| title | description | author | ms.author | ms.date | ms.topic | ms.service |
|---|---|---|---|---|---|---|
Understand Device Update for IoT Hub authentication and authorization | Microsoft Docs |
Understand how Device Update for IoT Hub uses Azure RBAC to provide authentication and authorization for users and service APIs. |
vimeht |
vimeht |
2/11/2021 |
conceptual |
iot-hub-device-update |
Device Update uses Azure RBAC to provide authentication and authorization for users and service APIs.
In order for other users and applications to have access to Device Update, users or applications must be granted access to this resource. Here are the roles that are supported by Device Update:
| Role Name | Description |
|---|---|
| Device Update Administrator | Has access to all device update resources |
| Device Update Reader | Can view all updates and deployments |
| Device Update Content Administrator | Can view, import, and delete updates |
| Device Update Content Reader | Can view updates |
| Device Update Deployments Administrator | Can manage deployment of updates to devices |
| Device Update Deployments Reader | Can view deployments of updates to devices |
A combination of roles can be used to provide the right level of access. For example, a developer can import and manage updates using the Device Update Content Administrator role, but needs a Device Update Deployments Reader role to view the progress of an update. Conversely, a solution operator with the Device Update Reader role can view all updates, but needs to use the Device Update Deployments Administrator role to deploy a specific update to devices.
Device Update uses Azure Active Directory (AD) for authentication to its REST APIs. To get started, you need to create and configure a client application.
To integrate an application or service with Azure AD, first register a client application with Azure AD. Client application setup will vary depending on the authorization flow you'll need (users, applications or managed identities). For example, to call Device Update from:
- Mobile or desktop application, add
Mobile and desktop applicationsplatform with https://login.microsoftonline.com/common/oauth2/nativeclient for the Redirect URI. - Website with implicit sign-on, add
Webplatform and selectAccess tokens (used for implicit flows).
Next, add permissions for calling Device Update to your app:
- Go to
API permissionspage of your app and clickAdd a permission. - Go to
APIs my organization usesand search forAzure Device Update. - Select
user_impersonationpermission and clickAdd permissions.
Device Update REST API requires OAuth 2.0 authorization token in the request header. Following are some examples of various ways to request an authorization token.
az login
az account get-access-token --resource 'https://api.adu.microsoft.com/'
MSAL.PS PowerShell module is a wrapper over Microsoft Authentication Library for .NET (MSAL .NET). It supports various authentication methods.
Using user credentials:
$clientId = '<app_id>'
$tenantId = '<tenant_id>'
$authority = "https://login.microsoftonline.com/$tenantId/v2.0"
$Scope = 'https://api.adu.microsoft.com/user_impersonation'
Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $ScopeUsing user credentials with device code:
$clientId = '<app_id>’
$tenantId = '<tenant_id>’
$authority = "https://login.microsoftonline.com/$tenantId/v2.0"
$Scope = 'https://api.adu.microsoft.com/user_impersonation'
Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -Interactive -DeviceCodeUsing app credentials:
$clientId = '<app_id>’
$tenantId = '<tenant_id>’
$cert = '<client_certificate>'
$authority = "https://login.microsoftonline.com/$tenantId/v2.0"
$Scope = 'https://api.adu.microsoft.com/.default'
Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -ClientCertificate $cert- Create device update resources and configure access control roles](./create-device-update-account.md)