The Azure IoT Handbook

You're reading from The Azure IoT Handbook

Product type: Book
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781837633616
Pages: 248 pages
Edition: 1st Edition
Author: Dan Clark
Table of Contents (18 Chapters)

  • Preface
  1. Part 1: Capturing Data from Remote Devices
  2. Chapter 1: An Introduction to the IoT
  3. Chapter 2: Exploring the IoT Hub Service
  4. Chapter 3: Provisioning Devices with the Device Provisioning Service
  5. Chapter 4: Exploring Device Management and Monitoring
  6. Chapter 5: Securing IoT Systems
  7. Part 2: Processing the Data
  8. Chapter 6: Creating Message Routing
  9. Chapter 7: Exploring Azure Stream Analytics
  10. Chapter 8: Investigating IoT Data with Azure Data Explorer
  11. Chapter 9: Exploring IoT Edge Computing
  12. Part 3: Processing the Data
  13. Chapter 10: Visualizing Streaming Data in Power BI
  14. Chapter 11: Integrating Machine Learning
  15. Chapter 12: Responding to Device Events
  16. Index
  17. Other Books You May Enjoy

Provisioning Devices with the Device Provisioning Service

Azure Device Provisioning Service (DPS) is a cloud-based service provided by Microsoft Azure that enables the automatic registration and provisioning of devices to an IoT solution. Azure DPS simplifies the task of configuring and deploying IoT devices at scale. With Azure DPS, developers can easily manage the entire life cycle of their IoT devices, from initial provisioning to updates and maintenance.

The service works by providing a secure and scalable way to authenticate and authorize devices before they can connect to an IoT hub. Azure DPS uses industry-standard security protocols such as X.509 certificates and symmetric keys to provide secure communication between devices and the cloud.

In this chapter, you will discover the features of DPS and how to use it to automate your device provisioning. We will be covering the following key topics:

  • Device provisioning at scale
  • Managing device provisioning security...

Device provisioning at scale

As you saw in Chapter 2, device provisioning is fairly easy when you are provisioning a few devices through IoT Hub. You just need to provide a unique ID and some kind of attestation. Attestation is proof that you are who you say you are and can be implemented using a key or certificate. Once a connection has been established, it is configured to its initial state. If this process is manually repeated for many devices, it becomes error-prone and inefficient.

Fortunately, Microsoft has provided DPS to make this process more efficient and reliable. It includes features such as secure attestation, enrollment lists, allocation policies, monitoring, logging, encryption, multi-hub support, and cross-regional support. It also supports open source SDKs in various languages to program against its APIs.

To get started with DPS, you can provision one through the Azure portal or use the CLI. The following figure shows how to provision DPS in the Azure portal...

Managing device provisioning security concerns

There are many IoT device provisioning security concerns that must be managed. However, DPS offers a comprehensive solution to manage and secure device provisioning in IoT scenarios:

  • Secure boot:
    • Concern: Ensuring that only authenticated and authorized firmware can be run on the device during bootup
    • Solution: DPS supports secure boot using X.509 certificates, which ensures that only authenticated and authorized firmware can be run on the device during bootup
  • Strong device authentication:
    • Concern: Using secure methods such as certificates or secure key pairs to authenticate devices before allowing them to connect to a network or system
    • Solution: Azure DPS uses X.509 certificates for device authentication and can also integrate with Azure Active Directory (AD) for authentication and authorization
  • Device management:
    • Concern: Implementing a system for remotely managing and updating devices, including the ability to revoke access...

Allocation policies in DPS

Allocation policies in DPS determine how devices are assigned to IoT Hub. There are four policies you can choose from:

  • Evenly weighted distribution: The policy uses a weighted hash in which every linked IoT hub starts with the same weight. You can adjust a hub's weight so that it receives more or fewer devices.
  • Lowest latency: Devices are assigned to the IoT hub with the shortest communication time to the device.
  • Static configuration: Devices are provisioned to the hub specified in the enrollment.
  • Custom, using an Azure function: This option lets you implement any policy you like in an Azure function, which DPS calls through a custom webhook when a device is provisioned.

The default policy is Evenly weighted distribution. The following figure shows how to set the allocation policy in the portal:

Figure 3.4 – Setting the allocation policy

A common practice when working with IoT devices is the need...

Deprovisioning and disenrolling devices

When a device has reached the end of its lifetime, we need to deprovision it. Deprovisioning is a two-step process:

  1. First, it needs to be disenrolled from DPS; then, you need to deregister the device in IoT Hub.
  2. Next, the device needs to be deleted or disabled:
    • For individual enrollments, delete or disable the device on the device provisioning service. If the device uses an X.509 certificate and an enrollment group exists for a signing certificate in that device’s certificate chain, the device can be re-enrolled. Next, delete or disable the device identity in IoT Hub.
    • If the device was provisioned through an enrollment group, disable the device in DPS. Disabling the device revokes access but allows other devices in the group access. Do not delete the device. Deleting the device from a group will allow the device to re-enroll with the group. Once the device has been disabled, you can use the list of provisioned devices...

Using the device provisioning SDK

Although working in the Azure portal is a good way to learn how to set up a DPS service and register devices, when working with a large number of devices and performing automation, it is more convenient to use code and the various SDKs that are available. There is an SDK for each supported programming language (C, C#, Python, and Java). To provision a device using the SDK, first create your IoT Hub and your DPS and link your IoT Hub to your DPS. You can do this using the Azure portal, the CLI, or any of the supported language SDKs. The following code snippet uses the Microsoft.Azure.Devices SDK to provision a device using symmetric key attestation:

var security = new SecurityProviderSymmetricKey(registrationId,
                                   individualEnrollmentPrimaryKey...
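The SDK hides what symmetric key attestation actually exchanges. The following added example (not from the book or the Azure SDK) shows the two pieces underneath: deriving a per-device key from a group enrollment's master key, and building the registration SAS token the device presents to DPS, plus an illustrative service-side check that rejects expired or tampered tokens. The ID scope and group key are constructed placeholders; the HMAC-SHA256 derivation and the `sr`/`sig`/`se`/`skn=registration` token layout follow the documented DPS scheme.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed placeholders: a real ID scope comes from the DPS overview page
# and a real group master key is 32 random bytes, never all zeros.
ID_SCOPE = "0ne00000000"
GROUP_MASTER_KEY = base64.b64encode(bytes(32)).decode()


def derive_device_key(group_master_key_b64: str, registration_id: str) -> str:
    """Per-device key for a group enrollment: HMAC-SHA256 of the registration
    ID keyed with the decoded group key. Only this derived key is placed on
    the device; the group master key stays off the device."""
    key = base64.b64decode(group_master_key_b64)
    mac = hmac.new(key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_registration_sas(id_scope: str, registration_id: str,
                          device_key_b64: str, expiry: int) -> str:
    """SAS token a device sends to DPS. The resource URI is
    '<idScope>/registrations/<registrationId>' and the policy name is fixed
    to 'registration'; the signed string is the URL-encoded URI, newline, expiry."""
    sr = quote(f"{id_scope}/registrations/{registration_id}", safe="")
    to_sign = f"{sr}\n{expiry}".encode("utf-8")
    sig = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    sig_b64 = quote(base64.b64encode(sig).decode(), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig_b64}&se={expiry}&skn=registration"


def verify_registration_sas(token: str, group_master_key_b64: str, now: int) -> bool:
    """Illustrative service-side check (hypothetical, not DPS's own code):
    re-derive the device key from the registration ID in the token, rebuild
    the expected token and compare in constant time; reject expired tokens."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = dict(p.split("=", 1) for p in token[len(prefix):].split("&") if "=" in p)
    if fields.get("skn") != "registration" or not fields.get("se", "").isdigit():
        return False
    expiry = int(fields["se"])
    if expiry <= now:
        return False
    id_scope, _, registration_id = unquote(fields.get("sr", "")).partition("/registrations/")
    if not registration_id:
        return False
    device_key = derive_device_key(group_master_key_b64, registration_id)
    expected = make_registration_sas(id_scope, registration_id, device_key, expiry)
    return hmac.compare_digest(expected, token)
```

A rotated group master key changes every derived key, so a device holding an old derived key fails this check, which is the mechanism behind revoking a group enrollment's keys.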

Lab – provisioning devices using DPS

Let’s say you have a fleet of refrigerated trucks you need to track. For example, you need to know the location, temperature, and humidity of the trucks. In the context of this use case, you will learn how to do the following:

  • Create a new individual enrollment in DPS
  • Create a group enrollment

Let’s get started.

Adding an individual enrollment

The following steps describe how we can create an individual enrollment in DPS:

  1. In Azure, create a resource group. In the resource group, create an IoT Hub and a DPS service.
  2. In the DPS service, link to IoT Hub.
  3. Open your DPS service in the Azure portal. In the left-hand side menu, locate Manage enrollments under the Settings header.
  4. On the Manage enrollments page, select Add individual enrollments. Use Symmetric Key under Mechanism. Select Auto-generate keys and specify device01 for Registration ID and IoT Hub Device ID:
...

Summary

In this chapter, you explored the features of DPS. Although we only used a few devices in the examples provided, DPS allows you to provision millions of devices in a secure and scalable manner.

You learned some important concepts alongside device provisioning and saw how security is an integral part of the process. You have the option to use keys, certificates, or TPM. You also saw how allocation policies work and how to create custom allocation policies through functions. Last but not least, you learned how to implement group enrollments.

Now that you can effectively deploy thousands of devices, you need to learn how to monitor and manage them. In Chapter 4, Device Management and Monitoring, you will learn about what tools and processes you can use to monitor and manage your devices at scale.
