Set up an Azure IoT Hub for Azure Sphere

To use your Azure Sphere devices with the IoT, you can set up an Azure IoT Hub to work with your Azure Sphere tenant. After you have completed the tasks in this section, any device that is claimed by your Azure Sphere tenant will be automatically enrolled in your IoT hub when it first comes online and connects to the Device Provisioning Service (DPS). Therefore, you only need to complete these steps once.


The steps in this section assume that:

  • Your Azure Sphere device is connected to your PC by USB
  • You have an Azure subscription


Setting up an Azure IoT Hub to work with Azure Sphere devices requires a multi-step process:

  1. Create an Azure IoT Hub and DPS in your Azure subscription.
  2. Download the authentication CA certificate for your Azure Sphere tenant from the Azure Sphere Security Service.
  3. Upload the CA certificate to DPS to tell it that you own all devices whose certificates are signed by this CA. In return, the DPS presents a challenge code.
  4. Generate and download a validation certificate from the Azure Sphere Security Service, which signs the challenge code. Upload the validation certificate to prove to DPS that you own the CA.
  5. Create a device enrollment group, which will enroll any newly claimed Azure Sphere device whose certificate is signed by the validated tenant CA.


Although you can create an Azure subscription for no charge, the sign-up process requires you to enter a credit card number. Azure provides several levels of subscription service. By default, the Standard Tier, which requires a monthly service charge, is selected when you create an IoT hub. To avoid a monthly charge, select the Free tier. The Free tier includes the services required to use your device with an IoT hub, including the Device Twin.

If you choose to test an Azure IoT-based application that uses the Device Provisioning Service (DPS), be aware that DPS charges $0.10 per 1000 transactions (ten U.S. cents per one thousand transactions). We expect that the free credit that applies to many new subscriptions will cover any DPS charges, but we recommend that you check the details of your subscription agreement.

Create an Azure IoT Hub and DPS and link them. Do not clean up the resources created in that Quickstart.

Step 2. Download the tenant authentication CA certificate

  1. Open an Azure Sphere Developer Command Prompt, which is available in the Start menu under Azure Sphere.

  2. Sign in with the user for your Azure Active Directory:

    azsphere login

  3. Download the Certificate Authority (CA) certificate for your Azure Sphere tenant:

    azsphere tenant download-CA-certificate --output CAcertificate.cer

    The output file must have the .cer extension.

Step 3. Upload the tenant CA certificate to DPS and generate a verification code

  1. Open the Azure portal and navigate to the DPS you created in Step 1.

  2. Open Certificates from the menu. You might have to scroll down to find it.

    Certificates on DPS menu

  3. Click Add to add a new certificate and enter a friendly display name for your certificate.

  4. Browse to the .cer file you downloaded in Step 2. Click Upload.

  5. After you are notified that the certificate uploaded successfully, click Save.

    Upload certificate

  6. The Certificate Explorer list shows your certificates. Note that the STATUS of the certificate you just created is Unverified. Click on this certificate.

    Unverified CA certificate

  7. In Certificate Details, click Generate Verification Code. The DPS creates a Verification Code that you can use to validate the certificate ownership. Copy the code to your clipboard for use in the next step.

    Verify certificate

Step 4. Verify the tenant CA certificate

  1. Return to the Azure Sphere Developer Command Prompt. Download a validation certificate that proves that you own the tenant CA certificate. The Replace code in the command with the verification code from the previous step.

    azsphere tenant download-validation-certificate --output ValidationCertification.cer --verificationcode <code>

    The Azure Sphere Security Service signs the validation certificate with the verification code to prove to DPS that you own the CA.

  2. Return to the Azure Portal to upload the validation certificate to DPS. In Certificate Details on the Azure portal, use the File Explorer icon next to the Verification Certificate .pem or .cer file field to upload the signed verification certificate. When the certificate is successfully uploaded, click Verify.

    Upload certificate verification

  3. The STATUS of your certificate changes to Verified in the Certificate Explorer list. Click Refresh if it does not update automatically.

Step 5. Use the validation certificate to add your device to an enrollment group

  1. In the Azure portal, select Manage enrollments and then click Add enrollment group.

  2. In the Add Enrollment Group pane, create a name for your enrollment group, select CA Certificate as the Certificate type, and select the certificate that you validated in the previous step.

    Enrollment group in the portal

  3. Click Save. On successful creation of your enrollment group, you should see the group name appear under the Enrollment Groups tab.

Next steps

After you complete these steps, any device that is claimed into your Azure Sphere tenant will be automatically enrolled in your IoT hub when it first connects to your DPS.

You can now run the Azure IoT sample or build your own applications that use your IoT hub.