Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Bicep resource definition
The provisioningServices resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Devices/provisioningServices resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Devices/provisioningServices@2025-02-01-preview' = {
scope: resourceSymbolicName or scope
etag: 'string'
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
location: 'string'
name: 'string'
properties: {
allocationPolicy: 'string'
authorizationPolicies: [
{
keyName: 'string'
primaryKey: 'string'
rights: 'string'
secondaryKey: 'string'
}
]
deviceRegistryNamespace: {
authenticationType: 'string'
resourceId: 'string'
selectedUserAssignedIdentityResourceId: 'string'
}
enableDataResidency: bool
iotHubs: [
{
allocationWeight: int
applyAllocationPolicy: bool
connectionString: 'string'
location: 'string'
}
]
ipFilterRules: [
{
action: 'string'
filterName: 'string'
ipMask: 'string'
target: 'string'
}
]
portalOperationsHostName: 'string'
privateEndpointConnections: [
{
properties: {
privateEndpoint: {}
privateLinkServiceConnectionState: {
actionsRequired: 'string'
description: 'string'
status: 'string'
}
}
}
]
provisioningState: 'string'
publicNetworkAccess: 'string'
state: 'string'
}
resourcegroup: 'string'
sku: {
capacity: int
name: 'string'
}
subscriptionid: 'string'
tags: {
{customized property}: 'string'
}
}
Property Values
Microsoft.Devices/provisioningServices
| Name | Description | Value |
|---|---|---|
| etag | The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. | string |
| identity | The managed service identities assigned to this resource. | ManagedServiceIdentity |
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string (required) |
| properties | Service specific properties for a provisioning service | IotDpsPropertiesDescription (required) |
| resourcegroup | The resource group of the resource. | string |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
| sku | Sku info for a provisioning Service. | IotDpsSkuInfo (required) |
| subscriptionid | The subscription id of the resource. | string |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
DeviceRegistryNamespaceDescription
| Name | Description | Value |
|---|---|---|
| authenticationType | Device Registry Namespace MI authentication type: UserAssigned, SystemAssigned. | 'SystemAssigned' 'UserAssigned' (required) |
| resourceId | The ARM resource ID of the Device Registry namespace. | string (required) |
| selectedUserAssignedIdentityResourceId | The selected user-assigned identity resource Id associated with Device Registry namespace. This is required when authenticationType is UserAssigned. | string |
IotDpsPropertiesDescription
| Name | Description | Value |
|---|---|---|
| allocationPolicy | Allocation policy to be used by this provisioning service. | 'GeoLatency' 'Hashed' 'Static' |
| authorizationPolicies | List of authorization keys for a provisioning service. | SharedAccessSignatureAuthorizationRuleAccessRightsDescription[] |
| deviceRegistryNamespace | The Device Registry namespace that is linked to the provisioning service. | DeviceRegistryNamespaceDescription |
| enableDataResidency | Optional. Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery. |
bool |
| iotHubs | List of IoT hubs associated with this provisioning service. | IotHubDefinitionDescription[] |
| ipFilterRules | The IP filter rules. | IpFilterRule[] |
| portalOperationsHostName | Portal endpoint to enable CORS for this provisioning service. | string |
| privateEndpointConnections | Private endpoint connections created on this IotHub | PrivateEndpointConnection[] |
| provisioningState | The ARM provisioning state of the provisioning service. | string |
| publicNetworkAccess | Whether requests from Public Network are allowed | 'Disabled' 'Enabled' |
| state | Current state of the provisioning service. | 'Activating' 'ActivationFailed' 'Active' 'Deleted' 'Deleting' 'DeletionFailed' 'FailingOver' 'FailoverFailed' 'Resuming' 'Suspended' 'Suspending' 'Transitioning' |
IotDpsSkuInfo
| Name | Description | Value |
|---|---|---|
| capacity | The number of units to provision | int |
| name | Sku name. | 'S1' |
IotHubDefinitionDescription
| Name | Description | Value |
|---|---|---|
| allocationWeight | weight to apply for a given iot h. | int |
| applyAllocationPolicy | flag for applying allocationPolicy or not for a given iot hub. | bool |
| connectionString | Connection string of the IoT hub. | string (required) |
| location | ARM region of the IoT hub. | string (required) |
IpFilterRule
| Name | Description | Value |
|---|---|---|
| action | The desired action for requests captured by this rule. | 'Accept' 'Reject' (required) |
| filterName | The name of the IP filter rule. | string (required) |
| ipMask | A string that contains the IP address range in CIDR notation for the rule. | string (required) |
| target | Target for requests captured by this rule. | 'all' 'deviceApi' 'serviceApi' |
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
PrivateEndpoint
| Name | Description | Value |
|---|
PrivateEndpointConnection
| Name | Description | Value |
|---|---|---|
| properties | The properties of a private endpoint connection | PrivateEndpointConnectionProperties (required) |
PrivateEndpointConnectionProperties
| Name | Description | Value |
|---|---|---|
| privateEndpoint | The private endpoint property of a private endpoint connection | PrivateEndpoint |
| privateLinkServiceConnectionState | The current state of a private endpoint connection | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
| Name | Description | Value |
|---|---|---|
| actionsRequired | Actions required for a private endpoint connection | string |
| description | The description for the current state of a private endpoint connection | string (required) |
| status | The status of a private endpoint connection | 'Approved' 'Disconnected' 'Pending' 'Rejected' (required) |
SharedAccessSignatureAuthorizationRuleAccessRightsDescription
| Name | Description | Value |
|---|---|---|
| keyName | Name of the key. | string (required) |
| primaryKey | Primary SAS key value. | string |
| rights | Rights that this key has. | 'DeviceConnect' 'EnrollmentRead' 'EnrollmentWrite' 'RegistrationStatusRead' 'RegistrationStatusWrite' 'ServiceConfig' (required) |
| secondaryKey | Secondary SAS key value. | string |
TrackedResourceTags
| Name | Description | Value |
|---|
UserAssignedIdentities
| Name | Description | Value |
|---|
UserAssignedIdentity
| Name | Description | Value |
|---|
Usage Examples
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Create an IoT Hub Device Provisioning Service | This template enables you to create an IoT hub and an IoT Hub Device Provisioning Service, and link the two services together. |
ARM template resource definition
The provisioningServices resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Devices/provisioningServices resource, add the following JSON to your template.
{
"type": "Microsoft.Devices/provisioningServices",
"apiVersion": "2025-02-01-preview",
"name": "string",
"etag": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"location": "string",
"properties": {
"allocationPolicy": "string",
"authorizationPolicies": [
{
"keyName": "string",
"primaryKey": "string",
"rights": "string",
"secondaryKey": "string"
}
],
"deviceRegistryNamespace": {
"authenticationType": "string",
"resourceId": "string",
"selectedUserAssignedIdentityResourceId": "string"
},
"enableDataResidency": "bool",
"iotHubs": [
{
"allocationWeight": "int",
"applyAllocationPolicy": "bool",
"connectionString": "string",
"location": "string"
}
],
"ipFilterRules": [
{
"action": "string",
"filterName": "string",
"ipMask": "string",
"target": "string"
}
],
"portalOperationsHostName": "string",
"privateEndpointConnections": [
{
"properties": {
"privateEndpoint": {
},
"privateLinkServiceConnectionState": {
"actionsRequired": "string",
"description": "string",
"status": "string"
}
}
}
],
"provisioningState": "string",
"publicNetworkAccess": "string",
"state": "string"
},
"resourcegroup": "string",
"sku": {
"capacity": "int",
"name": "string"
},
"subscriptionid": "string",
"tags": {
"{customized property}": "string"
}
}
Property Values
Microsoft.Devices/provisioningServices
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2025-02-01-preview' |
| etag | The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. | string |
| identity | The managed service identities assigned to this resource. | ManagedServiceIdentity |
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string (required) |
| properties | Service specific properties for a provisioning service | IotDpsPropertiesDescription (required) |
| resourcegroup | The resource group of the resource. | string |
| sku | Sku info for a provisioning Service. | IotDpsSkuInfo (required) |
| subscriptionid | The subscription id of the resource. | string |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Devices/provisioningServices' |
DeviceRegistryNamespaceDescription
| Name | Description | Value |
|---|---|---|
| authenticationType | Device Registry Namespace MI authentication type: UserAssigned, SystemAssigned. | 'SystemAssigned' 'UserAssigned' (required) |
| resourceId | The ARM resource ID of the Device Registry namespace. | string (required) |
| selectedUserAssignedIdentityResourceId | The selected user-assigned identity resource Id associated with Device Registry namespace. This is required when authenticationType is UserAssigned. | string |
IotDpsPropertiesDescription
| Name | Description | Value |
|---|---|---|
| allocationPolicy | Allocation policy to be used by this provisioning service. | 'GeoLatency' 'Hashed' 'Static' |
| authorizationPolicies | List of authorization keys for a provisioning service. | SharedAccessSignatureAuthorizationRuleAccessRightsDescription[] |
| deviceRegistryNamespace | The Device Registry namespace that is linked to the provisioning service. | DeviceRegistryNamespaceDescription |
| enableDataResidency | Optional. Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery. |
bool |
| iotHubs | List of IoT hubs associated with this provisioning service. | IotHubDefinitionDescription[] |
| ipFilterRules | The IP filter rules. | IpFilterRule[] |
| portalOperationsHostName | Portal endpoint to enable CORS for this provisioning service. | string |
| privateEndpointConnections | Private endpoint connections created on this IotHub | PrivateEndpointConnection[] |
| provisioningState | The ARM provisioning state of the provisioning service. | string |
| publicNetworkAccess | Whether requests from Public Network are allowed | 'Disabled' 'Enabled' |
| state | Current state of the provisioning service. | 'Activating' 'ActivationFailed' 'Active' 'Deleted' 'Deleting' 'DeletionFailed' 'FailingOver' 'FailoverFailed' 'Resuming' 'Suspended' 'Suspending' 'Transitioning' |
IotDpsSkuInfo
| Name | Description | Value |
|---|---|---|
| capacity | The number of units to provision | int |
| name | Sku name. | 'S1' |
IotHubDefinitionDescription
| Name | Description | Value |
|---|---|---|
| allocationWeight | weight to apply for a given iot h. | int |
| applyAllocationPolicy | flag for applying allocationPolicy or not for a given iot hub. | bool |
| connectionString | Connection string of the IoT hub. | string (required) |
| location | ARM region of the IoT hub. | string (required) |
IpFilterRule
| Name | Description | Value |
|---|---|---|
| action | The desired action for requests captured by this rule. | 'Accept' 'Reject' (required) |
| filterName | The name of the IP filter rule. | string (required) |
| ipMask | A string that contains the IP address range in CIDR notation for the rule. | string (required) |
| target | Target for requests captured by this rule. | 'all' 'deviceApi' 'serviceApi' |
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
PrivateEndpoint
| Name | Description | Value |
|---|
PrivateEndpointConnection
| Name | Description | Value |
|---|---|---|
| properties | The properties of a private endpoint connection | PrivateEndpointConnectionProperties (required) |
PrivateEndpointConnectionProperties
| Name | Description | Value |
|---|---|---|
| privateEndpoint | The private endpoint property of a private endpoint connection | PrivateEndpoint |
| privateLinkServiceConnectionState | The current state of a private endpoint connection | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
| Name | Description | Value |
|---|---|---|
| actionsRequired | Actions required for a private endpoint connection | string |
| description | The description for the current state of a private endpoint connection | string (required) |
| status | The status of a private endpoint connection | 'Approved' 'Disconnected' 'Pending' 'Rejected' (required) |
SharedAccessSignatureAuthorizationRuleAccessRightsDescription
| Name | Description | Value |
|---|---|---|
| keyName | Name of the key. | string (required) |
| primaryKey | Primary SAS key value. | string |
| rights | Rights that this key has. | 'DeviceConnect' 'EnrollmentRead' 'EnrollmentWrite' 'RegistrationStatusRead' 'RegistrationStatusWrite' 'ServiceConfig' (required) |
| secondaryKey | Secondary SAS key value. | string |
TrackedResourceTags
| Name | Description | Value |
|---|
UserAssignedIdentities
| Name | Description | Value |
|---|
UserAssignedIdentity
| Name | Description | Value |
|---|
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Create an IOT Hub and Ubuntu edge simulator |
This template creates an IOT Hub and Virtual Machine Ubuntu edge simulator. |
| Create an IoT Hub Device Provisioning Service |
This template enables you to create an IoT hub and an IoT Hub Device Provisioning Service, and link the two services together. |
Terraform (AzAPI provider) resource definition
The provisioningServices resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Devices/provisioningServices resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Devices/provisioningServices@2025-02-01-preview"
name = "string"
parent_id = "string"
identity {
type = "string"
identity_ids = [
"string"
]
}
location = "string"
tags = {
{customized property} = "string"
}
body = {
etag = "string"
properties = {
allocationPolicy = "string"
authorizationPolicies = [
{
keyName = "string"
primaryKey = "string"
rights = "string"
secondaryKey = "string"
}
]
deviceRegistryNamespace = {
authenticationType = "string"
resourceId = "string"
selectedUserAssignedIdentityResourceId = "string"
}
enableDataResidency = bool
iotHubs = [
{
allocationWeight = int
applyAllocationPolicy = bool
connectionString = "string"
location = "string"
}
]
ipFilterRules = [
{
action = "string"
filterName = "string"
ipMask = "string"
target = "string"
}
]
portalOperationsHostName = "string"
privateEndpointConnections = [
{
properties = {
privateEndpoint = {
}
privateLinkServiceConnectionState = {
actionsRequired = "string"
description = "string"
status = "string"
}
}
}
]
provisioningState = "string"
publicNetworkAccess = "string"
state = "string"
}
resourcegroup = "string"
sku = {
capacity = int
name = "string"
}
subscriptionid = "string"
}
}
Property Values
Microsoft.Devices/provisioningServices
| Name | Description | Value |
|---|---|---|
| etag | The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. | string |
| identity | The managed service identities assigned to this resource. | ManagedServiceIdentity |
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | Service specific properties for a provisioning service | IotDpsPropertiesDescription (required) |
| resourcegroup | The resource group of the resource. | string |
| sku | Sku info for a provisioning Service. | IotDpsSkuInfo (required) |
| subscriptionid | The subscription id of the resource. | string |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Devices/provisioningServices@2025-02-01-preview" |
DeviceRegistryNamespaceDescription
| Name | Description | Value |
|---|---|---|
| authenticationType | Device Registry Namespace MI authentication type: UserAssigned, SystemAssigned. | 'SystemAssigned' 'UserAssigned' (required) |
| resourceId | The ARM resource ID of the Device Registry namespace. | string (required) |
| selectedUserAssignedIdentityResourceId | The selected user-assigned identity resource Id associated with Device Registry namespace. This is required when authenticationType is UserAssigned. | string |
IotDpsPropertiesDescription
| Name | Description | Value |
|---|---|---|
| allocationPolicy | Allocation policy to be used by this provisioning service. | 'GeoLatency' 'Hashed' 'Static' |
| authorizationPolicies | List of authorization keys for a provisioning service. | SharedAccessSignatureAuthorizationRuleAccessRightsDescription[] |
| deviceRegistryNamespace | The Device Registry namespace that is linked to the provisioning service. | DeviceRegistryNamespaceDescription |
| enableDataResidency | Optional. Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery. |
bool |
| iotHubs | List of IoT hubs associated with this provisioning service. | IotHubDefinitionDescription[] |
| ipFilterRules | The IP filter rules. | IpFilterRule[] |
| portalOperationsHostName | Portal endpoint to enable CORS for this provisioning service. | string |
| privateEndpointConnections | Private endpoint connections created on this IotHub | PrivateEndpointConnection[] |
| provisioningState | The ARM provisioning state of the provisioning service. | string |
| publicNetworkAccess | Whether requests from Public Network are allowed | 'Disabled' 'Enabled' |
| state | Current state of the provisioning service. | 'Activating' 'ActivationFailed' 'Active' 'Deleted' 'Deleting' 'DeletionFailed' 'FailingOver' 'FailoverFailed' 'Resuming' 'Suspended' 'Suspending' 'Transitioning' |
IotDpsSkuInfo
| Name | Description | Value |
|---|---|---|
| capacity | The number of units to provision | int |
| name | Sku name. | 'S1' |
IotHubDefinitionDescription
| Name | Description | Value |
|---|---|---|
| allocationWeight | weight to apply for a given iot h. | int |
| applyAllocationPolicy | flag for applying allocationPolicy or not for a given iot hub. | bool |
| connectionString | Connection string of the IoT hub. | string (required) |
| location | ARM region of the IoT hub. | string (required) |
IpFilterRule
| Name | Description | Value |
|---|---|---|
| action | The desired action for requests captured by this rule. | 'Accept' 'Reject' (required) |
| filterName | The name of the IP filter rule. | string (required) |
| ipMask | A string that contains the IP address range in CIDR notation for the rule. | string (required) |
| target | Target for requests captured by this rule. | 'all' 'deviceApi' 'serviceApi' |
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
PrivateEndpoint
| Name | Description | Value |
|---|
PrivateEndpointConnection
| Name | Description | Value |
|---|---|---|
| properties | The properties of a private endpoint connection | PrivateEndpointConnectionProperties (required) |
PrivateEndpointConnectionProperties
| Name | Description | Value |
|---|---|---|
| privateEndpoint | The private endpoint property of a private endpoint connection | PrivateEndpoint |
| privateLinkServiceConnectionState | The current state of a private endpoint connection | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
| Name | Description | Value |
|---|---|---|
| actionsRequired | Actions required for a private endpoint connection | string |
| description | The description for the current state of a private endpoint connection | string (required) |
| status | The status of a private endpoint connection | 'Approved' 'Disconnected' 'Pending' 'Rejected' (required) |
SharedAccessSignatureAuthorizationRuleAccessRightsDescription
| Name | Description | Value |
|---|---|---|
| keyName | Name of the key. | string (required) |
| primaryKey | Primary SAS key value. | string |
| rights | Rights that this key has. | 'DeviceConnect' 'EnrollmentRead' 'EnrollmentWrite' 'RegistrationStatusRead' 'RegistrationStatusWrite' 'ServiceConfig' (required) |
| secondaryKey | Secondary SAS key value. | string |
TrackedResourceTags
| Name | Description | Value |
|---|
UserAssignedIdentities
| Name | Description | Value |
|---|
UserAssignedIdentity
| Name | Description | Value |
|---|
Usage Examples
Terraform Samples
A basic example of deploying IoT Device Provisioning Service.
terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
}
}
provider "azapi" {
skip_provider_registration = false
}
variable "resource_name" {
type = string
default = "acctest0001"
}
variable "location" {
type = string
default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
name = var.resource_name
location = var.location
}
resource "azapi_resource" "provisioningService" {
type = "Microsoft.Devices/provisioningServices@2022-02-05"
parent_id = azapi_resource.resourceGroup.id
name = var.resource_name
location = var.location
body = {
properties = {
allocationPolicy = "Hashed"
enableDataResidency = false
iotHubs = [
]
publicNetworkAccess = "Enabled"
}
sku = {
capacity = 1
name = "S1"
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}