Automatic device provisioning with Azure IoT Hub using Mender

In IoT, while data protection concerns still exist they mainly extend further into the physical world and most often geographically dispersed at large scale with heavy reliance on battery and wireless connectivity. Therefore, it inherently becomes harder to securely manage IoT devices as compared to other environments such as servers, laptops and desktops that are locally deployed. To ensure security of devices, they must be updated frequently with the latest software and security patches. Software updated remotely if implemented poorly can provide additional attack vectors to already existing device vulnerabilities.

IoT cloud platforms offer a broad range of service offerings to ingest, analyze and integrate data generated by devices into business applications. Azure IoT Hub is a hosted service in the cloud that acts as a central message hub for communication between applications and its attached devices. You can connect millions of devices and their backend solutions reliably and securely.

Mender 3.2 allows to automate the inclusion of new devices into your Azure IoT Hub account having a simpler provisioning workflow by adding them into Mender. The devices added to Mender automatically provisioned and authenticated with Azure IoT Hub.


What follows in this section is a tutorial explaining how to integrate Azure IoT Hub with Mender. In order to follow this tutorial step-by-step you will need to have the prerequisites. Please keep in mind that you can use other devices and configurations but you will need to tweak them by yourself.


A Mender account

If you don’t have an active Mender account, you can try Mender for Free. Sign up and connect up to 10 devices free for 12 months – no credit card required.

A Microsoft Azure account

If you don’t have a Microsoft Azure account, you can create one for free following this Microsoft website. There is a free trial for Azure, and Azure IoT Hub also has a free tier which you can take a look at this website for more information. They also offer a welcome credit that you can use for testing purposes.

A Raspberry Pi

You can use a Raspberry Pi 3 (Model B or B+) or 4, in this tutorial I will use a Raspberry Pi 4 Model B. Also, get a SD Card of at least 8 GB.

Initial setup

Let’s configure our RaspberryPi with Mender

Just follow this quick start guide provided in the official’s Mender documentation and you will be ready to go. Just follow from Step 1 to 6. We are going to run step 7 later on this tutorial so keep the tab open.

Creating your Azure IoT Hub instance

CLI Approach

You only need to run the commands below. Please be aware these ones are based on their docs:

  • Enable the Azure IoT Hub
$ az extension add --upgrade --name azure-iot
  • Create a resource group. Change for MenderResourceGroup your favorite name
$ az group create --name MenderResourceGroup --location eastus
  • Create an IoT Hub you can change the name. In this example we set it as MenderIoTHub
$ az iot hub create --resource-group MenderResourceGroup --name MenderIoTHub

Web Approach

You can follow this step by step tutorial full of images and just ignore the Register a new device in the IoT hub section as we are going to start the automation from this point.

Configuring the automatic device provisioning from Mender to Azure IoT Hub

Getting the connection-string from Azure CLI

You can grab your connection string as follows:

$ az iot hub connection-string show --hub-name MenderIoTHub

The output will look like this;SharedAccessKeyName=iothubowner;SharedAccessKey=<alphanumericKey>0=

Getting the connection-string from Azure IoT Hub webpage

Using the Azure’s Web interface, you only need to get the connection-string as described in here.

You will need to Click on the left panel Shared access policies under the Security settings, then in the iothubowner policy and finally to copy the value from the Primary connection string.

Adding the connection-string to your Mender server

First go to the upper right corner and click on your username and then on Settings. On the left panel click on Integrations and then click on Add a new integration.

Select the Azure IoT Hub option.

And paste in the input the connection string you got from IoT Hub. Then click on SAVE.

Mender provisions the devices in Azure IoT Hub - as a result of this operation, Azure device connection string is retrieved by Mender server.

Testing the integration

In this example, you can see that we have 2 devices already in the pending state.

As soon as you accept one of them, it will become part of your fleet in Mender and it will get added to your devices in the IoT Hub automatically. Notice how the Id given to the device in Mender represents also the name given in Azure IoT Hub.

You can add as many devices as needed. In the following image you will realize we added one more device that is another Raspberry Pi 3. Also this one is running a Yocto-based image. You can learn how to develop Yocto-based images following this tutorial.

Please notice that after provisioning the device by using Mender, devices will acquire their unique symmetric key needed for work properly in the Azure IoT Hub environment.

As a side comment, if a device gets rejected in Mender, it is automatically set to disabled state in Azure IoT Hub. If the device gets decommissioned, it is automatically deleted from Azure IoT Hub.


Combining Mender and Azure IoT Hub provides with a secure device lifecycle management through single pane of glass with the following key integration benefits:

  • Reduce user operational complexity to provision devices
  • Prevent having to compromise on security by keeping devices updated with Mender while seamlessly integrating them with Azure solutions
  • Capability to correlate analytics from Azure with past software update deployments from Mender

To watch a video on this integration and learn more, visit Mender-Azure IoT Hub partner page. Get more support by joining the Mender Hub open source community.


Azure IoTHUB DPS supports 2 types of client device authentication

  1. Security token structure
  2. Certificate based authentication

The method explained above is using Security Token but does mender support Certificate based authentication DPS scenario?

Hey there! I’m Nahuel and I’m new to the mender community.

I see it has been more than an year since the last reply and I wanted to know if there is any update on the matter.

In this demo from 2019, although not show, it’s mentioned that there is an Azure function in charge of connecting the two clouds, Azure and hosted mender. Is there any documentation about that?

We are currently considering using mender in our solution stack and it would be interesting to know how well is currently mender integrating to Azure DPS.

If I messed up by replying in this thread, please let me know where to post it and I’ll correct it. Thanks!

Hello @nahuel,

My apologies I did not see this message. We rely in connection strings as described in here

The docs can be found in here Azure IoT Hub integration | Mender documentation.

Hope it still helps,