| title | description | author | ms.author | ms.date | ms.topic | ms.service |
|---|---|---|---|---|---|---|
Configure Access Control in Device Update for IoT Hub |
Configure Access Control in Device Update for IoT Hub. |
eshashah-msft |
eshashah |
10/31/2022 |
how-to |
iot-hub-device-update |
In order for users to have access to Device Update, they must be granted access to the Device Update account, Instance and set the required access to the linked IoT hub.
-
In your Device Update account, select Access control (IAM) from the navigation menu.
:::image type="content" source="media/create-device-update-account/account-access-control.png" alt-text="Screenshot of access Control within Device Update account." lightbox="media/create-device-update-account/account-access-control.png":::
-
Select Add role assignments.
-
On the Role tab, select a Device Update role from the available options:
- Device Update Administrator
- Device Update Reader
- Device Update Content Administrator
- Device Update Content Reader
- Device Update Deployments Administrator
- Device Update Deployments Reader
For more information, Learn about Role-based access control in Device Update for IoT Hub.
:::image type="content" source="media/create-device-update-account/role-assignment.png" alt-text="Screenshot of access Control role assignments within Device Update account." lightbox="media/create-device-update-account/role-assignment.png":::
-
Select Next
-
On the Members tab, select the users or groups that you want to assign the role to.
:::image type="content" source="media/create-device-update-account/role-assignment-2.png" alt-text="Screenshot of access Control member selection within Device Update account." lightbox="media/create-device-update-account/role-assignment-2.png":::
-
Select Review + assign
-
Review the new role assignments and select Review + assign again
-
You're now ready to use Device Update from within your IoT Hub
The following roles are available for assigning access to Device Update:
- Device Update Administrator
- Device Update Reader
- Device Update Content Administrator
- Device Update Content Reader
- Device Update Deployments Administrator
- Device Update Deployments Reader
For more information, Learn about Role-based access control in Device Update for IoT Hub.
Use the az role assignment create command to configure access control for your Device Update account.
Replace the following placeholders with your own information:
- <role>: The Device Update role that you're assigning.
- <user_group>: The user or group that you want to assign the role to.
- <account_id>: The resource ID for the Device Update account that the user or group will get access to. You can retrieve the resource ID by using the az iot du account show command and querying for the ID value:
az iot du account show -n <account_name> --query id.
az role assignment create --role '<role>' --assignee <user_group> --scope <account_id>
Device Update for IoT Hub communicates with IoT Hub to manage deployments and updates and to get information about devices. To enable the access, you need to give the Azure Device Update service principal access with the IoT Hub Data Contributor role.
-
In the Azure portal, navigate to the IoT hub connected to your Device Update instance.
:::image type="content" source="media/create-device-update-account/navigate-to-iot-hub.png" alt-text="Screenshot of instance and linked IoT hub." lightbox="media/create-device-update-account/navigate-to-iot-hub.png":::
-
Select Access Control(IAM) from the navigation menu. Select Add > Add role assignment.
:::image type="content" source="media/create-device-update-account/iot-hub-access-control.png" alt-text="Screenshot of access Control within IoT Hub." lightbox="media/create-device-update-account/iot-hub-access-control.png":::
-
In the Role tab, select IoT Hub Data Contributor. Select Next.
:::image type="content" source="media/create-device-update-account/role-assignment-iot-hub.png" alt-text="Screenshot of access Control role assignment within IoT Hub." lightbox="media/create-device-update-account/role-assignment-iot-hub.png":::**
-
For Assign access to, select User, group, or service principal. Select Select Members and search for 'Azure Device Update'
:::image type="content" source="media/create-device-update-account/assign-role-to-du-service-principal.png" alt-text="Screenshot of access Control member selection for IoT Hub." lightbox="media/create-device-update-account/assign-role-to-du-service-principal.png":::
-
Select Next > Review + Assign
To validate that you've set permissions correctly:
- In the Azure portal, navigate to the IoT hub connected to your Device Update instance.
- Select Access Control(IAM) from the navigation menu.
- Select Check access.
- Select User, group, or service principal and search for 'Azure Device Update'
- After clicking on Azure Device Update, verify that the IoT Hub Data Contributor role is listed under Role assignments
Use the az role assignment create command to create a role assignment for the Azure Device Update service principal.
Replace <resource_id> with the resource ID of your IoT hub. You can retrieve the resource ID by using the az iot hub show command and querying for the ID value: az iot hub show -n <hub_name> --query id.
az role assignment create --role "IoT Hub Data Contributor" --assignee https://api.adu.microsoft.com/ --scope <resource_id>
Try updating a device using one of the following quick tutorials: