Microsoft.Devices provisioningServices

Bicep resource definition

The provisioningServices resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Devices/provisioningServices resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Devices/provisioningServices@2025-02-01-preview' = {
  etag: 'string'
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    allocationPolicy: 'string'
    authorizationPolicies: [
      {
        keyName: 'string'
        primaryKey: 'string'
        rights: 'string'
        secondaryKey: 'string'
      }
    ]
    enableDataResidency: bool
    iotHubs: [
      {
        allocationWeight: int
        applyAllocationPolicy: bool
        authenticationType: 'string'
        connectionString: 'string'
        location: 'string'
        selectedUserAssignedIdentityResourceId: 'string'
      }
    ]
    ipFilterRules: [
      {
        action: 'string'
        filterName: 'string'
        ipMask: 'string'
        target: 'string'
      }
    ]
    portalOperationsHostName: 'string'
    privateEndpointConnections: [
      {
        properties: {
          privateEndpoint: {}
          privateLinkServiceConnectionState: {
            actionsRequired: 'string'
            description: 'string'
            status: 'string'
          }
        }
      }
    ]
    provisioningState: 'string'
    publicNetworkAccess: 'string'
    state: 'string'
  }
  resourcegroup: 'string'
  sku: {
    capacity: int
    name: 'string'
  }
  subscriptionid: 'string'
  tags: {
    {customized property}: 'string'
  }
}

Property values

IotDpsPropertiesDescription

Name Description Value
allocationPolicy Allocation policy to be used by this provisioning service. 'GeoLatency'
'Hashed'
'Static'
authorizationPolicies List of authorization keys for a provisioning service. SharedAccessSignatureAuthorizationRuleAccessRightsDescription[]
enableDataResidency Optional.
Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery.
bool
iotHubs List of IoT hubs associated with this provisioning service. IotHubDefinitionDescription[]
ipFilterRules The IP filter rules. IpFilterRule[]
portalOperationsHostName Portal endpoint to enable CORS for this provisioning service. string
privateEndpointConnections Private endpoint connections created on this IotHub PrivateEndpointConnection[]
provisioningState The ARM provisioning state of the provisioning service. string
publicNetworkAccess Whether requests from Public Network are allowed 'Disabled'
'Enabled'
state Current state of the provisioning service. 'Activating'
'ActivationFailed'
'Active'
'Deleted'
'Deleting'
'DeletionFailed'
'FailingOver'
'FailoverFailed'
'Resuming'
'Suspended'
'Suspending'
'Transitioning'

IotDpsSkuInfo

Name Description Value
capacity The number of units to provision int
name Sku name. 'S1'

IotHubDefinitionDescription

Name Description Value
allocationWeight weight to apply for a given iot h. int
applyAllocationPolicy flag for applying allocationPolicy or not for a given iot hub. bool
authenticationType IotHub MI authentication type: KeyBased, UserAssigned, SystemAssigned. 'KeyBased'
'SystemAssigned'
'UserAssigned'
connectionString Connection string of the IoT hub. string
location ARM region of the IoT hub. string (required)
selectedUserAssignedIdentityResourceId The selected user-assigned identity resource Id associated with IoT Hub. This is required when authenticationType is UserAssigned. string

IpFilterRule

Name Description Value
action The desired action for requests captured by this rule. 'Accept'
'Reject' (required)
filterName The name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)
target Target for requests captured by this rule. 'all'
'deviceApi'
'serviceApi'

ManagedServiceIdentity

Name Description Value
type Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). 'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. UserAssignedIdentities

Microsoft.Devices/provisioningServices

Name Description Value
etag The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. string
identity The managed identities for a provisioning service. ManagedServiceIdentity
location The resource location. string (required)
name The resource name string (required)
properties Service specific properties for a provisioning service IotDpsPropertiesDescription (required)
resourcegroup The resource group of the resource. string
sku Sku info for a provisioning Service. IotDpsSkuInfo (required)
subscriptionid The subscription id of the resource. string
tags Resource tags Dictionary of tag names and values. See Tags in templates

PrivateEndpoint

Name Description Value

PrivateEndpointConnection

Name Description Value
properties The properties of a private endpoint connection PrivateEndpointConnectionProperties (required)

PrivateEndpointConnectionProperties

Name Description Value
privateEndpoint The private endpoint property of a private endpoint connection PrivateEndpoint
privateLinkServiceConnectionState The current state of a private endpoint connection PrivateLinkServiceConnectionState (required)

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired Actions required for a private endpoint connection string
description The description for the current state of a private endpoint connection string (required)
status The status of a private endpoint connection 'Approved'
'Disconnected'
'Pending'
'Rejected' (required)

ResourceTags

Name Description Value

SharedAccessSignatureAuthorizationRuleAccessRightsDescription

Name Description Value
keyName Name of the key. string (required)
primaryKey Primary SAS key value. string
rights Rights that this key has. 'DeviceConnect'
'EnrollmentRead'
'EnrollmentWrite'
'RegistrationStatusRead'
'RegistrationStatusWrite'
'ServiceConfig' (required)
secondaryKey Secondary SAS key value. string

UserAssignedIdentities

Name Description Value

UserAssignedIdentity

Name Description Value

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Create an IoT Hub Device Provisioning Service This template enables you to create an IoT hub and an IoT Hub Device Provisioning Service, and link the two services together.

ARM template resource definition

The provisioningServices resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Devices/provisioningServices resource, add the following JSON to your template.

{
  "type": "Microsoft.Devices/provisioningServices",
  "apiVersion": "2025-02-01-preview",
  "name": "string",
  "etag": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "allocationPolicy": "string",
    "authorizationPolicies": [
      {
        "keyName": "string",
        "primaryKey": "string",
        "rights": "string",
        "secondaryKey": "string"
      }
    ],
    "enableDataResidency": "bool",
    "iotHubs": [
      {
        "allocationWeight": "int",
        "applyAllocationPolicy": "bool",
        "authenticationType": "string",
        "connectionString": "string",
        "location": "string",
        "selectedUserAssignedIdentityResourceId": "string"
      }
    ],
    "ipFilterRules": [
      {
        "action": "string",
        "filterName": "string",
        "ipMask": "string",
        "target": "string"
      }
    ],
    "portalOperationsHostName": "string",
    "privateEndpointConnections": [
      {
        "properties": {
          "privateEndpoint": {
          },
          "privateLinkServiceConnectionState": {
            "actionsRequired": "string",
            "description": "string",
            "status": "string"
          }
        }
      }
    ],
    "provisioningState": "string",
    "publicNetworkAccess": "string",
    "state": "string"
  },
  "resourcegroup": "string",
  "sku": {
    "capacity": "int",
    "name": "string"
  },
  "subscriptionid": "string",
  "tags": {
    "{customized property}": "string"
  }
}

Property values

IotDpsPropertiesDescription

Name Description Value
allocationPolicy Allocation policy to be used by this provisioning service. 'GeoLatency'
'Hashed'
'Static'
authorizationPolicies List of authorization keys for a provisioning service. SharedAccessSignatureAuthorizationRuleAccessRightsDescription[]
enableDataResidency Optional.
Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery.
bool
iotHubs List of IoT hubs associated with this provisioning service. IotHubDefinitionDescription[]
ipFilterRules The IP filter rules. IpFilterRule[]
portalOperationsHostName Portal endpoint to enable CORS for this provisioning service. string
privateEndpointConnections Private endpoint connections created on this IotHub PrivateEndpointConnection[]
provisioningState The ARM provisioning state of the provisioning service. string
publicNetworkAccess Whether requests from Public Network are allowed 'Disabled'
'Enabled'
state Current state of the provisioning service. 'Activating'
'ActivationFailed'
'Active'
'Deleted'
'Deleting'
'DeletionFailed'
'FailingOver'
'FailoverFailed'
'Resuming'
'Suspended'
'Suspending'
'Transitioning'

IotDpsSkuInfo

Name Description Value
capacity The number of units to provision int
name Sku name. 'S1'

IotHubDefinitionDescription

Name Description Value
allocationWeight weight to apply for a given iot h. int
applyAllocationPolicy flag for applying allocationPolicy or not for a given iot hub. bool
authenticationType IotHub MI authentication type: KeyBased, UserAssigned, SystemAssigned. 'KeyBased'
'SystemAssigned'
'UserAssigned'
connectionString Connection string of the IoT hub. string
location ARM region of the IoT hub. string (required)
selectedUserAssignedIdentityResourceId The selected user-assigned identity resource Id associated with IoT Hub. This is required when authenticationType is UserAssigned. string

IpFilterRule

Name Description Value
action The desired action for requests captured by this rule. 'Accept'
'Reject' (required)
filterName The name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)
target Target for requests captured by this rule. 'all'
'deviceApi'
'serviceApi'

ManagedServiceIdentity

Name Description Value
type Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). 'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. UserAssignedIdentities

Microsoft.Devices/provisioningServices

Name Description Value
apiVersion The api version '2025-02-01-preview'
etag The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. string
identity The managed identities for a provisioning service. ManagedServiceIdentity
location The resource location. string (required)
name The resource name string (required)
properties Service specific properties for a provisioning service IotDpsPropertiesDescription (required)
resourcegroup The resource group of the resource. string
sku Sku info for a provisioning Service. IotDpsSkuInfo (required)
subscriptionid The subscription id of the resource. string
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Devices/provisioningServices'

PrivateEndpoint

Name Description Value

PrivateEndpointConnection

Name Description Value
properties The properties of a private endpoint connection PrivateEndpointConnectionProperties (required)

PrivateEndpointConnectionProperties

Name Description Value
privateEndpoint The private endpoint property of a private endpoint connection PrivateEndpoint
privateLinkServiceConnectionState The current state of a private endpoint connection PrivateLinkServiceConnectionState (required)

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired Actions required for a private endpoint connection string
description The description for the current state of a private endpoint connection string (required)
status The status of a private endpoint connection 'Approved'
'Disconnected'
'Pending'
'Rejected' (required)

ResourceTags

Name Description Value

SharedAccessSignatureAuthorizationRuleAccessRightsDescription

Name Description Value
keyName Name of the key. string (required)
primaryKey Primary SAS key value. string
rights Rights that this key has. 'DeviceConnect'
'EnrollmentRead'
'EnrollmentWrite'
'RegistrationStatusRead'
'RegistrationStatusWrite'
'ServiceConfig' (required)
secondaryKey Secondary SAS key value. string

UserAssignedIdentities

Name Description Value

UserAssignedIdentity

Name Description Value

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create an IOT Hub and Ubuntu edge simulator

Deploy to Azure
This template creates an IOT Hub and Virtual Machine Ubuntu edge simulator.
Create an IoT Hub Device Provisioning Service

Deploy to Azure
This template enables you to create an IoT hub and an IoT Hub Device Provisioning Service, and link the two services together.

Terraform (AzAPI provider) resource definition

The provisioningServices resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Devices/provisioningServices resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Devices/provisioningServices@2025-02-01-preview"
  name = "string"
  etag = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  body = jsonencode({
    properties = {
      allocationPolicy = "string"
      authorizationPolicies = [
        {
          keyName = "string"
          primaryKey = "string"
          rights = "string"
          secondaryKey = "string"
        }
      ]
      enableDataResidency = bool
      iotHubs = [
        {
          allocationWeight = int
          applyAllocationPolicy = bool
          authenticationType = "string"
          connectionString = "string"
          location = "string"
          selectedUserAssignedIdentityResourceId = "string"
        }
      ]
      ipFilterRules = [
        {
          action = "string"
          filterName = "string"
          ipMask = "string"
          target = "string"
        }
      ]
      portalOperationsHostName = "string"
      privateEndpointConnections = [
        {
          properties = {
            privateEndpoint = {
            }
            privateLinkServiceConnectionState = {
              actionsRequired = "string"
              description = "string"
              status = "string"
            }
          }
        }
      ]
      provisioningState = "string"
      publicNetworkAccess = "string"
      state = "string"
    }
  })
  resourcegroup = "string"
  sku = {
    capacity = int
    name = "string"
  }
  subscriptionid = "string"
  tags = {
    {customized property} = "string"
  }
}

Property values

IotDpsPropertiesDescription

Name Description Value
allocationPolicy Allocation policy to be used by this provisioning service. 'GeoLatency'
'Hashed'
'Static'
authorizationPolicies List of authorization keys for a provisioning service. SharedAccessSignatureAuthorizationRuleAccessRightsDescription[]
enableDataResidency Optional.
Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery.
bool
iotHubs List of IoT hubs associated with this provisioning service. IotHubDefinitionDescription[]
ipFilterRules The IP filter rules. IpFilterRule[]
portalOperationsHostName Portal endpoint to enable CORS for this provisioning service. string
privateEndpointConnections Private endpoint connections created on this IotHub PrivateEndpointConnection[]
provisioningState The ARM provisioning state of the provisioning service. string
publicNetworkAccess Whether requests from Public Network are allowed 'Disabled'
'Enabled'
state Current state of the provisioning service. 'Activating'
'ActivationFailed'
'Active'
'Deleted'
'Deleting'
'DeletionFailed'
'FailingOver'
'FailoverFailed'
'Resuming'
'Suspended'
'Suspending'
'Transitioning'

IotDpsSkuInfo

Name Description Value
capacity The number of units to provision int
name Sku name. 'S1'

IotHubDefinitionDescription

Name Description Value
allocationWeight weight to apply for a given iot h. int
applyAllocationPolicy flag for applying allocationPolicy or not for a given iot hub. bool
authenticationType IotHub MI authentication type: KeyBased, UserAssigned, SystemAssigned. 'KeyBased'
'SystemAssigned'
'UserAssigned'
connectionString Connection string of the IoT hub. string
location ARM region of the IoT hub. string (required)
selectedUserAssignedIdentityResourceId The selected user-assigned identity resource Id associated with IoT Hub. This is required when authenticationType is UserAssigned. string

IpFilterRule

Name Description Value
action The desired action for requests captured by this rule. 'Accept'
'Reject' (required)
filterName The name of the IP filter rule. string (required)
ipMask A string that contains the IP address range in CIDR notation for the rule. string (required)
target Target for requests captured by this rule. 'all'
'deviceApi'
'serviceApi'

ManagedServiceIdentity

Name Description Value
type Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). 'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. UserAssignedIdentities

Microsoft.Devices/provisioningServices

Name Description Value
etag The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. string
identity The managed identities for a provisioning service. ManagedServiceIdentity
location The resource location. string (required)
name The resource name string (required)
properties Service specific properties for a provisioning service IotDpsPropertiesDescription (required)
resourcegroup The resource group of the resource. string
sku Sku info for a provisioning Service. IotDpsSkuInfo (required)
subscriptionid The subscription id of the resource. string
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Devices/provisioningServices@2025-02-01-preview"

PrivateEndpoint

Name Description Value

PrivateEndpointConnection

Name Description Value
properties The properties of a private endpoint connection PrivateEndpointConnectionProperties (required)

PrivateEndpointConnectionProperties

Name Description Value
privateEndpoint The private endpoint property of a private endpoint connection PrivateEndpoint
privateLinkServiceConnectionState The current state of a private endpoint connection PrivateLinkServiceConnectionState (required)

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired Actions required for a private endpoint connection string
description The description for the current state of a private endpoint connection string (required)
status The status of a private endpoint connection 'Approved'
'Disconnected'
'Pending'
'Rejected' (required)

ResourceTags

Name Description Value

SharedAccessSignatureAuthorizationRuleAccessRightsDescription

Name Description Value
keyName Name of the key. string (required)
primaryKey Primary SAS key value. string
rights Rights that this key has. 'DeviceConnect'
'EnrollmentRead'
'EnrollmentWrite'
'RegistrationStatusRead'
'RegistrationStatusWrite'
'ServiceConfig' (required)
secondaryKey Secondary SAS key value. string

UserAssignedIdentities

Name Description Value

UserAssignedIdentity

Name Description Value