an Azure resource such as an Azure VM or Azure App Service do not need to manage credentials themselves and can be represented by a managed identity. Authentication is followed by authorisation: IoT Hub uses Azure AD's role assignment service to determine the permissions granted to the identity, and authorises the request if those permissions match the requested resource or API.

Azure RBAC role

Azure IoT Hub provides some in-built roles to allow access to its service APIs. They are as follows.

Assigning RBAC roles requires knowing the resource scope the identity should be allowed. The levels of scope, starting from the narrowest, are as follows.

  1. The IoT hub - the smallest scope that can be granted to an identity.
  2. The resource group - at this scope, the role has access to all IoT hubs in the resource group.
  3. The subscription - at this level, the role has access to all IoT hubs in all resource groups under the subscription.
  4. A management group - the largest scope offered; the role can access all IoT hubs in all resource groups in all subscriptions in the management group.

IoT Service Hub APIs Permissions

Permissions can be set to specific roles to perform operations such as create, update, read, write or delete. All the following permissions are prefixed with Microsoft.Devices/IoTHubs/.

Azure AD access in Azure Portal

When requesting access to IoT Hub, the Azure portal first checks if the identity has already been assigned an Azure role with Microsoft.Devices/iotHubs/listkeys/action. If it does, the Azure portal uses keys from shared access policies to access IoT Hub. Otherwise, the Azure portal tries to access data using the identity’s Azure AD account.

Accessing IoT Hub from the Azure portal using an Azure AD account requires permissions to access IoT Hub data resources and to go to an IoT Hub resource in the Azure portal. The built-in roles provided by IoT Hub only grant access to resources like devices and twins and not to the IoT Hub resource. This requires the assignment of an Azure Resource Manager role like Reader. The Reader role is a restricted role that only allows navigation in the portal. It doesn't include the permission to access all IoT Hub data resources via shared access policies.

Azure IoT extension for Azure CLI

The type of authentication can be controlled with the --auth-type parameter, which accepts the values key or login. The key value is the default.

With --auth-type key, the Azure CLI automatically discovers a suitable shared access policy to interact with IoT Hub. With --auth-type login, an access token for the identity logged in to the Azure CLI is used for the operation instead.

Shared access signatures

IoT hub-level shared access policies

SAS lets users group permissions and grant them to applications via access keys or signed security tokens. Shared access policies grant a combination of permissions to access any IoT Hub endpoint. Some of the default policies are described below.

ServiceConnect

This permission grants access to cloud service-facing communication and monitoring endpoints.

It can receive and send device-to-cloud messages and retrieve the corresponding delivery acknowledgements. It has access to twins to update tags and desired properties. Back-end cloud services use this permission.

DeviceConnect

This permission grants access to device-facing endpoints. It can send device-to-cloud messages and receive cloud-to-device messages. It can also perform file uploading from a device.

It has the permission to receive device twin desired property notifications and update their reported properties. Devices use this permission.

RegistryRead

This permission grants read access to the identity registry and is used by back-end cloud services.

RegistryReadWrite

This permission grants read and write access to the identity registry and is used by back-end cloud services.

SAS tokens

Shared Access Signature Tokens can authenticate devices and services to avoid sending keys on the wire. They are limited in time validity and scope. Azure IoT SDKs can automatically generate tokens without any special configuration except in some cases. 

SAS tokens can grant time-bounded access to specific functionality in IoT Hub for devices and services. To connect to IoT Hub, devices and services must present SAS tokens signed with either a shared access key or a symmetric key. Symmetric keys are stored in the identity registry.

A token signed with a shared access key grants access to all the associated functionality with the shared access policy permissions. A token signed with a device identity's symmetric key only grants DeviceConnect permission.

A SAS token has the following format:

SharedAccessSignature sig={signature-string}&se={expiry}&skn={policyName}&sr={URL-encoded-resourceURI}

Authenticating a device to IoT Hub

Any X.509 certificate can be used to authenticate a device with IoT Hub. For additional security, an IoT hub can be configured to disable SAS authentication for devices and modules, leaving X.509 as the only accepted authentication option. The other option is to obtain DeviceConnect permission with a SAS token signed using either the device's symmetric key or a shared access key.

All functionality accessible from devices is exposed by design on endpoints with prefix /devices/{deviceId}.

Token service to integrate existing devices

The IoT Hub identity registry can be used to configure per-device/module security credentials and access control using tokens. If an IoT solution already has a custom identity registry, a token service to integrate this infrastructure with IoT Hub can be created. A token service is a custom cloud service that uses an IoT Hub shared access policy with DeviceConnect permission. These tokens can allow a device or module to connect to the IoT hub. The IoT hub disconnects the device/module connection when the token expires. The device must request a new token from the token service. 
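The following Python is an added example, not code from the article or from Azure's SDKs. It implements the SAS token format given in the SAS tokens section for the two cases the text distinguishes (a device token signed with the device's symmetric key, which carries no skn, and a token-service token for a /devices/{deviceId} resource signed with a shared access policy key, which does) and shows the receiving side's expiry and signature check. The hub host, device id, policy name and key are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed sample values: not a real hub, device, policy or key.
HUB_HOST = "example-hub.azure-devices.net"
DEVICE_ID = "device-001"
POLICY_NAME = "device-token-policy"  # hypothetical policy holding DeviceConnect
SAMPLE_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def generate_sas_token(resource_uri, key_b64, expiry, policy_name=None):
    """Build 'SharedAccessSignature sr=...&sig=...&se=...[&skn=...]'.

    sig = base64(HMAC-SHA256(base64decode(key), "<URL-encoded sr>" + newline + "<se>")),
    then URL-encoded. skn appears only when a shared access policy key signs the
    token; a token signed with a device's symmetric key omits it.
    """
    encoded_uri = quote(resource_uri, safe="")
    to_sign = f"{encoded_uri}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    sig = quote(base64.b64encode(digest).decode(), safe="")
    token = f"SharedAccessSignature sr={encoded_uri}&sig={sig}&se={expiry}"
    return token + (f"&skn={policy_name}" if policy_name else "")


def parse_sas_token(token):
    """Split the token into its sr/sig/se/skn fields (values left URL-encoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    return dict(part.split("=", 1) for part in token[len(prefix):].split("&"))


def verify_sas_token(token, key_b64, now):
    """Receiving-side check: expiry first, then recompute the signature with the key."""
    fields = parse_sas_token(token)
    expiry = int(fields["se"])
    if now >= expiry:
        return False, "expired"  # the hub drops the connection at this point
    expected = generate_sas_token(unquote(fields["sr"]), key_b64, expiry, fields.get("skn"))
    if not hmac.compare_digest(parse_sas_token(expected)["sig"], fields["sig"]):
        return False, "bad signature"
    return True, "ok"


def issue_device_token(device_id, policy_key_b64, now, ttl_seconds=3600):
    """Token-service role: sign a token scoped to /devices/{deviceId} with a
    shared access policy key that carries DeviceConnect permission."""
    resource = f"{HUB_HOST}/devices/{device_id}"
    return generate_sas_token(resource, policy_key_b64, int(now) + ttl_seconds, POLICY_NAME)
```

Because the expiry is part of the signed string, a device cannot extend its own token by editing se; it has to request a fresh one from the token service.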


Frequently Asked Questions

How does Azure IoT Hub device provisioning service provide security credentials?

The app or device requesting access must include a token containing its security credentials along with the message it sends to the service. Azure IoT Hub Device Provisioning Service permits access to its endpoints by verifying the token against the shared access policies. The security credentials themselves are never sent over the wire.

What is an IoT Identity Registry?

Every IoT hub has an identity registry to create per-device resources in the service. It enables users to control access to the device-facing endpoints. For a device or module to connect to an IoT hub, there must be an entry in the IoT hub's identity registry.

What are Per-device security credentials?

Users can configure the security credentials that grant DeviceConnect permissions to the device endpoints for every device in an IoT Hub's identity registry.

Conclusion

This article has extensively discussed the different ways to control access to Azure IoT Hub. It explains the implementation of Azure AD Integration and Shared Access Signatures for controlling access to IoT Hubs in Azure.
