A comparison of the ability to script the setup of an Azure Sphere for direct IoT Hub-DPS interaction versus the IoT Central path. Can you get away with not using the IoT Central portal?

Of late I’ve had a sojourn into Blazor, including a Blazor service to which devices HTTP POST telemetry and which then forwards it to an IoT Hub. I have implemented it for RPis running a .NET Core app and for Arduino devices. It somewhat simplifies things as only the service needs to have IoT Hub credentials. It can act as an Edge device, sort of.

I’ve now refocused on IoT. I have been updating the content in my djaus2/az-iothub-ps GitHub repository for ‘recent’ Azure CLI API changes and to extend its functionality. az-iothub-ps is a menu-driven set of PowerShell scripts with the aim of automating as much of the Azure Portal IoT functionality as possible. It can create, list, select, show and delete entities such as the IoT Hub, Device and DPS for a given Azure Subscription and a selected Resource Group within that subscription. The suite of scripts uses Azure CLI IoT APIs coupled with PowerShell functionality. It can generate connectivity metadata for the entities that can then be used with the Azure IoT SDK for .NET Core apps to send telemetry to an IoT Hub and to receive commands from the hub. That SDK’s sample apps have been incorporated into the suite, and extended, so the suite can pass the connectivity information to them directly via environment variables or an appsettings.json file.

The primary script is get-iothub.ps1. If launched without parameters, it opens a menu to select an entity type to work with, generate environment variables, launch SDK samples, and do app housekeeping. There are also Azure Sphere and IoT Central submenus. You can also launch the primary script with the names of entities to use or to generate automatically. You can automatically create a new Group, Hub, Device and DPS… as a single action.

The suite has been extended to encompass the Azure Sphere SDK command line azsphere commands for setting up and running an Azure Sphere, again in a menu-driven manner. The IoT Hub-DPS connectivity for an Azure Sphere can now be completely orchestrated from within the suite without needing to go to the Azure Portal. Azure IoT Central functionality has been added as an alternative for the Azure Sphere, but orchestration for this cannot at this stage be completely scripted. The stumbling block in the past has been the Tenant verification certificate exchanges. With API updates I can now fully script the required certification for an Azure Sphere when using DPS connectivity to an IoT Hub. I cannot at this stage do that in Az Cli - PowerShell for an Azure Sphere to IoT Central. The certification for Azure Sphere-IoT Hub-DPS using Az Cli in PowerShell is outlined as follows:

# Download CACertificate from azsphere
azsphere ca-certificate download

# Create new DPS certificate locally
az iot dps certificate create

# Generate verification code from DPS certificate, using certificate name and etag
az iot dps certificate generate-verification-code

# Download proof using verification code
azsphere ca-certificate download-proof

# Verify using etag
az iot dps certificate verify  # using DPS certificate name, validation certificate contents, and etag
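
The five steps above with their parameters filled in, as an added PowerShell example (not code from az-iothub-ps). The resource names and file paths are placeholders; it assumes az login and azsphere login have already been run with the Azure Sphere tenant selected, and CLI versions that accept the parameter names shown.

```powershell
# Added example: all parameter defaults are placeholders, not values from az-iothub-ps.
param(
    [string]$ResourceGroup = '<resource-group>',
    [string]$DpsName       = '<dps-name>',
    [string]$CertName      = '<dps-certificate-name>',
    [string]$WorkDir       = (Join-Path $PWD 'sphere-certs')
)
$ErrorActionPreference = 'Stop'

function Assert-CliOk([string]$Step) {
    # Native CLIs do not throw in PowerShell, so check the exit code after every call.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$caCert    = Join-Path $WorkDir 'CAcertificate.cer'
$proofCert = Join-Path $WorkDir 'ValidationCertification.cer'
# Arguments shared by the three az calls, splatted with @dps.
$dps = @('--dps-name', $DpsName, '--resource-group', $ResourceGroup,
         '--certificate-name', $CertName, '-o', 'json')

# 1. Download the tenant CA certificate from Azure Sphere.
azsphere ca-certificate download --destination $caCert
Assert-CliOk 'azsphere ca-certificate download'

# 2. Register it with the DPS; it is stored unverified and the response carries an etag.
$created = az iot dps certificate create @dps --path $caCert | ConvertFrom-Json
Assert-CliOk 'az iot dps certificate create'

# 3. Request a verification code; this changes the etag, so keep the new one.
$pending = az iot dps certificate generate-verification-code @dps --etag $created.etag |
    ConvertFrom-Json
Assert-CliOk 'az iot dps certificate generate-verification-code'
$code = $pending.properties.verificationCode
$etag = $pending.etag

# 4. Have the tenant CA sign a proof-of-possession certificate for that code.
azsphere ca-certificate download-proof --destination $proofCert --verification-code $code
Assert-CliOk 'azsphere ca-certificate download-proof'

# 5. Upload the proof and fail unless the DPS reports the certificate as verified.
$verified = az iot dps certificate verify @dps --path $proofCert --etag $etag | ConvertFrom-Json
Assert-CliOk 'az iot dps certificate verify'
if (-not $verified.properties.isVerified) { throw "DPS did not mark '$CertName' as verified" }
Write-Output "Certificate '$CertName' is verified on DPS '$DpsName'."
```

Each az call that changes the certificate returns a fresh etag, so the script always passes the etag from the most recent response and stops on the first failed step instead of continuing with an unverified certificate.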

So with Az Cli in PowerShell I can now completely script the certification, which originally had some stumbling blocks. It would be nice to be able to do the same with IoT Central. Whilst the azsphere commands are identical for Azure Sphere - IoT Central, there are no Az Cli certificate commands for IoT Central matching those above; for example, there is no az iot central certificate create.

Azure IoT Central does use IoT Hub and DPS under the hood, but these are not exposed via APIs. Whilst the direct approach to Azure Sphere requires the creation of an IoT Hub and linked DPS, the IoT Central approach does this without exposing them, although the ID Scope of the DPS used for device connectivity is available in the portal. But there are no APIs to get it programmatically and none that can use it once known.

Azure CLI IoT References

I queried Olivier Bloch about this. His response is:

The IoT Central APIs are still limited for now (you can see the list here: Azure IoT Central REST API - Microsoft Docs). The CLI is using the REST APIs, so you won’t have the group attestations available in the CLI until IoT Central exposes them in its REST APIs. As of now you can work with individual device attestation, but AFAIK you can’t create group enrollments using the APIs.

Compare the API functionality in Microsoft Docs under IoT Hub REST API to IoT Central REST API. The IoT Hub API has Certificate functionality which IoT Central does not.

In az-iothub-ps I have scripted the azsphere calls as part of the IoT Central verification process but have to direct users to the Portal for the steps that are Az Cli calls in the DPS verification process.

My hope is that the scripting APIs will be extended as outlined above. Better still, it would be nice if the Tenant verification and overall setup for an Azure Sphere with IoT Central could be substantially simplified.


An aside: English spelling for Enrolment – US version enrollment, like colour and color etc.


Further: A comparison of Az Cli commands for DPS v IoT Central (Excel Spreadsheet)

