Share via


Microsoft.Devices IotHubs 2023-06-30

Choose a deployment language

Bicep resource definition

The IotHubs resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Devices/IotHubs resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Devices/IotHubs@2023-06-30' = {
  etag: 'string'
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    allowedFqdnList: [
      'string'
    ]
    authorizationPolicies: [
      {
        keyName: 'string'
        primaryKey: 'string'
        rights: 'string'
        secondaryKey: 'string'
      }
    ]
    cloudToDevice: {
      defaultTtlAsIso8601: 'string'
      feedback: {
        lockDurationAsIso8601: 'string'
        maxDeliveryCount: int
        ttlAsIso8601: 'string'
      }
      maxDeliveryCount: int
    }
    comments: 'string'
    disableDeviceSAS: bool
    disableLocalAuth: bool
    disableModuleSAS: bool
    enableDataResidency: bool
    enableFileUploadNotifications: bool
    eventHubEndpoints: {
      {customized property}: {
        partitionCount: int
        retentionTimeInDays: int
      }
    }
    features: 'string'
    ipFilterRules: [
      {
        action: 'string'
        filterName: 'string'
        ipMask: 'string'
      }
    ]
    messagingEndpoints: {
      {customized property}: {
        lockDurationAsIso8601: 'string'
        maxDeliveryCount: int
        ttlAsIso8601: 'string'
      }
    }
    minTlsVersion: 'string'
    networkRuleSets: {
      applyToBuiltInEventHubEndpoint: bool
      defaultAction: 'string'
      ipRules: [
        {
          action: 'string'
          filterName: 'string'
          ipMask: 'string'
        }
      ]
    }
    privateEndpointConnections: [
      {
        properties: {
          privateEndpoint: {}
          privateLinkServiceConnectionState: {
            actionsRequired: 'string'
            description: 'string'
            status: 'string'
          }
        }
      }
    ]
    publicNetworkAccess: 'string'
    restrictOutboundNetworkAccess: bool
    routing: {
      endpoints: {
        cosmosDBSqlContainers: [
          {
            authenticationType: 'string'
            containerName: 'string'
            databaseName: 'string'
            endpointUri: 'string'
            identity: {
              userAssignedIdentity: 'string'
            }
            name: 'string'
            partitionKeyName: 'string'
            partitionKeyTemplate: 'string'
            primaryKey: 'string'
            resourceGroup: 'string'
            secondaryKey: 'string'
            subscriptionId: 'string'
          }
        ]
        eventHubs: [
          {
            authenticationType: 'string'
            connectionString: 'string'
            endpointUri: 'string'
            entityPath: 'string'
            id: 'string'
            identity: {
              userAssignedIdentity: 'string'
            }
            name: 'string'
            resourceGroup: 'string'
            subscriptionId: 'string'
          }
        ]
        serviceBusQueues: [
          {
            authenticationType: 'string'
            connectionString: 'string'
            endpointUri: 'string'
            entityPath: 'string'
            id: 'string'
            identity: {
              userAssignedIdentity: 'string'
            }
            name: 'string'
            resourceGroup: 'string'
            subscriptionId: 'string'
          }
        ]
        serviceBusTopics: [
          {
            authenticationType: 'string'
            connectionString: 'string'
            endpointUri: 'string'
            entityPath: 'string'
            id: 'string'
            identity: {
              userAssignedIdentity: 'string'
            }
            name: 'string'
            resourceGroup: 'string'
            subscriptionId: 'string'
          }
        ]
        storageContainers: [
          {
            authenticationType: 'string'
            batchFrequencyInSeconds: int
            connectionString: 'string'
            containerName: 'string'
            encoding: 'string'
            endpointUri: 'string'
            fileNameFormat: 'string'
            id: 'string'
            identity: {
              userAssignedIdentity: 'string'
            }
            maxChunkSizeInBytes: int
            name: 'string'
            resourceGroup: 'string'
            subscriptionId: 'string'
          }
        ]
      }
      enrichments: [
        {
          endpointNames: [
            'string'
          ]
          key: 'string'
          value: 'string'
        }
      ]
      fallbackRoute: {
        condition: 'string'
        endpointNames: [
          'string'
        ]
        isEnabled: bool
        name: 'string'
        source: 'string'
      }
      routes: [
        {
          condition: 'string'
          endpointNames: [
            'string'
          ]
          isEnabled: bool
          name: 'string'
          source: 'string'
        }
      ]
    }
    storageEndpoints: {
      {customized property}: {
        authenticationType: 'string'
        connectionString: 'string'
        containerName: 'string'
        identity: {
          userAssignedIdentity: 'string'
        }
        sasTtlAsIso8601: 'string'
      }
    }
  }
  sku: {
    capacity: int
    name: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

ArmIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities Dictionary of <ArmUserIdentity> ArmIdentityUserAssignedIdentities

ArmIdentityUserAssignedIdentities

Name Description Value

ArmUserIdentity

Name Description Value

CloudToDeviceProperties

Name Description Value
defaultTtlAsIso8601 The default time to live for cloud-to-device messages in the device queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string
feedback The properties of the feedback queue for cloud-to-device messages. FeedbackProperties
maxDeliveryCount The max delivery count for cloud-to-device messages in the device queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. int

Constraints:
Min value = 1
Max value = 100

EnrichmentProperties

Name Description Value
endpointNames The list of endpoints for which the enrichment is applied to the message. string[] (required)
key The key or name for the enrichment property. string (required)
value The value for the enrichment property. string (required)

EventHubProperties

Name Description Value
partitionCount The number of partitions for receiving device-to-cloud messages in the Event Hub-compatible endpoint. See: /azure/iot-hub/iot-hub-devguide-messaging#device-to-cloud-messages. int
retentionTimeInDays The retention time for device-to-cloud messages in days. See: /azure/iot-hub/iot-hub-devguide-messaging#device-to-cloud-messages int

FallbackRouteProperties

Name Description Value
condition The condition which is evaluated in order to apply the fallback route. If the condition is not provided it will evaluate to true by default. For grammar, See: /azure/iot-hub/iot-hub-devguide-query-language string
endpointNames The list of endpoints to which the messages that satisfy the condition are routed to. Currently only 1 endpoint is allowed. string[] (required)
isEnabled Used to specify whether the fallback route is enabled. bool (required)
name The name of the route. The name can only include alphanumeric characters, periods, underscores, hyphens, has a maximum length of 64 characters, and must be unique. string
source The source to which the routing rule is to be applied to. For example, DeviceMessages 'DeviceConnectionStateEvents'
'DeviceJobLifecycleEvents'
'DeviceLifecycleEvents'
'DeviceMessages'
'Invalid'
'TwinChangeEvents' (required)

FeedbackProperties

Name Description Value
lockDurationAsIso8601 The lock duration for the feedback queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string
maxDeliveryCount The number of times the IoT hub attempts to deliver a message on the feedback queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. int

Constraints:
Min value = 1
Max value = 100
ttlAsIso8601 The period of time for which a message is available to consume before it is expired by the IoT hub. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string

IotHubProperties

Name Description Value
allowedFqdnList List of allowed FQDNs(Fully Qualified Domain Name) for egress from Iot Hub. string[]
authorizationPolicies The shared access policies you can use to secure a connection to the IoT hub. SharedAccessSignatureAuthorizationRule[]
cloudToDevice The IoT hub cloud-to-device messaging properties. CloudToDeviceProperties
comments IoT hub comments. string
disableDeviceSAS If true, all device(including Edge devices but excluding modules) scoped SAS keys cannot be used for authentication. bool
disableLocalAuth If true, SAS tokens with Iot hub scoped SAS keys cannot be used for authentication. bool
disableModuleSAS If true, all module scoped SAS keys cannot be used for authentication. bool
enableDataResidency This property when set to true, will enable data residency, thus, disabling disaster recovery. bool
enableFileUploadNotifications If True, file upload notifications are enabled. bool
eventHubEndpoints The Event Hub-compatible endpoint properties. The only possible keys to this dictionary is events. This key has to be present in the dictionary while making create or update calls for the IoT hub. IotHubPropertiesEventHubEndpoints
features The capabilities and features enabled for the IoT hub. 'DeviceManagement'
'None'
ipFilterRules The IP filter rules. IpFilterRule[]
messagingEndpoints The messaging endpoint properties for the file upload notification queue. IotHubPropertiesMessagingEndpoints
minTlsVersion Specifies the minimum TLS version to support for this hub. Can be set to "1.2" to have clients that use a TLS version below 1.2 to be rejected. string
networkRuleSets Network Rule Set Properties of IotHub NetworkRuleSetProperties
privateEndpointConnections Private endpoint connections created on this IotHub PrivateEndpointConnection[]
publicNetworkAccess Whether requests from Public Network are allowed 'Disabled'
'Enabled'
restrictOutboundNetworkAccess If true, egress from IotHub will be restricted to only the allowed FQDNs that are configured via allowedFqdnList. bool
routing The routing related properties of the IoT hub. See: /azure/iot-hub/iot-hub-devguide-messaging RoutingProperties
storageEndpoints The list of Azure Storage endpoints where you can upload files. Currently you can configure only one Azure Storage account and that MUST have its key as $default. Specifying more than one storage account causes an error to be thrown. Not specifying a value for this property when the enableFileUploadNotifications property is set to True, causes an error to be thrown. IotHubPropertiesStorageEndpoints

IotHubPropertiesEventHubEndpoints

Name Description Value

IotHubPropertiesMessagingEndpoints

Name Description Value

IotHubPropertiesStorageEndpoints

Name Description Value

IotHubSkuInfo

Name Description Value
capacity The number of provisioned IoT Hub units. See: /azure/azure-subscription-service-limits#iot-hub-limits. int
name The name of the SKU. 'B1'
'B2'
'B3'
'F1'
'S1'
'S2'
'S3' (required)

IpFilterRule

Name Description Value
action The desired action for requests captured by this rule. 'Accept'
'Reject' (required)
filterName The name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)

ManagedIdentity

Name Description Value
userAssignedIdentity The user assigned identity. string

MessagingEndpointProperties

Name Description Value
lockDurationAsIso8601 The lock duration. See: /azure/iot-hub/iot-hub-devguide-file-upload. string
maxDeliveryCount The number of times the IoT hub attempts to deliver a message. See: /azure/iot-hub/iot-hub-devguide-file-upload. int

Constraints:
Min value = 1
Max value = 100
ttlAsIso8601 The period of time for which a message is available to consume before it is expired by the IoT hub. See: /azure/iot-hub/iot-hub-devguide-file-upload. string

Microsoft.Devices/IotHubs

Name Description Value
etag The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. string
identity The managed identities for the IotHub. ArmIdentity
location The resource location. string (required)
name The resource name string (required)
properties IotHub properties IotHubProperties
sku IotHub SKU info IotHubSkuInfo (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates

NetworkRuleSetIpRule

Name Description Value
action IP Filter Action 'Allow'
filterName Name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)

NetworkRuleSetProperties

Name Description Value
applyToBuiltInEventHubEndpoint If True, then Network Rule Set is also applied to BuiltIn EventHub EndPoint of IotHub bool (required)
defaultAction Default Action for Network Rule Set 'Allow'
'Deny'
ipRules List of IP Rules NetworkRuleSetIpRule[] (required)

PrivateEndpoint

Name Description Value

PrivateEndpointConnection

Name Description Value
properties The properties of a private endpoint connection PrivateEndpointConnectionProperties (required)

PrivateEndpointConnectionProperties

Name Description Value
privateEndpoint The private endpoint property of a private endpoint connection PrivateEndpoint
privateLinkServiceConnectionState The current state of a private endpoint connection PrivateLinkServiceConnectionState (required)

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired Actions required for a private endpoint connection string
description The description for the current state of a private endpoint connection string (required)
status The status of a private endpoint connection 'Approved'
'Disconnected'
'Pending'
'Rejected' (required)

ResourceTags

Name Description Value

RouteProperties

Name Description Value
condition The condition that is evaluated to apply the routing rule. If no condition is provided, it evaluates to true by default. For grammar, see: /azure/iot-hub/iot-hub-devguide-query-language string
endpointNames The list of endpoints to which messages that satisfy the condition are routed. Currently only one endpoint is allowed. string[] (required)
isEnabled Used to specify whether a route is enabled. bool (required)
name The name of the route. The name can only include alphanumeric characters, periods, underscores, hyphens, has a maximum length of 64 characters, and must be unique. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
source The source that the routing rule is to be applied to, such as DeviceMessages. 'DeviceConnectionStateEvents'
'DeviceJobLifecycleEvents'
'DeviceLifecycleEvents'
'DeviceMessages'
'Invalid'
'TwinChangeEvents' (required)

RoutingCosmosDBSqlApiProperties

Name Description Value
authenticationType Method used to authenticate against the cosmos DB sql container endpoint 'identityBased'
'keyBased'
containerName The name of the cosmos DB sql container in the cosmos DB database. string (required)
databaseName The name of the cosmos DB database in the cosmos DB account. string (required)
endpointUri The url of the cosmos DB account. It must include the protocol https:// string (required)
identity Managed identity properties of routing cosmos DB container endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
partitionKeyName The name of the partition key associated with this cosmos DB sql container if one exists. This is an optional parameter. string
partitionKeyTemplate The template for generating a synthetic partition key value for use with this cosmos DB sql container. The template must include at least one of the following placeholders: {iothub}, {deviceid}, {DD}, {MM}, and {YYYY}. Any one placeholder may be specified at most once, but order and non-placeholder components are arbitrary. This parameter is only required if PartitionKeyName is specified. string
primaryKey The primary key of the cosmos DB account. string

Constraints:
Sensitive value. Pass in as a secure parameter.
resourceGroup The name of the resource group of the cosmos DB account. string
secondaryKey The secondary key of the cosmos DB account. string

Constraints:
Sensitive value. Pass in as a secure parameter.
subscriptionId The subscription identifier of the cosmos DB account. string

RoutingEndpoints

Name Description Value
cosmosDBSqlContainers The list of Cosmos DB container endpoints that IoT hub routes messages to, based on the routing rules. RoutingCosmosDBSqlApiProperties[]
eventHubs The list of Event Hubs endpoints that IoT hub routes messages to, based on the routing rules. This list does not include the built-in Event Hubs endpoint. RoutingEventHubProperties[]
serviceBusQueues The list of Service Bus queue endpoints that IoT hub routes the messages to, based on the routing rules. RoutingServiceBusQueueEndpointProperties[]
serviceBusTopics The list of Service Bus topic endpoints that the IoT hub routes the messages to, based on the routing rules. RoutingServiceBusTopicEndpointProperties[]
storageContainers The list of storage container endpoints that IoT hub routes messages to, based on the routing rules. RoutingStorageContainerProperties[]

RoutingEventHubProperties

Name Description Value
authenticationType Method used to authenticate against the event hub endpoint 'identityBased'
'keyBased'
connectionString The connection string of the event hub endpoint. string
endpointUri The url of the event hub endpoint. It must include the protocol sb:// string
entityPath Event hub name on the event hub namespace string
id Id of the event hub endpoint string
identity Managed identity properties of routing event hub endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the event hub endpoint. string
subscriptionId The subscription identifier of the event hub endpoint. string

RoutingProperties

Name Description Value
endpoints The properties related to the custom endpoints to which your IoT hub routes messages based on the routing rules. A maximum of 10 custom endpoints are allowed across all endpoint types for paid hubs and only 1 custom endpoint is allowed across all endpoint types for free hubs. RoutingEndpoints
enrichments The list of user-provided enrichments that the IoT hub applies to messages to be delivered to built-in and custom endpoints. See: https://aka.ms/telemetryoneventgrid EnrichmentProperties[]
fallbackRoute The properties of the route that is used as a fall-back route when none of the conditions specified in the 'routes' section are met. This is an optional parameter. When this property is not present in the template, the fallback route is disabled by default. FallbackRouteProperties
routes The list of user-provided routing rules that the IoT hub uses to route messages to built-in and custom endpoints. A maximum of 100 routing rules are allowed for paid hubs and a maximum of 5 routing rules are allowed for free hubs. RouteProperties[]

RoutingServiceBusQueueEndpointProperties

Name Description Value
authenticationType Method used to authenticate against the service bus queue endpoint 'identityBased'
'keyBased'
connectionString The connection string of the service bus queue endpoint. string
endpointUri The url of the service bus queue endpoint. It must include the protocol sb:// string
entityPath Queue name on the service bus namespace string
id Id of the service bus queue endpoint string
identity Managed identity properties of routing service bus queue endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. The name need not be the same as the actual queue name. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the service bus queue endpoint. string
subscriptionId The subscription identifier of the service bus queue endpoint. string

RoutingServiceBusTopicEndpointProperties

Name Description Value
authenticationType Method used to authenticate against the service bus topic endpoint 'identityBased'
'keyBased'
connectionString The connection string of the service bus topic endpoint. string
endpointUri The url of the service bus topic endpoint. It must include the protocol sb:// string
entityPath Queue name on the service bus topic string
id Id of the service bus topic endpoint string
identity Managed identity properties of routing service bus topic endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. The name need not be the same as the actual topic name. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the service bus topic endpoint. string
subscriptionId The subscription identifier of the service bus topic endpoint. string

RoutingStorageContainerProperties

Name Description Value
authenticationType Method used to authenticate against the storage endpoint 'identityBased'
'keyBased'
batchFrequencyInSeconds Time interval at which blobs are written to storage. Value should be between 60 and 720 seconds. Default value is 300 seconds. int

Constraints:
Min value = 60
Max value = 720
connectionString The connection string of the storage account. string
containerName The name of storage container in the storage account. string (required)
encoding Encoding that is used to serialize messages to blobs. Supported values are 'avro', 'avrodeflate', and 'JSON'. Default value is 'avro'. 'Avro'
'AvroDeflate'
'JSON'
endpointUri The url of the storage endpoint. It must include the protocol https:// string
fileNameFormat File name format for the blob. Default format is {iothub}/{partition}/{YYYY}/{MM}/{DD}/{HH}/{mm}. All parameters are mandatory but can be reordered. string
id Id of the storage container endpoint string
identity Managed identity properties of routing storage endpoint. ManagedIdentity
maxChunkSizeInBytes Maximum number of bytes for each blob written to storage. Value should be between 10485760(10MB) and 524288000(500MB). Default value is 314572800(300MB). int

Constraints:
Min value = 10485760
Max value = 524288000
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the storage account. string
subscriptionId The subscription identifier of the storage account. string

SharedAccessSignatureAuthorizationRule

Name Description Value
keyName The name of the shared access policy. string (required)
primaryKey The primary key. string
rights The permissions assigned to the shared access policy. 'DeviceConnect'
'RegistryRead'
'RegistryRead, DeviceConnect'
'RegistryRead, RegistryWrite'
'RegistryRead, RegistryWrite, DeviceConnect'
'RegistryRead, RegistryWrite, ServiceConnect'
'RegistryRead, RegistryWrite, ServiceConnect, DeviceConnect'
'RegistryRead, ServiceConnect'
'RegistryRead, ServiceConnect, DeviceConnect'
'RegistryWrite'
'RegistryWrite, DeviceConnect'
'RegistryWrite, ServiceConnect'
'RegistryWrite, ServiceConnect, DeviceConnect'
'ServiceConnect'
'ServiceConnect, DeviceConnect' (required)
secondaryKey The secondary key. string

StorageEndpointProperties

Name Description Value
authenticationType Specifies authentication type being used for connecting to the storage account. 'identityBased'
'keyBased'
connectionString The connection string for the Azure Storage account to which files are uploaded. string (required)
containerName The name of the root container where you upload files. The container need not exist but should be creatable using the connectionString specified. string (required)
identity Managed identity properties of storage endpoint for file upload. ManagedIdentity
sasTtlAsIso8601 The period of time for which the SAS URI generated by IoT Hub for file upload is valid. See: /azure/iot-hub/iot-hub-devguide-file-upload#file-upload-notification-configuration-options. string

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Create an IoT Hub and a Device to Cloud Consumer Group This template enables you to deploy an IoT Hub instance with device to cloud and cloud to device messaging configurations and a device to cloud consumer group.
Create an IoT Hub Device Provisioning Service This template enables you to create an IoT hub and an IoT Hub Device Provisioning Service, and link the two services together.
Create Device Update for IoT Hub account, instance, IoT Hub This template creates an account, and an instance and a hub to link the instance with. It configures the hub with the necessary access polices, routes, and consumer group.
Deploy the MedTech service including an Azure IoT Hub The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service.
Use ARM template to create IoT Hub, route and view messages Use this template to deploy an IoT Hub and a storage account. Run an app to send messages to the hub that are routed to storage, then view the results.

ARM template resource definition

The IotHubs resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Devices/IotHubs resource, add the following JSON to your template.

{
  "type": "Microsoft.Devices/IotHubs",
  "apiVersion": "2023-06-30",
  "name": "string",
  "etag": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "allowedFqdnList": [ "string" ],
    "authorizationPolicies": [
      {
        "keyName": "string",
        "primaryKey": "string",
        "rights": "string",
        "secondaryKey": "string"
      }
    ],
    "cloudToDevice": {
      "defaultTtlAsIso8601": "string",
      "feedback": {
        "lockDurationAsIso8601": "string",
        "maxDeliveryCount": "int",
        "ttlAsIso8601": "string"
      },
      "maxDeliveryCount": "int"
    },
    "comments": "string",
    "disableDeviceSAS": "bool",
    "disableLocalAuth": "bool",
    "disableModuleSAS": "bool",
    "enableDataResidency": "bool",
    "enableFileUploadNotifications": "bool",
    "eventHubEndpoints": {
      "{customized property}": {
        "partitionCount": "int",
        "retentionTimeInDays": "int"
      }
    },
    "features": "string",
    "ipFilterRules": [
      {
        "action": "string",
        "filterName": "string",
        "ipMask": "string"
      }
    ],
    "messagingEndpoints": {
      "{customized property}": {
        "lockDurationAsIso8601": "string",
        "maxDeliveryCount": "int",
        "ttlAsIso8601": "string"
      }
    },
    "minTlsVersion": "string",
    "networkRuleSets": {
      "applyToBuiltInEventHubEndpoint": "bool",
      "defaultAction": "string",
      "ipRules": [
        {
          "action": "string",
          "filterName": "string",
          "ipMask": "string"
        }
      ]
    },
    "privateEndpointConnections": [
      {
        "properties": {
          "privateEndpoint": {
          },
          "privateLinkServiceConnectionState": {
            "actionsRequired": "string",
            "description": "string",
            "status": "string"
          }
        }
      }
    ],
    "publicNetworkAccess": "string",
    "restrictOutboundNetworkAccess": "bool",
    "routing": {
      "endpoints": {
        "cosmosDBSqlContainers": [
          {
            "authenticationType": "string",
            "containerName": "string",
            "databaseName": "string",
            "endpointUri": "string",
            "identity": {
              "userAssignedIdentity": "string"
            },
            "name": "string",
            "partitionKeyName": "string",
            "partitionKeyTemplate": "string",
            "primaryKey": "string",
            "resourceGroup": "string",
            "secondaryKey": "string",
            "subscriptionId": "string"
          }
        ],
        "eventHubs": [
          {
            "authenticationType": "string",
            "connectionString": "string",
            "endpointUri": "string",
            "entityPath": "string",
            "id": "string",
            "identity": {
              "userAssignedIdentity": "string"
            },
            "name": "string",
            "resourceGroup": "string",
            "subscriptionId": "string"
          }
        ],
        "serviceBusQueues": [
          {
            "authenticationType": "string",
            "connectionString": "string",
            "endpointUri": "string",
            "entityPath": "string",
            "id": "string",
            "identity": {
              "userAssignedIdentity": "string"
            },
            "name": "string",
            "resourceGroup": "string",
            "subscriptionId": "string"
          }
        ],
        "serviceBusTopics": [
          {
            "authenticationType": "string",
            "connectionString": "string",
            "endpointUri": "string",
            "entityPath": "string",
            "id": "string",
            "identity": {
              "userAssignedIdentity": "string"
            },
            "name": "string",
            "resourceGroup": "string",
            "subscriptionId": "string"
          }
        ],
        "storageContainers": [
          {
            "authenticationType": "string",
            "batchFrequencyInSeconds": "int",
            "connectionString": "string",
            "containerName": "string",
            "encoding": "string",
            "endpointUri": "string",
            "fileNameFormat": "string",
            "id": "string",
            "identity": {
              "userAssignedIdentity": "string"
            },
            "maxChunkSizeInBytes": "int",
            "name": "string",
            "resourceGroup": "string",
            "subscriptionId": "string"
          }
        ]
      },
      "enrichments": [
        {
          "endpointNames": [ "string" ],
          "key": "string",
          "value": "string"
        }
      ],
      "fallbackRoute": {
        "condition": "string",
        "endpointNames": [ "string" ],
        "isEnabled": "bool",
        "name": "string",
        "source": "string"
      },
      "routes": [
        {
          "condition": "string",
          "endpointNames": [ "string" ],
          "isEnabled": "bool",
          "name": "string",
          "source": "string"
        }
      ]
    },
    "storageEndpoints": {
      "{customized property}": {
        "authenticationType": "string",
        "connectionString": "string",
        "containerName": "string",
        "identity": {
          "userAssignedIdentity": "string"
        },
        "sasTtlAsIso8601": "string"
      }
    }
  },
  "sku": {
    "capacity": "int",
    "name": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

ArmIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities Dictionary of <ArmUserIdentity> ArmIdentityUserAssignedIdentities

ArmIdentityUserAssignedIdentities

Name Description Value

ArmUserIdentity

Name Description Value

CloudToDeviceProperties

Name Description Value
defaultTtlAsIso8601 The default time to live for cloud-to-device messages in the device queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string
feedback The properties of the feedback queue for cloud-to-device messages. FeedbackProperties
maxDeliveryCount The max delivery count for cloud-to-device messages in the device queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. int

Constraints:
Min value = 1
Max value = 100

EnrichmentProperties

Name Description Value
endpointNames The list of endpoints for which the enrichment is applied to the message. string[] (required)
key The key or name for the enrichment property. string (required)
value The value for the enrichment property. string (required)

EventHubProperties

Name Description Value
partitionCount The number of partitions for receiving device-to-cloud messages in the Event Hub-compatible endpoint. See: /azure/iot-hub/iot-hub-devguide-messaging#device-to-cloud-messages. int
retentionTimeInDays The retention time for device-to-cloud messages in days. See: /azure/iot-hub/iot-hub-devguide-messaging#device-to-cloud-messages int

FallbackRouteProperties

Name Description Value
condition The condition which is evaluated in order to apply the fallback route. If the condition is not provided it will evaluate to true by default. For grammar, See: /azure/iot-hub/iot-hub-devguide-query-language string
endpointNames The list of endpoints to which the messages that satisfy the condition are routed to. Currently only 1 endpoint is allowed. string[] (required)
isEnabled Used to specify whether the fallback route is enabled. bool (required)
name The name of the route. The name can only include alphanumeric characters, periods, underscores, hyphens, has a maximum length of 64 characters, and must be unique. string
source The source to which the routing rule is to be applied to. For example, DeviceMessages 'DeviceConnectionStateEvents'
'DeviceJobLifecycleEvents'
'DeviceLifecycleEvents'
'DeviceMessages'
'Invalid'
'TwinChangeEvents' (required)

FeedbackProperties

Name Description Value
lockDurationAsIso8601 The lock duration for the feedback queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string
maxDeliveryCount The number of times the IoT hub attempts to deliver a message on the feedback queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. int

Constraints:
Min value = 1
Max value = 100
ttlAsIso8601 The period of time for which a message is available to consume before it is expired by the IoT hub. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string

IotHubProperties

Name Description Value
allowedFqdnList List of allowed FQDNs(Fully Qualified Domain Name) for egress from Iot Hub. string[]
authorizationPolicies The shared access policies you can use to secure a connection to the IoT hub. SharedAccessSignatureAuthorizationRule[]
cloudToDevice The IoT hub cloud-to-device messaging properties. CloudToDeviceProperties
comments IoT hub comments. string
disableDeviceSAS If true, all device(including Edge devices but excluding modules) scoped SAS keys cannot be used for authentication. bool
disableLocalAuth If true, SAS tokens with Iot hub scoped SAS keys cannot be used for authentication. bool
disableModuleSAS If true, all module scoped SAS keys cannot be used for authentication. bool
enableDataResidency This property when set to true, will enable data residency, thus, disabling disaster recovery. bool
enableFileUploadNotifications If True, file upload notifications are enabled. bool
eventHubEndpoints The Event Hub-compatible endpoint properties. The only possible keys to this dictionary is events. This key has to be present in the dictionary while making create or update calls for the IoT hub. IotHubPropertiesEventHubEndpoints
features The capabilities and features enabled for the IoT hub. 'DeviceManagement'
'None'
ipFilterRules The IP filter rules. IpFilterRule[]
messagingEndpoints The messaging endpoint properties for the file upload notification queue. IotHubPropertiesMessagingEndpoints
minTlsVersion Specifies the minimum TLS version to support for this hub. Can be set to "1.2" to have clients that use a TLS version below 1.2 to be rejected. string
networkRuleSets Network Rule Set Properties of IotHub NetworkRuleSetProperties
privateEndpointConnections Private endpoint connections created on this IotHub PrivateEndpointConnection[]
publicNetworkAccess Whether requests from Public Network are allowed 'Disabled'
'Enabled'
restrictOutboundNetworkAccess If true, egress from IotHub will be restricted to only the allowed FQDNs that are configured via allowedFqdnList. bool
routing The routing related properties of the IoT hub. See: /azure/iot-hub/iot-hub-devguide-messaging RoutingProperties
storageEndpoints The list of Azure Storage endpoints where you can upload files. Currently you can configure only one Azure Storage account and that MUST have its key as $default. Specifying more than one storage account causes an error to be thrown. Not specifying a value for this property when the enableFileUploadNotifications property is set to True, causes an error to be thrown. IotHubPropertiesStorageEndpoints

IotHubPropertiesEventHubEndpoints

Name Description Value

IotHubPropertiesMessagingEndpoints

Name Description Value

IotHubPropertiesStorageEndpoints

Name Description Value

IotHubSkuInfo

Name Description Value
capacity The number of provisioned IoT Hub units. See: /azure/azure-subscription-service-limits#iot-hub-limits. int
name The name of the SKU. 'B1'
'B2'
'B3'
'F1'
'S1'
'S2'
'S3' (required)

IpFilterRule

Name Description Value
action The desired action for requests captured by this rule. 'Accept'
'Reject' (required)
filterName The name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)

ManagedIdentity

Name Description Value
userAssignedIdentity The user assigned identity. string

MessagingEndpointProperties

Name Description Value
lockDurationAsIso8601 The lock duration. See: /azure/iot-hub/iot-hub-devguide-file-upload. string
maxDeliveryCount The number of times the IoT hub attempts to deliver a message. See: /azure/iot-hub/iot-hub-devguide-file-upload. int

Constraints:
Min value = 1
Max value = 100
ttlAsIso8601 The period of time for which a message is available to consume before it is expired by the IoT hub. See: /azure/iot-hub/iot-hub-devguide-file-upload. string

Microsoft.Devices/IotHubs

Name Description Value
apiVersion The api version '2023-06-30'
etag The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. string
identity The managed identities for the IotHub. ArmIdentity
location The resource location. string (required)
name The resource name string (required)
properties IotHub properties IotHubProperties
sku IotHub SKU info IotHubSkuInfo (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Devices/IotHubs'

NetworkRuleSetIpRule

Name Description Value
action IP Filter Action 'Allow'
filterName Name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)

NetworkRuleSetProperties

Name Description Value
applyToBuiltInEventHubEndpoint If True, then Network Rule Set is also applied to BuiltIn EventHub EndPoint of IotHub bool (required)
defaultAction Default Action for Network Rule Set 'Allow'
'Deny'
ipRules List of IP Rules NetworkRuleSetIpRule[] (required)

PrivateEndpoint

Name Description Value

PrivateEndpointConnection

Name Description Value
properties The properties of a private endpoint connection PrivateEndpointConnectionProperties (required)

PrivateEndpointConnectionProperties

Name Description Value
privateEndpoint The private endpoint property of a private endpoint connection PrivateEndpoint
privateLinkServiceConnectionState The current state of a private endpoint connection PrivateLinkServiceConnectionState (required)

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired Actions required for a private endpoint connection string
description The description for the current state of a private endpoint connection string (required)
status The status of a private endpoint connection 'Approved'
'Disconnected'
'Pending'
'Rejected' (required)

ResourceTags

Name Description Value

RouteProperties

Name Description Value
condition The condition that is evaluated to apply the routing rule. If no condition is provided, it evaluates to true by default. For grammar, see: /azure/iot-hub/iot-hub-devguide-query-language string
endpointNames The list of endpoints to which messages that satisfy the condition are routed. Currently only one endpoint is allowed. string[] (required)
isEnabled Used to specify whether a route is enabled. bool (required)
name The name of the route. The name can only include alphanumeric characters, periods, underscores, hyphens, has a maximum length of 64 characters, and must be unique. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
source The source that the routing rule is to be applied to, such as DeviceMessages. 'DeviceConnectionStateEvents'
'DeviceJobLifecycleEvents'
'DeviceLifecycleEvents'
'DeviceMessages'
'Invalid'
'TwinChangeEvents' (required)

RoutingCosmosDBSqlApiProperties

Name Description Value
authenticationType Method used to authenticate against the cosmos DB sql container endpoint 'identityBased'
'keyBased'
containerName The name of the cosmos DB sql container in the cosmos DB database. string (required)
databaseName The name of the cosmos DB database in the cosmos DB account. string (required)
endpointUri The url of the cosmos DB account. It must include the protocol https:// string (required)
identity Managed identity properties of routing cosmos DB container endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
partitionKeyName The name of the partition key associated with this cosmos DB sql container if one exists. This is an optional parameter. string
partitionKeyTemplate The template for generating a synthetic partition key value for use with this cosmos DB sql container. The template must include at least one of the following placeholders: {iothub}, {deviceid}, {DD}, {MM}, and {YYYY}. Any one placeholder may be specified at most once, but order and non-placeholder components are arbitrary. This parameter is only required if PartitionKeyName is specified. string
primaryKey The primary key of the cosmos DB account. string

Constraints:
Sensitive value. Pass in as a secure parameter.
resourceGroup The name of the resource group of the cosmos DB account. string
secondaryKey The secondary key of the cosmos DB account. string

Constraints:
Sensitive value. Pass in as a secure parameter.
subscriptionId The subscription identifier of the cosmos DB account. string

RoutingEndpoints

Name Description Value
cosmosDBSqlContainers The list of Cosmos DB container endpoints that IoT hub routes messages to, based on the routing rules. RoutingCosmosDBSqlApiProperties[]
eventHubs The list of Event Hubs endpoints that IoT hub routes messages to, based on the routing rules. This list does not include the built-in Event Hubs endpoint. RoutingEventHubProperties[]
serviceBusQueues The list of Service Bus queue endpoints that IoT hub routes the messages to, based on the routing rules. RoutingServiceBusQueueEndpointProperties[]
serviceBusTopics The list of Service Bus topic endpoints that the IoT hub routes the messages to, based on the routing rules. RoutingServiceBusTopicEndpointProperties[]
storageContainers The list of storage container endpoints that IoT hub routes messages to, based on the routing rules. RoutingStorageContainerProperties[]

RoutingEventHubProperties

Name Description Value
authenticationType Method used to authenticate against the event hub endpoint 'identityBased'
'keyBased'
connectionString The connection string of the event hub endpoint. string
endpointUri The url of the event hub endpoint. It must include the protocol sb:// string
entityPath Event hub name on the event hub namespace string
id Id of the event hub endpoint string
identity Managed identity properties of routing event hub endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the event hub endpoint. string
subscriptionId The subscription identifier of the event hub endpoint. string

RoutingProperties

Name Description Value
endpoints The properties related to the custom endpoints to which your IoT hub routes messages based on the routing rules. A maximum of 10 custom endpoints are allowed across all endpoint types for paid hubs and only 1 custom endpoint is allowed across all endpoint types for free hubs. RoutingEndpoints
enrichments The list of user-provided enrichments that the IoT hub applies to messages to be delivered to built-in and custom endpoints. See: https://aka.ms/telemetryoneventgrid EnrichmentProperties[]
fallbackRoute The properties of the route that is used as a fall-back route when none of the conditions specified in the 'routes' section are met. This is an optional parameter. When this property is not present in the template, the fallback route is disabled by default. FallbackRouteProperties
routes The list of user-provided routing rules that the IoT hub uses to route messages to built-in and custom endpoints. A maximum of 100 routing rules are allowed for paid hubs and a maximum of 5 routing rules are allowed for free hubs. RouteProperties[]

RoutingServiceBusQueueEndpointProperties

Name Description Value
authenticationType Method used to authenticate against the service bus queue endpoint 'identityBased'
'keyBased'
connectionString The connection string of the service bus queue endpoint. string
endpointUri The url of the service bus queue endpoint. It must include the protocol sb:// string
entityPath Queue name on the service bus namespace string
id Id of the service bus queue endpoint string
identity Managed identity properties of routing service bus queue endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. The name need not be the same as the actual queue name. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the service bus queue endpoint. string
subscriptionId The subscription identifier of the service bus queue endpoint. string

RoutingServiceBusTopicEndpointProperties

Name Description Value
authenticationType Method used to authenticate against the service bus topic endpoint 'identityBased'
'keyBased'
connectionString The connection string of the service bus topic endpoint. string
endpointUri The url of the service bus topic endpoint. It must include the protocol sb:// string
entityPath Queue name on the service bus topic string
id Id of the service bus topic endpoint string
identity Managed identity properties of routing service bus topic endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. The name need not be the same as the actual topic name. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the service bus topic endpoint. string
subscriptionId The subscription identifier of the service bus topic endpoint. string

RoutingStorageContainerProperties

Name Description Value
authenticationType Method used to authenticate against the storage endpoint 'identityBased'
'keyBased'
batchFrequencyInSeconds Time interval at which blobs are written to storage. Value should be between 60 and 720 seconds. Default value is 300 seconds. int

Constraints:
Min value = 60
Max value = 720
connectionString The connection string of the storage account. string
containerName The name of storage container in the storage account. string (required)
encoding Encoding that is used to serialize messages to blobs. Supported values are 'avro', 'avrodeflate', and 'JSON'. Default value is 'avro'. 'Avro'
'AvroDeflate'
'JSON'
endpointUri The url of the storage endpoint. It must include the protocol https:// string
fileNameFormat File name format for the blob. Default format is {iothub}/{partition}/{YYYY}/{MM}/{DD}/{HH}/{mm}. All parameters are mandatory but can be reordered. string
id Id of the storage container endpoint string
identity Managed identity properties of routing storage endpoint. ManagedIdentity
maxChunkSizeInBytes Maximum number of bytes for each blob written to storage. Value should be between 10485760(10MB) and 524288000(500MB). Default value is 314572800(300MB). int

Constraints:
Min value = 10485760
Max value = 524288000
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the storage account. string
subscriptionId The subscription identifier of the storage account. string

SharedAccessSignatureAuthorizationRule

Name Description Value
keyName The name of the shared access policy. string (required)
primaryKey The primary key. string
rights The permissions assigned to the shared access policy. 'DeviceConnect'
'RegistryRead'
'RegistryRead, DeviceConnect'
'RegistryRead, RegistryWrite'
'RegistryRead, RegistryWrite, DeviceConnect'
'RegistryRead, RegistryWrite, ServiceConnect'
'RegistryRead, RegistryWrite, ServiceConnect, DeviceConnect'
'RegistryRead, ServiceConnect'
'RegistryRead, ServiceConnect, DeviceConnect'
'RegistryWrite'
'RegistryWrite, DeviceConnect'
'RegistryWrite, ServiceConnect'
'RegistryWrite, ServiceConnect, DeviceConnect'
'ServiceConnect'
'ServiceConnect, DeviceConnect' (required)
secondaryKey The secondary key. string

StorageEndpointProperties

Name Description Value
authenticationType Specifies authentication type being used for connecting to the storage account. 'identityBased'
'keyBased'
connectionString The connection string for the Azure Storage account to which files are uploaded. string (required)
containerName The name of the root container where you upload files. The container need not exist but should be creatable using the connectionString specified. string (required)
identity Managed identity properties of storage endpoint for file upload. ManagedIdentity
sasTtlAsIso8601 The period of time for which the SAS URI generated by IoT Hub for file upload is valid. See: /azure/iot-hub/iot-hub-devguide-file-upload#file-upload-notification-configuration-options. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create a Pay As You Go (PAYG) Environment with an IoT Hub

Deploy to Azure
This template enables you to deploy a Pay As You Go (PAYG) Time Series Insights environment that is configured to consume events from an IoT Hub.
Create an IoT Hub and a Device to Cloud Consumer Group

Deploy to Azure
This template enables you to deploy an IoT Hub instance with device to cloud and cloud to device messaging configurations and a device to cloud consumer group.
Create an IOT Hub and Ubuntu edge simulator

Deploy to Azure
This template creates an IOT Hub and Virtual Machine Ubuntu edge simulator.
Create an IoT Hub Device Provisioning Service

Deploy to Azure
This template enables you to create an IoT hub and an IoT Hub Device Provisioning Service, and link the two services together.
Create Device Update for IoT Hub account, instance, IoT Hub

Deploy to Azure
This template creates an account, and an instance and a hub to link the instance with. It configures the hub with the necessary access polices, routes, and consumer group.
Deploy the MedTech service including an Azure IoT Hub

Deploy to Azure
The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service.
Use ARM template to create IoT Hub, route and view messages

Deploy to Azure
Use this template to deploy an IoT Hub and a storage account. Run an app to send messages to the hub that are routed to storage, then view the results.

Terraform (AzAPI provider) resource definition

The IotHubs resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Devices/IotHubs resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Devices/IotHubs@2023-06-30"
  name = "string"
  etag = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  sku = {
    capacity = int
    name = "string"
  }
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      allowedFqdnList = [
        "string"
      ]
      authorizationPolicies = [
        {
          keyName = "string"
          primaryKey = "string"
          rights = "string"
          secondaryKey = "string"
        }
      ]
      cloudToDevice = {
        defaultTtlAsIso8601 = "string"
        feedback = {
          lockDurationAsIso8601 = "string"
          maxDeliveryCount = int
          ttlAsIso8601 = "string"
        }
        maxDeliveryCount = int
      }
      comments = "string"
      disableDeviceSAS = bool
      disableLocalAuth = bool
      disableModuleSAS = bool
      enableDataResidency = bool
      enableFileUploadNotifications = bool
      eventHubEndpoints = {
        {customized property} = {
          partitionCount = int
          retentionTimeInDays = int
        }
      }
      features = "string"
      ipFilterRules = [
        {
          action = "string"
          filterName = "string"
          ipMask = "string"
        }
      ]
      messagingEndpoints = {
        {customized property} = {
          lockDurationAsIso8601 = "string"
          maxDeliveryCount = int
          ttlAsIso8601 = "string"
        }
      }
      minTlsVersion = "string"
      networkRuleSets = {
        applyToBuiltInEventHubEndpoint = bool
        defaultAction = "string"
        ipRules = [
          {
            action = "string"
            filterName = "string"
            ipMask = "string"
          }
        ]
      }
      privateEndpointConnections = [
        {
          properties = {
            privateEndpoint = {
            }
            privateLinkServiceConnectionState = {
              actionsRequired = "string"
              description = "string"
              status = "string"
            }
          }
        }
      ]
      publicNetworkAccess = "string"
      restrictOutboundNetworkAccess = bool
      routing = {
        endpoints = {
          cosmosDBSqlContainers = [
            {
              authenticationType = "string"
              containerName = "string"
              databaseName = "string"
              endpointUri = "string"
              identity = {
                userAssignedIdentity = "string"
              }
              name = "string"
              partitionKeyName = "string"
              partitionKeyTemplate = "string"
              primaryKey = "string"
              resourceGroup = "string"
              secondaryKey = "string"
              subscriptionId = "string"
            }
          ]
          eventHubs = [
            {
              authenticationType = "string"
              connectionString = "string"
              endpointUri = "string"
              entityPath = "string"
              id = "string"
              identity = {
                userAssignedIdentity = "string"
              }
              name = "string"
              resourceGroup = "string"
              subscriptionId = "string"
            }
          ]
          serviceBusQueues = [
            {
              authenticationType = "string"
              connectionString = "string"
              endpointUri = "string"
              entityPath = "string"
              id = "string"
              identity = {
                userAssignedIdentity = "string"
              }
              name = "string"
              resourceGroup = "string"
              subscriptionId = "string"
            }
          ]
          serviceBusTopics = [
            {
              authenticationType = "string"
              connectionString = "string"
              endpointUri = "string"
              entityPath = "string"
              id = "string"
              identity = {
                userAssignedIdentity = "string"
              }
              name = "string"
              resourceGroup = "string"
              subscriptionId = "string"
            }
          ]
          storageContainers = [
            {
              authenticationType = "string"
              batchFrequencyInSeconds = int
              connectionString = "string"
              containerName = "string"
              encoding = "string"
              endpointUri = "string"
              fileNameFormat = "string"
              id = "string"
              identity = {
                userAssignedIdentity = "string"
              }
              maxChunkSizeInBytes = int
              name = "string"
              resourceGroup = "string"
              subscriptionId = "string"
            }
          ]
        }
        enrichments = [
          {
            endpointNames = [
              "string"
            ]
            key = "string"
            value = "string"
          }
        ]
        fallbackRoute = {
          condition = "string"
          endpointNames = [
            "string"
          ]
          isEnabled = bool
          name = "string"
          source = "string"
        }
        routes = [
          {
            condition = "string"
            endpointNames = [
              "string"
            ]
            isEnabled = bool
            name = "string"
            source = "string"
          }
        ]
      }
      storageEndpoints = {
        {customized property} = {
          authenticationType = "string"
          connectionString = "string"
          containerName = "string"
          identity = {
            userAssignedIdentity = "string"
          }
          sasTtlAsIso8601 = "string"
        }
      }
    }
  })
}

Property values

ArmIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities Dictionary of <ArmUserIdentity> ArmIdentityUserAssignedIdentities

ArmIdentityUserAssignedIdentities

Name Description Value

ArmUserIdentity

Name Description Value

CloudToDeviceProperties

Name Description Value
defaultTtlAsIso8601 The default time to live for cloud-to-device messages in the device queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string
feedback The properties of the feedback queue for cloud-to-device messages. FeedbackProperties
maxDeliveryCount The max delivery count for cloud-to-device messages in the device queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. int

Constraints:
Min value = 1
Max value = 100

EnrichmentProperties

Name Description Value
endpointNames The list of endpoints for which the enrichment is applied to the message. string[] (required)
key The key or name for the enrichment property. string (required)
value The value for the enrichment property. string (required)

EventHubProperties

Name Description Value
partitionCount The number of partitions for receiving device-to-cloud messages in the Event Hub-compatible endpoint. See: /azure/iot-hub/iot-hub-devguide-messaging#device-to-cloud-messages. int
retentionTimeInDays The retention time for device-to-cloud messages in days. See: /azure/iot-hub/iot-hub-devguide-messaging#device-to-cloud-messages int

FallbackRouteProperties

Name Description Value
condition The condition which is evaluated in order to apply the fallback route. If the condition is not provided it will evaluate to true by default. For grammar, See: /azure/iot-hub/iot-hub-devguide-query-language string
endpointNames The list of endpoints to which the messages that satisfy the condition are routed to. Currently only 1 endpoint is allowed. string[] (required)
isEnabled Used to specify whether the fallback route is enabled. bool (required)
name The name of the route. The name can only include alphanumeric characters, periods, underscores, hyphens, has a maximum length of 64 characters, and must be unique. string
source The source to which the routing rule is to be applied to. For example, DeviceMessages 'DeviceConnectionStateEvents'
'DeviceJobLifecycleEvents'
'DeviceLifecycleEvents'
'DeviceMessages'
'Invalid'
'TwinChangeEvents' (required)

FeedbackProperties

Name Description Value
lockDurationAsIso8601 The lock duration for the feedback queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string
maxDeliveryCount The number of times the IoT hub attempts to deliver a message on the feedback queue. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. int

Constraints:
Min value = 1
Max value = 100
ttlAsIso8601 The period of time for which a message is available to consume before it is expired by the IoT hub. See: /azure/iot-hub/iot-hub-devguide-messaging#cloud-to-device-messages. string

IotHubProperties

Name Description Value
allowedFqdnList List of allowed FQDNs(Fully Qualified Domain Name) for egress from Iot Hub. string[]
authorizationPolicies The shared access policies you can use to secure a connection to the IoT hub. SharedAccessSignatureAuthorizationRule[]
cloudToDevice The IoT hub cloud-to-device messaging properties. CloudToDeviceProperties
comments IoT hub comments. string
disableDeviceSAS If true, all device(including Edge devices but excluding modules) scoped SAS keys cannot be used for authentication. bool
disableLocalAuth If true, SAS tokens with Iot hub scoped SAS keys cannot be used for authentication. bool
disableModuleSAS If true, all module scoped SAS keys cannot be used for authentication. bool
enableDataResidency This property when set to true, will enable data residency, thus, disabling disaster recovery. bool
enableFileUploadNotifications If True, file upload notifications are enabled. bool
eventHubEndpoints The Event Hub-compatible endpoint properties. The only possible keys to this dictionary is events. This key has to be present in the dictionary while making create or update calls for the IoT hub. IotHubPropertiesEventHubEndpoints
features The capabilities and features enabled for the IoT hub. 'DeviceManagement'
'None'
ipFilterRules The IP filter rules. IpFilterRule[]
messagingEndpoints The messaging endpoint properties for the file upload notification queue. IotHubPropertiesMessagingEndpoints
minTlsVersion Specifies the minimum TLS version to support for this hub. Can be set to "1.2" to have clients that use a TLS version below 1.2 to be rejected. string
networkRuleSets Network Rule Set Properties of IotHub NetworkRuleSetProperties
privateEndpointConnections Private endpoint connections created on this IotHub PrivateEndpointConnection[]
publicNetworkAccess Whether requests from Public Network are allowed 'Disabled'
'Enabled'
restrictOutboundNetworkAccess If true, egress from IotHub will be restricted to only the allowed FQDNs that are configured via allowedFqdnList. bool
routing The routing related properties of the IoT hub. See: /azure/iot-hub/iot-hub-devguide-messaging RoutingProperties
storageEndpoints The list of Azure Storage endpoints where you can upload files. Currently you can configure only one Azure Storage account and that MUST have its key as $default. Specifying more than one storage account causes an error to be thrown. Not specifying a value for this property when the enableFileUploadNotifications property is set to True, causes an error to be thrown. IotHubPropertiesStorageEndpoints

IotHubPropertiesEventHubEndpoints

Name Description Value

IotHubPropertiesMessagingEndpoints

Name Description Value

IotHubPropertiesStorageEndpoints

Name Description Value

IotHubSkuInfo

Name Description Value
capacity The number of provisioned IoT Hub units. See: /azure/azure-subscription-service-limits#iot-hub-limits. int
name The name of the SKU. 'B1'
'B2'
'B3'
'F1'
'S1'
'S2'
'S3' (required)

IpFilterRule

Name Description Value
action The desired action for requests captured by this rule. 'Accept'
'Reject' (required)
filterName The name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)

ManagedIdentity

Name Description Value
userAssignedIdentity The user assigned identity. string

MessagingEndpointProperties

Name Description Value
lockDurationAsIso8601 The lock duration. See: /azure/iot-hub/iot-hub-devguide-file-upload. string
maxDeliveryCount The number of times the IoT hub attempts to deliver a message. See: /azure/iot-hub/iot-hub-devguide-file-upload. int

Constraints:
Min value = 1
Max value = 100
ttlAsIso8601 The period of time for which a message is available to consume before it is expired by the IoT hub. See: /azure/iot-hub/iot-hub-devguide-file-upload. string

Microsoft.Devices/IotHubs

Name Description Value
etag The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. string
identity The managed identities for the IotHub. ArmIdentity
location The resource location. string (required)
name The resource name string (required)
properties IotHub properties IotHubProperties
sku IotHub SKU info IotHubSkuInfo (required)
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Devices/IotHubs@2023-06-30"

NetworkRuleSetIpRule

Name Description Value
action IP Filter Action 'Allow'
filterName Name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)

NetworkRuleSetProperties

Name Description Value
applyToBuiltInEventHubEndpoint If True, then Network Rule Set is also applied to BuiltIn EventHub EndPoint of IotHub bool (required)
defaultAction Default Action for Network Rule Set 'Allow'
'Deny'
ipRules List of IP Rules NetworkRuleSetIpRule[] (required)

PrivateEndpoint

Name Description Value

PrivateEndpointConnection

Name Description Value
properties The properties of a private endpoint connection PrivateEndpointConnectionProperties (required)

PrivateEndpointConnectionProperties

Name Description Value
privateEndpoint The private endpoint property of a private endpoint connection PrivateEndpoint
privateLinkServiceConnectionState The current state of a private endpoint connection PrivateLinkServiceConnectionState (required)

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired Actions required for a private endpoint connection string
description The description for the current state of a private endpoint connection string (required)
status The status of a private endpoint connection 'Approved'
'Disconnected'
'Pending'
'Rejected' (required)

ResourceTags

Name Description Value

RouteProperties

Name Description Value
condition The condition that is evaluated to apply the routing rule. If no condition is provided, it evaluates to true by default. For grammar, see: /azure/iot-hub/iot-hub-devguide-query-language string
endpointNames The list of endpoints to which messages that satisfy the condition are routed. Currently only one endpoint is allowed. string[] (required)
isEnabled Used to specify whether a route is enabled. bool (required)
name The name of the route. The name can only include alphanumeric characters, periods, underscores, hyphens, has a maximum length of 64 characters, and must be unique. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
source The source that the routing rule is to be applied to, such as DeviceMessages. 'DeviceConnectionStateEvents'
'DeviceJobLifecycleEvents'
'DeviceLifecycleEvents'
'DeviceMessages'
'Invalid'
'TwinChangeEvents' (required)

RoutingCosmosDBSqlApiProperties

Name Description Value
authenticationType Method used to authenticate against the cosmos DB sql container endpoint 'identityBased'
'keyBased'
containerName The name of the cosmos DB sql container in the cosmos DB database. string (required)
databaseName The name of the cosmos DB database in the cosmos DB account. string (required)
endpointUri The url of the cosmos DB account. It must include the protocol https:// string (required)
identity Managed identity properties of routing cosmos DB container endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
partitionKeyName The name of the partition key associated with this cosmos DB sql container if one exists. This is an optional parameter. string
partitionKeyTemplate The template for generating a synthetic partition key value for use with this cosmos DB sql container. The template must include at least one of the following placeholders: {iothub}, {deviceid}, {DD}, {MM}, and {YYYY}. Any one placeholder may be specified at most once, but order and non-placeholder components are arbitrary. This parameter is only required if PartitionKeyName is specified. string
primaryKey The primary key of the cosmos DB account. string

Constraints:
Sensitive value. Pass in as a secure parameter.
resourceGroup The name of the resource group of the cosmos DB account. string
secondaryKey The secondary key of the cosmos DB account. string

Constraints:
Sensitive value. Pass in as a secure parameter.
subscriptionId The subscription identifier of the cosmos DB account. string

RoutingEndpoints

Name Description Value
cosmosDBSqlContainers The list of Cosmos DB container endpoints that IoT hub routes messages to, based on the routing rules. RoutingCosmosDBSqlApiProperties[]
eventHubs The list of Event Hubs endpoints that IoT hub routes messages to, based on the routing rules. This list does not include the built-in Event Hubs endpoint. RoutingEventHubProperties[]
serviceBusQueues The list of Service Bus queue endpoints that IoT hub routes the messages to, based on the routing rules. RoutingServiceBusQueueEndpointProperties[]
serviceBusTopics The list of Service Bus topic endpoints that the IoT hub routes the messages to, based on the routing rules. RoutingServiceBusTopicEndpointProperties[]
storageContainers The list of storage container endpoints that IoT hub routes messages to, based on the routing rules. RoutingStorageContainerProperties[]

RoutingEventHubProperties

Name Description Value
authenticationType Method used to authenticate against the event hub endpoint 'identityBased'
'keyBased'
connectionString The connection string of the event hub endpoint. string
endpointUri The url of the event hub endpoint. It must include the protocol sb:// string
entityPath Event hub name on the event hub namespace string
id Id of the event hub endpoint string
identity Managed identity properties of routing event hub endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the event hub endpoint. string
subscriptionId The subscription identifier of the event hub endpoint. string

RoutingProperties

Name Description Value
endpoints The properties related to the custom endpoints to which your IoT hub routes messages based on the routing rules. A maximum of 10 custom endpoints are allowed across all endpoint types for paid hubs and only 1 custom endpoint is allowed across all endpoint types for free hubs. RoutingEndpoints
enrichments The list of user-provided enrichments that the IoT hub applies to messages to be delivered to built-in and custom endpoints. See: https://aka.ms/telemetryoneventgrid EnrichmentProperties[]
fallbackRoute The properties of the route that is used as a fall-back route when none of the conditions specified in the 'routes' section are met. This is an optional parameter. When this property is not present in the template, the fallback route is disabled by default. FallbackRouteProperties
routes The list of user-provided routing rules that the IoT hub uses to route messages to built-in and custom endpoints. A maximum of 100 routing rules are allowed for paid hubs and a maximum of 5 routing rules are allowed for free hubs. RouteProperties[]

RoutingServiceBusQueueEndpointProperties

Name Description Value
authenticationType Method used to authenticate against the service bus queue endpoint 'identityBased'
'keyBased'
connectionString The connection string of the service bus queue endpoint. string
endpointUri The url of the service bus queue endpoint. It must include the protocol sb:// string
entityPath Queue name on the service bus namespace string
id Id of the service bus queue endpoint string
identity Managed identity properties of routing service bus queue endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. The name need not be the same as the actual queue name. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the service bus queue endpoint. string
subscriptionId The subscription identifier of the service bus queue endpoint. string

RoutingServiceBusTopicEndpointProperties

Name Description Value
authenticationType Method used to authenticate against the service bus topic endpoint 'identityBased'
'keyBased'
connectionString The connection string of the service bus topic endpoint. string
endpointUri The url of the service bus topic endpoint. It must include the protocol sb:// string
entityPath Queue name on the service bus topic string
id Id of the service bus topic endpoint string
identity Managed identity properties of routing service bus topic endpoint. ManagedIdentity
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. The name need not be the same as the actual topic name. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the service bus topic endpoint. string
subscriptionId The subscription identifier of the service bus topic endpoint. string

RoutingStorageContainerProperties

Name Description Value
authenticationType Method used to authenticate against the storage endpoint 'identityBased'
'keyBased'
batchFrequencyInSeconds Time interval at which blobs are written to storage. Value should be between 60 and 720 seconds. Default value is 300 seconds. int

Constraints:
Min value = 60
Max value = 720
connectionString The connection string of the storage account. string
containerName The name of storage container in the storage account. string (required)
encoding Encoding that is used to serialize messages to blobs. Supported values are 'avro', 'avrodeflate', and 'JSON'. Default value is 'avro'. 'Avro'
'AvroDeflate'
'JSON'
endpointUri The url of the storage endpoint. It must include the protocol https:// string
fileNameFormat File name format for the blob. Default format is {iothub}/{partition}/{YYYY}/{MM}/{DD}/{HH}/{mm}. All parameters are mandatory but can be reordered. string
id Id of the storage container endpoint string
identity Managed identity properties of routing storage endpoint. ManagedIdentity
maxChunkSizeInBytes Maximum number of bytes for each blob written to storage. Value should be between 10485760(10MB) and 524288000(500MB). Default value is 314572800(300MB). int

Constraints:
Min value = 10485760
Max value = 524288000
name The name that identifies this endpoint. The name can only include alphanumeric characters, periods, underscores, hyphens and has a maximum length of 64 characters. The following names are reserved: events, fileNotifications, $default. Endpoint names must be unique across endpoint types. string

Constraints:
Pattern = ^[A-Za-z0-9-._]{1,64}$ (required)
resourceGroup The name of the resource group of the storage account. string
subscriptionId The subscription identifier of the storage account. string

SharedAccessSignatureAuthorizationRule

Name Description Value
keyName The name of the shared access policy. string (required)
primaryKey The primary key. string
rights The permissions assigned to the shared access policy. 'DeviceConnect'
'RegistryRead'
'RegistryRead, DeviceConnect'
'RegistryRead, RegistryWrite'
'RegistryRead, RegistryWrite, DeviceConnect'
'RegistryRead, RegistryWrite, ServiceConnect'
'RegistryRead, RegistryWrite, ServiceConnect, DeviceConnect'
'RegistryRead, ServiceConnect'
'RegistryRead, ServiceConnect, DeviceConnect'
'RegistryWrite'
'RegistryWrite, DeviceConnect'
'RegistryWrite, ServiceConnect'
'RegistryWrite, ServiceConnect, DeviceConnect'
'ServiceConnect'
'ServiceConnect, DeviceConnect' (required)
secondaryKey The secondary key. string

StorageEndpointProperties

Name Description Value
authenticationType Specifies authentication type being used for connecting to the storage account. 'identityBased'
'keyBased'
connectionString The connection string for the Azure Storage account to which files are uploaded. string (required)
containerName The name of the root container where you upload files. The container need not exist but should be creatable using the connectionString specified. string (required)
identity Managed identity properties of storage endpoint for file upload. ManagedIdentity
sasTtlAsIso8601 The period of time for which the SAS URI generated by IoT Hub for file upload is valid. See: /azure/iot-hub/iot-hub-devguide-file-upload#file-upload-notification-configuration-options. string