az iot dps enrollment
Note
This reference is part of the azure-iot extension for the Azure CLI (version 2.59.0 or higher). The extension will automatically install the first time you run an az iot dps enrollment command. Learn more about extensions.
Manage individual device enrollments in an Azure IoT Hub Device Provisioning Service.
Commands
| Name | Description | Type | Status | 
|---|---|---|---|
| az iot dps enrollment create | Create an individual device enrollment in an Azure IoT Hub Device Provisioning Service. | Extension | GA | 
| az iot dps enrollment delete | Delete an individual device enrollment in an Azure IoT Hub Device Provisioning Service. | Extension | GA | 
| az iot dps enrollment list | List individual device enrollments in an Azure IoT Hub Device Provisioning Service. | Extension | GA | 
| az iot dps enrollment registration | Manage service-side device registrations for an individual enrollment in an Azure IoT Hub Device Provisioning Service. | Extension | GA | 
| az iot dps enrollment registration delete | Delete a device registration for an individual enrollment in an Azure IoT Hub Device Provisioning Service. | Extension | GA | 
| az iot dps enrollment registration show | Get a device registration for an individual enrollment in an Azure IoT Hub Device Provisioning Service. | Extension | GA | 
| az iot dps enrollment show | Get individual device enrollment details in an Azure IoT Hub Device Provisioning Service. | Extension | GA | 
| az iot dps enrollment update | Update an individual device enrollment in an Azure IoT Hub Device Provisioning Service. | Extension | GA | 
az iot dps enrollment create
Create an individual device enrollment in an Azure IoT Hub Device Provisioning Service.
Please provide certificate format using Base64 ASCII encoding and the certificate should have matching BEGIN and END segments, for example: start with '-----BEGIN CERTIFICATE-----' and end with '-----END CERTIFICATE-----'.
az iot dps enrollment create --at --attestation-type {symmetricKey, tpm, x509}
                             --eid --enrollment-id
                             [--allocation-policy --ap {custom, geoLatency, hashed, static}]
                             [--api-version --av]
                             [--auth-type {key, login}]
                             [--certificate-path --cp]
                             [--device-id]
                             [--device-information --info]
                             [--dps-name]
                             [--edge-enabled --ee {false, true}]
                             [--ek --endorsement-key]
                             [--ih --iot-hubs]
                             [--initial-twin-properties --props]
                             [--initial-twin-tags --tags]
                             [--login]
                             [--pk --primary-key]
                             [--provisioning-status --ps {disabled, enabled}]
                             [--reprovision-policy --rp {never, reprovisionandmigratedata, reprovisionandresetdata}]
                             [--resource-group]
                             [--scp --secondary-certificate-path]
                             [--secondary-key --sk]
                             [--webhook-url --wh]
Examples
Create an enrollment '{enrollment_id}' with attestation type 'x509' in the Azure IoT Device Provisioning Service '{dps_name}' in the resource group '{resource_group_name}' with provisioning status 'disabled', device id '{device_id}', initial twin properties '{"location":{"region":"US"}}', initial twin tags '{"version":"1"}', and device information '{"color":"red"}'.
az iot dps enrollment create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --attestation-type x509 --certificate-path /certificates/Certificate.pem --provisioning-status disabled --initial-twin-properties "{'location':{'region':'US'}}" --initial-twin-tags "{'version':'1'}" --device-information "{'color':'red'}" --device-id {device_id}
Create an enrollment 'MyEnrollment' with attestation type 'tpm' in the Azure IoT Device Provisioning Service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --attestation-type tpm --endorsement-key 14963E8F3BA5B3984110B3C1CA8E8B89
Create an enrollment 'MyEnrollment' with attestation type 'symmetrickey' in the Azure IoT Device Provisioning service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --attestation-type symmetrickey --primary-key {primary_key} --secondary-key {secondary_key}
Create an enrollment 'MyEnrollment' with reprovision in the Azure IoT Device Provisioning service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --attestation-type tpm --reprovision-policy {reprovision_type} --endorsement-key 14963E8F3BA5B3984110B3C1CA8E8B89
Create an enrollment 'MyEnrollment' with static allocation policy in the Azure IoT Device Provisioning service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --attestation-type tpm --allocation-policy static --endorsement-key 14963E8F3BA5B3984110B3C1CA8E8B89 --iot-hubs {iot_hub_host_name}
Create an enrollment 'MyEnrollment' with hashed allocation policy and multiple hubs in the Azure IoT Device Provisioning service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --attestation-type tpm --allocation-policy hashed --endorsement-key 14963E8F3BA5B3984110B3C1CA8E8B89 --iot-hubs {iot_hub_host_name1} {iot_hub_host_name2}
Create an enrollment 'MyEnrollment' with custom allocation policy,
az iot dps enrollment create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --attestation-type symmetrickey --allocation-policy custom --webhook-url {webhook_url} --api-version {api_version}
Required Parameters
Attestation Mechanism used for authentication to the DPS.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
| Accepted values: | symmetricKey, tpm, x509 | 
Individual device enrollment ID.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Type of allocation policy to determine how a device is assigned to an IoT Hub. If not provided, the allocation policy will be the current allocation policy default set for the Device Provisioning Service instance.
| Property | Value | 
|---|---|
| Parameter group: | Allocation Policy Arguments | 
| Accepted values: | custom, geoLatency, hashed, static | 
The API version of the provisioning service types sent in the custom allocation request. Minimum supported version: 2018-09-01-preview.
| Property | Value | 
|---|---|
| Parameter group: | Allocation Policy Arguments | 
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed. You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}.
| Property | Value | 
|---|---|
| Parameter group: | Access Control Arguments | 
| Default value: | key | 
| Accepted values: | key, login | 
The path to the file containing the primary certificate. Required when choosing x509 as attestation type and the secondary certificate path is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
Device ID registered in the IoT Hub.
Optional device information.
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
Flag indicating edge enablement.
| Property | Value | 
|---|---|
| Default value: | False | 
| Accepted values: | false, true | 
TPM endorsement key for a TPM device. When choosing tpm as attestation type, endorsement key is required.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
Host name of target IoT Hub associated with the allocation policy. Use space-separated list for multiple IoT Hubs.
| Property | Value | 
|---|---|
| Parameter group: | Allocation Policy Arguments | 
Initial device twin properties.
Initial device twin tags.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
The primary symmetric shared access key stored in base64 format.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
Enable or disable enrollment entry.
| Property | Value | 
|---|---|
| Accepted values: | disabled, enabled | 
Policy to determine how device data should be handled on re-provision to a different IoT Hub.
| Property | Value | 
|---|---|
| Accepted values: | never, reprovisionandmigratedata, reprovisionandresetdata | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The path to the file containing the secondary certificate. Required when choosing x509 as attestation type and the primary certificate path is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
The secondary symmetric shared access key stored in base64 format.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
The Azure Function webhook URL used for custom allocation requests.
| Property | Value | 
|---|---|
| Parameter group: | Allocation Policy Arguments | 
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az iot dps enrollment delete
Delete an individual device enrollment in an Azure IoT Hub Device Provisioning Service.
az iot dps enrollment delete --eid --enrollment-id
                             [--auth-type {key, login}]
                             [--dps-name]
                             [--etag]
                             [--login]
                             [--resource-group]
Required Parameters
Individual device enrollment ID.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed. You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}.
| Property | Value | 
|---|---|
| Parameter group: | Access Control Arguments | 
| Default value: | key | 
| Accepted values: | key, login | 
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
Etag or entity tag corresponding to the last state of the resource. If no etag is provided the value '*' is used.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az iot dps enrollment list
List individual device enrollments in an Azure IoT Hub Device Provisioning Service.
az iot dps enrollment list [--auth-type {key, login}]
                           [--dps-name]
                           [--login]
                           [--resource-group]
                           [--top]
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed. You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}.
| Property | Value | 
|---|---|
| Parameter group: | Access Control Arguments | 
| Default value: | key | 
| Accepted values: | key, login | 
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Maximum number of elements to return. Use -1 for unlimited.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az iot dps enrollment show
Get individual device enrollment details in an Azure IoT Hub Device Provisioning Service.
az iot dps enrollment show --eid --enrollment-id
                           [--auth-type {key, login}]
                           [--dps-name]
                           [--keys --show-keys {false, true}]
                           [--login]
                           [--resource-group]
Examples
Basic usage
az iot dps enrollment show --dps-name {dps_name} -g {resource_group} --enrollment-id {enrollment_id}
Include full attestation information in results for a symmetric key enrollment
az iot dps enrollment show --dps-name {dps_name} -g {resource_group} --enrollment-id {symmetric_key_enrollment_id} --show-keys
Required Parameters
Individual device enrollment ID.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed. You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}.
| Property | Value | 
|---|---|
| Parameter group: | Access Control Arguments | 
| Default value: | key | 
| Accepted values: | key, login | 
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
Include attestation keys and information in enrollment results.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az iot dps enrollment update
Update an individual device enrollment in an Azure IoT Hub Device Provisioning Service.
Please provide certificate format using Base64 ASCII encoding and the certificate should have matching BEGIN and END segments, for example: start with '-----BEGIN CERTIFICATE-----' and end with '-----END CERTIFICATE-----'.
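The BEGIN/END requirement stated for both `create` and `update` can be checked before a file is handed to `--certificate-path` or `--secondary-certificate-path`. The script below is an added example, not part of the azure-iot extension: the function names, exit codes and sample files are constructed for illustration, and it checks only the PEM framing and the leading DER tag, not that the content is a valid X.509 certificate.

```bash
#!/usr/bin/env bash
# Pre-flight check for a PEM file before it is used as an enrollment certificate.
# Exit codes (chosen for this example): 0 ok, 2 unreadable, 3 BEGIN/END mismatch,
# 4 text outside the markers, 5 non-base64 body, 6 decode failure, 7 not DER.

PEM_BEGIN='-----BEGIN CERTIFICATE-----'
PEM_END='-----END CERTIFICATE-----'

check_pem() {
    local file=$1 body first rc=0
    [ -r "$file" ] || return 2

    # Single pass: markers must pair up, the file must start with BEGIN and
    # end with END, and only base64 characters may appear between them.
    body=$(awk -v b="$PEM_BEGIN" -v e="$PEM_END" '
        { sub(/\r$/, "") }                          # tolerate CRLF files
        /^[ \t]*$/         { next }                 # ignore blank lines
        $0 == b && inside  { rc = 3; exit }         # BEGIN inside an open block
        $0 == b            { inside = 1; blocks++; next }
        $0 == e && !inside { rc = 3; exit }         # END without a BEGIN
        $0 == e            { inside = 0; next }
        !inside            { rc = 4; exit }         # text outside the markers
        $0 !~ /^[A-Za-z0-9+\/=]+$/ { rc = 5; exit }
        blocks == 1        { printf "%s", $0 }      # body of the first block only
        END { if (!rc && (inside || !blocks)) rc = 3; exit rc + 0 }
    ' "$file") || rc=$?
    [ "$rc" -eq 0 ] || return "$rc"

    # The body must decode, and a DER-encoded certificate starts with an
    # ASN.1 SEQUENCE tag (0x30).
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 6
    first=$(printf '%s' "$body" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    [ "$first" = 30 ] || return 7
    return 0
}

# Constructed sample files. MAMCAQE= is base64 for a 5-byte DER SEQUENCE
# (30 03 02 01 01); it is a stand-in, not a real certificate.
write_samples() {
    local d=$1 der='MAMCAQE='
    printf '%s\n'   "$PEM_BEGIN" "$der" "$PEM_END"                  > "$d/good.pem"
    printf '%s\r\n' "$PEM_BEGIN" "$der" "$PEM_END"                  > "$d/crlf.pem"
    printf '%s\n'   "$PEM_BEGIN" "$der"                             > "$d/no_end.pem"
    printf '%s\n'   'Bag Attributes' "$PEM_BEGIN" "$der" "$PEM_END" > "$d/leading_text.pem"
    printf '%s\n'   "$PEM_BEGIN" 'MAM*AQE=' "$PEM_END"              > "$d/bad_chars.pem"
    printf '%s\n'   "$PEM_BEGIN" 'AAAA' "$PEM_END"                  > "$d/not_der.pem"
}

# Run the check over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.pem; do
    check_pem "$f" && echo "ok    ${f##*/}" || echo "fail  ${f##*/} (rc=$?)"
done
rm -rf "$tmp"
```

A file that passes still needs a full parse, for example with `openssl x509 -noout -in <file>`, to confirm it is a certificate.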
az iot dps enrollment update --eid --enrollment-id
                             [--allocation-policy --ap {custom, geoLatency, hashed, static}]
                             [--api-version --av]
                             [--auth-type {key, login}]
                             [--certificate-path --cp]
                             [--device-id]
                             [--device-information --info]
                             [--dps-name]
                             [--edge-enabled --ee {false, true}]
                             [--ek --endorsement-key]
                             [--etag]
                             [--ih --iot-hubs]
                             [--initial-twin-properties --props]
                             [--initial-twin-tags --tags]
                             [--login]
                             [--pk --primary-key]
                             [--provisioning-status --ps {disabled, enabled}]
                             [--rc --remove-certificate {false, true}]
                             [--remove-secondary-certificate --rsc {false, true}]
                             [--reprovision-policy --rp {never, reprovisionandmigratedata, reprovisionandresetdata}]
                             [--resource-group]
                             [--scp --secondary-certificate-path]
                             [--secondary-key --sk]
                             [--webhook-url --wh]
Examples
Update enrollment '{enrollment_id}' with a new x509 certificate in the Azure IoT Device Provisioning Service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --certificate-path /certificates/NewCertificate.pem --etag AAAAAAAAAAA=
Update enrollment '{enrollment_id}' with a new endorsement key in the Azure IoT Device Provisioning Service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --endorsement-key 14963E8F3BA5B3984110B3C1CA8E8B89 --etag AAAAAAAAAAA=
Update enrollment '{enrollment_id}' with a new primary key in the Azure IoT Device Provisioning Service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --primary-key {new_primary_key} --etag AAAAAAAAAAA=
Update enrollment '{enrollment_id}' with a new reprovision type in the Azure IoT Device Provisioning Service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --reprovision-policy {reprovision_type} --etag AAAAAAAAAAA=
Update enrollment '{enrollment_id}' with a new allocation policy in the Azure IoT Device Provisioning Service '{dps_name}' in the resource group '{resource_group_name}'.
az iot dps enrollment update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --allocation-policy geolatency --etag AAAAAAAAAAA= --iot-hubs {iot_hub_host_name1} {iot_hub_host_name2} {iot_hub_host_name3}
Update enrollment '{enrollment_id}' in the Azure IoT Device Provisioning Service '{dps_name}' in the resource group '{resource_group_name}' with initial twin properties '{"location":{"region":"USA"}}', initial twin tags '{"version":"2"}', and device information '{"color":"red"}'.
az iot dps enrollment update -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --initial-twin-properties "{'location':{'region':'USA'}}" --initial-twin-tags "{'version1':'2'}" --device-information "{'color':'red'}"
Required Parameters
Individual device enrollment ID.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Type of allocation policy to determine how a device is assigned to an IoT Hub. If not provided, the allocation policy will be the current allocation policy default set for the Device Provisioning Service instance.
| Property | Value | 
|---|---|
| Parameter group: | Allocation Policy Arguments | 
| Accepted values: | custom, geoLatency, hashed, static | 
The API version of the provisioning service types sent in the custom allocation request. Minimum supported version: 2018-09-01-preview.
| Property | Value | 
|---|---|
| Parameter group: | Allocation Policy Arguments | 
Indicates whether the operation should auto-derive a policy key or use the current Azure AD session. If the authentication type is login and the resource hostname is provided, resource lookup will be skipped unless needed. You can configure the default using az configure --defaults iotdps-data-auth-type={auth-type-value}.
| Property | Value | 
|---|---|
| Parameter group: | Access Control Arguments | 
| Default value: | key | 
| Accepted values: | key, login | 
The path to the file containing the primary certificate.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
Device ID registered in the IoT Hub.
Optional device information.
Name or hostname of the Azure IoT Hub Device Provisioning Service. Required if --login is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
Flag indicating edge enablement.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
TPM endorsement key for a TPM device.
Etag or entity tag corresponding to the last state of the resource. If no etag is provided the value '*' is used.
Host name of target IoT Hub associated with the allocation policy. Use space-separated list for multiple IoT Hubs.
| Property | Value | 
|---|---|
| Parameter group: | Allocation Policy Arguments | 
Initial device twin properties.
Initial device twin tags.
This command supports an entity connection string with rights to perform action. Use to avoid session login via "az login". If both an entity connection string and name are provided the connection string takes priority. Required if --dps-name is not provided.
| Property | Value | 
|---|---|
| Parameter group: | Device Provisioning Service Identifier Arguments | 
The primary symmetric shared access key stored in base64 format.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
Enable or disable enrollment entry.
| Property | Value | 
|---|---|
| Accepted values: | disabled, enabled | 
Flag to remove current primary certificate.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
| Accepted values: | false, true | 
Flag to remove current secondary certificate.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
| Accepted values: | false, true | 
Policy to determine how device data should be handled on re-provision to a different IoT Hub.
| Property | Value | 
|---|---|
| Accepted values: | never, reprovisionandmigratedata, reprovisionandresetdata | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The path to the file containing the secondary certificate.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
The secondary symmetric shared access key stored in base64 format.
| Property | Value | 
|---|---|
| Parameter group: | Authentication Arguments | 
The Azure Function webhook URL used for custom allocation requests.
| Property | Value | 
|---|---|
| Parameter group: | Allocation Policy Arguments | 
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False |