Cloud configuration tasks

After the product that contains the Azure Sphere device is finalized but before it is shipped, you must configure the device for network and cloud-loading. Cloud configuration requires the following information:

The PC that you use for cloud configuration must be connected to the internet, but it is not required to be connected to each chip.

The following steps are required for cloud configuration:

  1. Claim the chip
  2. Configure cloud software deployments
  3. Verify the cloud configuration

These steps are critical to the continued operation of the device at the customer site.

Claim the chip

Each Azure Sphere chip has a unique and immutable device identifier, called its device ID. The silicon manufacturer creates the device ID, stores it on the chip, and registers it with Microsoft. This device registration ensures that Microsoft is aware of all Azure Sphere chips and that only legitimate chips can be used in connected devices. As part of the factory-floor process, you should record the device IDs of all Azure Sphere chips that your company receives.

You must also claim the Azure Sphere chips in all your connected devices. Claiming involves moving the Azure Sphere chip to your organization's cloud tenant, so that both your organization and Microsoft can identify the chip's owner. Claiming ensures that all data associated with the chip resides in your tenant and is protected by your security policies. A chip must be claimed before it can communicate with Azure Sphere Security Service. Such communication, in turn, allows the chip to receive the software updates that you specify and to obtain certificates that are required for authentication to an Azure IoT Hub and other cloud-based services.

The Manufacturing Samples package contains sample scripts that claim multiple manufactured devices in parallel and assign them to a device group for cloud-loading, which is required before they ship. Please contact your Microsoft representative if you need this package.

Internet connectivity is not required to obtain device IDs but is required for claiming. You can record the device IDs, store them on the factory floor, and then transfer the IDs to a different computer later for claiming. To claim one or more chips, use the following command. On Windows, you must use an Azure Sphere Developer Command Prompt.

azsphere device claim --deviceid <GUID>

Replace <GUID> with the device ID of the chip you want to claim.


You may claim the Azure Sphere chip any time during the manufacturing process; the chip need not be incorporated into a connected device at the time of claiming. You must claim the Azure Sphere chip before you set up deployments, verify the cloud configuration, and ship the connected device.

Configure cloud deployments

Cloud deployments update the Azure Sphere device OS and your production application software.

To receive the correct software updates, the Azure Sphere device must have a product and belong to a device group that permits deployments. See Deployment basics to learn about products, device groups, and deployments. Assign both the product and the device group before shipping the connected device.

If you haven't already created a product for this model of connected device, create one as follows:

azsphere product create --name <product-name> --description <product description>

Replace <product-name> with an alphanumeric name for the product and <product-description> with a human-readable description. Enclose any strings that contain spaces in quotation marks. The product name must be unique within your Azure Sphere tenant. When you create a product, Azure Sphere creates default device groups for the product. You can use these device groups or create your own.

To assign the product to a device and a device group within that product, use the azsphere device update command. The following shows how to add a device to the default Production device group, which enables cloud updates and is appropriate for connected products at end-user sites. For example:

azsphere device update --devicegroupname Production --productname DW100

This command assigns a single attached device to the Production group for the DW100 product.


You must configure cloud application updates before you ship your product. If you sideload an application on the factory floor but do not configure cloud application update, the Azure Sphere Security Service will remotely erase the sideloaded application the first time the device connects to the internet. As a result, your customers will lose functionality. In addition, be sure to verify the configuration, as described in the next section.

Verify the cloud configuration

As a final step before shipping, verify the cloud configuration for each device. This step checks that the Azure Sphere Security Service targets the images you expect for this device. To find out which images will be downloaded for a particular device, use the azsphere device image list-targeted command:

azsphere device image list-targeted --deviceid <GUID>

Replace <GUID> with the device ID for the device you're checking. The targeted images should be the same as the production-signed images that you sideloaded during manufacturing. The output shows the image set ID and name along with the IDs of the individual images in the image set. For example:

Successfully retrieved the current image set for device with ID 'ABCDEF82513B529C45098884F882B2CA6D832587CAAE1A90B1CEC4A376EA2F22A96C4E7E1FC4D2AFF5633B68DB68FF4420A5588B420851EE4F3F1A7DC5ABCDEF' from your Azure Sphere tenant:
 --> ID:   [6e9cdc9d-c9ca-4080-9f95-b77599b4095a]
 --> Name: 'ImageSet-Mt3620Blink1-2018.07.19-18.15.42'
Images to be installed:
 --> [ID: 116c0bc5-be17-47f9-88af-8f3410fe7efa]
Command completed successfully in 00:00:04.2733444.