Bicep resource definition
The provisioningServices resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Devices/provisioningServices resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Devices/provisioningServices@2025-02-01-preview' = {
  etag: 'string'
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    allocationPolicy: 'string'
    authorizationPolicies: [
      {
        keyName: 'string'
        primaryKey: 'string'
        rights: 'string'
        secondaryKey: 'string'
      }
    ]
    enableDataResidency: bool
    iotHubs: [
      {
        allocationWeight: int
        applyAllocationPolicy: bool
        authenticationType: 'string'
        connectionString: 'string'
        location: 'string'
        selectedUserAssignedIdentityResourceId: 'string'
      }
    ]
    ipFilterRules: [
      {
        action: 'string'
        filterName: 'string'
        ipMask: 'string'
        target: 'string'
      }
    ]
    portalOperationsHostName: 'string'
    privateEndpointConnections: [
      {
        properties: {
          privateEndpoint: {}
          privateLinkServiceConnectionState: {
            actionsRequired: 'string'
            description: 'string'
            status: 'string'
          }
        }
      }
    ]
    provisioningState: 'string'
    publicNetworkAccess: 'string'
    state: 'string'
  }
  resourcegroup: 'string'
  sku: {
    capacity: int
    name: 'string'
  }
  subscriptionid: 'string'
  tags: {
    {customized property}: 'string'
  }
}
```
Property Values
IotDpsPropertiesDescription
Name | Description | Value |
---|---|---|
allocationPolicy | Allocation policy to be used by this provisioning service. | 'GeoLatency' 'Hashed' 'Static' |
authorizationPolicies | List of authorization keys for a provisioning service. | SharedAccessSignatureAuthorizationRuleAccessRightsDescription[] |
enableDataResidency | Optional. Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery. | bool |
iotHubs | List of IoT hubs associated with this provisioning service. | IotHubDefinitionDescription[] |
ipFilterRules | The IP filter rules. | IpFilterRule[] |
portalOperationsHostName | Portal endpoint to enable CORS for this provisioning service. | string |
privateEndpointConnections | Private endpoint connections created on this IotHub | PrivateEndpointConnection[] |
provisioningState | The ARM provisioning state of the provisioning service. | string |
publicNetworkAccess | Whether requests from Public Network are allowed | 'Disabled' 'Enabled' |
state | Current state of the provisioning service. | 'Activating' 'ActivationFailed' 'Active' 'Deleted' 'Deleting' 'DeletionFailed' 'FailingOver' 'FailoverFailed' 'Resuming' 'Suspended' 'Suspending' 'Transitioning' |
IotDpsSkuInfo
Name | Description | Value |
---|---|---|
capacity | The number of units to provision | int |
name | Sku name. | 'S1' |
IotHubDefinitionDescription
Name | Description | Value |
---|---|---|
allocationWeight | weight to apply for a given iot h. | int |
applyAllocationPolicy | flag for applying allocationPolicy or not for a given iot hub. | bool |
authenticationType | IotHub MI authentication type: KeyBased, UserAssigned, SystemAssigned. | 'KeyBased' 'SystemAssigned' 'UserAssigned' |
connectionString | Connection string of the IoT hub. | string |
location | ARM region of the IoT hub. | string (required) |
selectedUserAssignedIdentityResourceId | The selected user-assigned identity resource Id associated with IoT Hub. This is required when authenticationType is UserAssigned. | string |
IpFilterRule
Name | Description | Value |
---|---|---|
action | The desired action for requests captured by this rule. | 'Accept' 'Reject' (required) |
filterName | The name of the IP filter rule. | string (required) |
ipMask | A string that contains the IP address range in CIDR notation for the rule. | string (required) |
target | Target for requests captured by this rule. | 'all' 'deviceApi' 'serviceApi' |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
Microsoft.Devices/provisioningServices
Name | Description | Value |
---|---|---|
etag | The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. | string |
identity | The managed identities for a provisioning service. | ManagedServiceIdentity |
location | The resource location. | string (required) |
name | The resource name | string (required) |
properties | Service specific properties for a provisioning service | IotDpsPropertiesDescription (required) |
resourcegroup | The resource group of the resource. | string |
sku | Sku info for a provisioning Service. | IotDpsSkuInfo (required) |
subscriptionid | The subscription id of the resource. | string |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
PrivateEndpoint
Name | Description | Value |
---|---|---|
PrivateEndpointConnection
Name | Description | Value |
---|---|---|
properties | The properties of a private endpoint connection | PrivateEndpointConnectionProperties (required) |
PrivateEndpointConnectionProperties
Name | Description | Value |
---|---|---|
privateEndpoint | The private endpoint property of a private endpoint connection | PrivateEndpoint |
privateLinkServiceConnectionState | The current state of a private endpoint connection | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
Name | Description | Value |
---|---|---|
actionsRequired | Actions required for a private endpoint connection | string |
description | The description for the current state of a private endpoint connection | string (required) |
status | The status of a private endpoint connection | 'Approved' 'Disconnected' 'Pending' 'Rejected' (required) |
ResourceTags
Name | Description | Value |
---|---|---|
SharedAccessSignatureAuthorizationRuleAccessRightsDescription
Name | Description | Value |
---|---|---|
keyName | Name of the key. | string (required) |
primaryKey | Primary SAS key value. | string |
rights | Rights that this key has. | 'DeviceConnect' 'EnrollmentRead' 'EnrollmentWrite' 'RegistrationStatusRead' 'RegistrationStatusWrite' 'ServiceConfig' (required) |
secondaryKey | Secondary SAS key value. | string |
UserAssignedIdentities
Name | Description | Value |
---|---|---|
UserAssignedIdentity
Name | Description | Value |
---|---|---|
Usage Examples
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
Bicep File | Description |
---|---|
Create an IoT Hub Device Provisioning Service | This template enables you to create an IoT hub and an IoT Hub Device Provisioning Service, and link the two services together. |
ARM template resource definition
The provisioningServices resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Devices/provisioningServices resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Devices/provisioningServices",
  "apiVersion": "2025-02-01-preview",
  "name": "string",
  "etag": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "allocationPolicy": "string",
    "authorizationPolicies": [
      {
        "keyName": "string",
        "primaryKey": "string",
        "rights": "string",
        "secondaryKey": "string"
      }
    ],
    "enableDataResidency": "bool",
    "iotHubs": [
      {
        "allocationWeight": "int",
        "applyAllocationPolicy": "bool",
        "authenticationType": "string",
        "connectionString": "string",
        "location": "string",
        "selectedUserAssignedIdentityResourceId": "string"
      }
    ],
    "ipFilterRules": [
      {
        "action": "string",
        "filterName": "string",
        "ipMask": "string",
        "target": "string"
      }
    ],
    "portalOperationsHostName": "string",
    "privateEndpointConnections": [
      {
        "properties": {
          "privateEndpoint": {
          },
          "privateLinkServiceConnectionState": {
            "actionsRequired": "string",
            "description": "string",
            "status": "string"
          }
        }
      }
    ],
    "provisioningState": "string",
    "publicNetworkAccess": "string",
    "state": "string"
  },
  "resourcegroup": "string",
  "sku": {
    "capacity": "int",
    "name": "string"
  },
  "subscriptionid": "string",
  "tags": {
    "{customized property}": "string"
  }
}
```
Property Values
IotDpsPropertiesDescription
Name | Description | Value |
---|---|---|
allocationPolicy | Allocation policy to be used by this provisioning service. | 'GeoLatency' 'Hashed' 'Static' |
authorizationPolicies | List of authorization keys for a provisioning service. | SharedAccessSignatureAuthorizationRuleAccessRightsDescription[] |
enableDataResidency | Optional. Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery. | bool |
iotHubs | List of IoT hubs associated with this provisioning service. | IotHubDefinitionDescription[] |
ipFilterRules | The IP filter rules. | IpFilterRule[] |
portalOperationsHostName | Portal endpoint to enable CORS for this provisioning service. | string |
privateEndpointConnections | Private endpoint connections created on this IotHub | PrivateEndpointConnection[] |
provisioningState | The ARM provisioning state of the provisioning service. | string |
publicNetworkAccess | Whether requests from Public Network are allowed | 'Disabled' 'Enabled' |
state | Current state of the provisioning service. | 'Activating' 'ActivationFailed' 'Active' 'Deleted' 'Deleting' 'DeletionFailed' 'FailingOver' 'FailoverFailed' 'Resuming' 'Suspended' 'Suspending' 'Transitioning' |
IotDpsSkuInfo
Name | Description | Value |
---|---|---|
capacity | The number of units to provision | int |
name | Sku name. | 'S1' |
IotHubDefinitionDescription
Name | Description | Value |
---|---|---|
allocationWeight | weight to apply for a given iot h. | int |
applyAllocationPolicy | flag for applying allocationPolicy or not for a given iot hub. | bool |
authenticationType | IotHub MI authentication type: KeyBased, UserAssigned, SystemAssigned. | 'KeyBased' 'SystemAssigned' 'UserAssigned' |
connectionString | Connection string of the IoT hub. | string |
location | ARM region of the IoT hub. | string (required) |
selectedUserAssignedIdentityResourceId | The selected user-assigned identity resource Id associated with IoT Hub. This is required when authenticationType is UserAssigned. | string |
IpFilterRule
Name | Description | Value |
---|---|---|
action | The desired action for requests captured by this rule. | 'Accept' 'Reject' (required) |
filterName | The name of the IP filter rule. | string (required) |
ipMask | A string that contains the IP address range in CIDR notation for the rule. | string (required) |
target | Target for requests captured by this rule. | 'all' 'deviceApi' 'serviceApi' |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
Microsoft.Devices/provisioningServices
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2025-02-01-preview' |
etag | The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. | string |
identity | The managed identities for a provisioning service. | ManagedServiceIdentity |
location | The resource location. | string (required) |
name | The resource name | string (required) |
properties | Service specific properties for a provisioning service | IotDpsPropertiesDescription (required) |
resourcegroup | The resource group of the resource. | string |
sku | Sku info for a provisioning Service. | IotDpsSkuInfo (required) |
subscriptionid | The subscription id of the resource. | string |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.Devices/provisioningServices' |
PrivateEndpoint
Name | Description | Value |
---|---|---|
PrivateEndpointConnection
Name | Description | Value |
---|---|---|
properties | The properties of a private endpoint connection | PrivateEndpointConnectionProperties (required) |
PrivateEndpointConnectionProperties
Name | Description | Value |
---|---|---|
privateEndpoint | The private endpoint property of a private endpoint connection | PrivateEndpoint |
privateLinkServiceConnectionState | The current state of a private endpoint connection | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
Name | Description | Value |
---|---|---|
actionsRequired | Actions required for a private endpoint connection | string |
description | The description for the current state of a private endpoint connection | string (required) |
status | The status of a private endpoint connection | 'Approved' 'Disconnected' 'Pending' 'Rejected' (required) |
ResourceTags
Name | Description | Value |
---|---|---|
SharedAccessSignatureAuthorizationRuleAccessRightsDescription
Name | Description | Value |
---|---|---|
keyName | Name of the key. | string (required) |
primaryKey | Primary SAS key value. | string |
rights | Rights that this key has. | 'DeviceConnect' 'EnrollmentRead' 'EnrollmentWrite' 'RegistrationStatusRead' 'RegistrationStatusWrite' 'ServiceConfig' (required) |
secondaryKey | Secondary SAS key value. | string |
UserAssignedIdentities
Name | Description | Value |
---|---|---|
UserAssignedIdentity
Name | Description | Value |
---|---|---|
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
Template | Description |
---|---|
Create an IOT Hub and Ubuntu edge simulator | This template creates an IOT Hub and Virtual Machine Ubuntu edge simulator. |
Create an IoT Hub Device Provisioning Service | This template enables you to create an IoT hub and an IoT Hub Device Provisioning Service, and link the two services together. |
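An added example, not part of the original reference: a Python check over the ARM template form of this resource that flags the properties listed above that carry secrets (`primaryKey`, `secondaryKey`, `connectionString`) or leave the service reachable from any network (`publicNetworkAccess`, `ipFilterRules`). The sample template, its resource names and the treatment of an omitted `publicNetworkAccess` as not disabled are assumptions of this example.

```python
import ipaddress

DPS_TYPE = "Microsoft.Devices/provisioningServices"

def is_literal(value):
    """True for a hard-coded string; ARM expressions start with '[' ('[[' escapes a literal)."""
    if not isinstance(value, str) or not value:
        return False
    return not value.startswith("[") or value.startswith("[[")

def audit_dps(resource):
    """Return findings for one provisioningServices resource from an ARM template."""
    name, props, out = resource.get("name", "?"), resource.get("properties", {}), []
    for pol in props.get("authorizationPolicies", []):
        for field in ("primaryKey", "secondaryKey"):
            if is_literal(pol.get(field)):
                out.append(f"{name}: authorizationPolicies '{pol.get('keyName')}' has a literal {field}")
    for i, hub in enumerate(props.get("iotHubs", [])):
        auth = hub.get("authenticationType")
        if auth not in ("SystemAssigned", "UserAssigned"):
            out.append(f"{name}: iotHubs[{i}] is not linked with a managed identity")
        elif auth == "UserAssigned" and not hub.get("selectedUserAssignedIdentityResourceId"):
            out.append(f"{name}: iotHubs[{i}] is UserAssigned without selectedUserAssignedIdentityResourceId")
        conn = hub.get("connectionString")
        if is_literal(conn) and "SharedAccessKey=" in conn:
            out.append(f"{name}: iotHubs[{i}] connectionString embeds a shared access key")
    rules = props.get("ipFilterRules", [])
    # An omitted publicNetworkAccess is treated as not disabled (assumption of this check).
    if props.get("publicNetworkAccess") != "Disabled" and not rules:
        out.append(f"{name}: public network access without any ipFilterRules")
    for rule in rules:
        mask = rule.get("ipMask")
        if rule.get("action") != "Accept" or not is_literal(mask):
            continue  # Reject rules and parameterised masks are not judged here
        try:
            net = ipaddress.ip_network(mask, strict=False)
        except ValueError:
            out.append(f"{name}: ipFilterRules '{rule.get('filterName')}' has an invalid ipMask")
            continue
        if net.prefixlen == 0:
            out.append(f"{name}: ipFilterRules '{rule.get('filterName')}' accepts every address")
    return out

def audit_template(template):
    """Audit every provisioningServices resource in a parsed ARM template."""
    return [f for res in template.get("resources", [])
            if str(res.get("type", "")).lower() == DPS_TYPE.lower()
            for f in audit_dps(res)]

# Constructed sample template (keys and host names are placeholders, not real values).
SAMPLE = {"resources": [
    {"type": DPS_TYPE, "name": "dps-weak", "properties": {
        "authorizationPolicies": [{"keyName": "ops", "rights": "ServiceConfig", "primaryKey": "PLACEHOLDER"}],
        "iotHubs": [{"location": "westeurope", "authenticationType": "KeyBased", "connectionString":
                     "HostName=example.invalid;SharedAccessKeyName=x;SharedAccessKey=PLACEHOLDER"}],
        "publicNetworkAccess": "Enabled",
        "ipFilterRules": [{"filterName": "any", "action": "Accept", "ipMask": "0.0.0.0/0", "target": "all"}]}},
    {"type": DPS_TYPE, "name": "dps-hardened", "properties": {
        "iotHubs": [{"location": "westeurope", "authenticationType": "UserAssigned",
                     "selectedUserAssignedIdentityResourceId": "[parameters('hubIdentityId')]",
                     "connectionString": "[parameters('hubConnection')]"}],
        "publicNetworkAccess": "Disabled"}}]}

if __name__ == "__main__":
    print("\n".join(audit_template(SAMPLE)))
```

Run against a parsed template with `audit_template(json.load(f))`; values supplied through `[parameters(...)]` expressions are not inspected, so parameter files need their own review.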
Terraform (AzAPI provider) resource definition
The provisioningServices resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Devices/provisioningServices resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Devices/provisioningServices@2025-02-01-preview"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    etag = "string"
    properties = {
      allocationPolicy = "string"
      authorizationPolicies = [
        {
          keyName = "string"
          primaryKey = "string"
          rights = "string"
          secondaryKey = "string"
        }
      ]
      enableDataResidency = bool
      iotHubs = [
        {
          allocationWeight = int
          applyAllocationPolicy = bool
          authenticationType = "string"
          connectionString = "string"
          location = "string"
          selectedUserAssignedIdentityResourceId = "string"
        }
      ]
      ipFilterRules = [
        {
          action = "string"
          filterName = "string"
          ipMask = "string"
          target = "string"
        }
      ]
      portalOperationsHostName = "string"
      privateEndpointConnections = [
        {
          properties = {
            privateEndpoint = {
            }
            privateLinkServiceConnectionState = {
              actionsRequired = "string"
              description = "string"
              status = "string"
            }
          }
        }
      ]
      provisioningState = "string"
      publicNetworkAccess = "string"
      state = "string"
    }
    resourcegroup = "string"
    sku = {
      capacity = int
      name = "string"
    }
    subscriptionid = "string"
  }
}
```
Property Values
IotDpsPropertiesDescription
Name | Description | Value |
---|---|---|
allocationPolicy | Allocation policy to be used by this provisioning service. | 'GeoLatency' 'Hashed' 'Static' |
authorizationPolicies | List of authorization keys for a provisioning service. | SharedAccessSignatureAuthorizationRuleAccessRightsDescription[] |
enableDataResidency | Optional. Indicates if the DPS instance has Data Residency enabled, removing the cross geo-pair disaster recovery. | bool |
iotHubs | List of IoT hubs associated with this provisioning service. | IotHubDefinitionDescription[] |
ipFilterRules | The IP filter rules. | IpFilterRule[] |
portalOperationsHostName | Portal endpoint to enable CORS for this provisioning service. | string |
privateEndpointConnections | Private endpoint connections created on this IotHub | PrivateEndpointConnection[] |
provisioningState | The ARM provisioning state of the provisioning service. | string |
publicNetworkAccess | Whether requests from Public Network are allowed | 'Disabled' 'Enabled' |
state | Current state of the provisioning service. | 'Activating' 'ActivationFailed' 'Active' 'Deleted' 'Deleting' 'DeletionFailed' 'FailingOver' 'FailoverFailed' 'Resuming' 'Suspended' 'Suspending' 'Transitioning' |
IotDpsSkuInfo
Name | Description | Value |
---|---|---|
capacity | The number of units to provision | int |
name | Sku name. | 'S1' |
IotHubDefinitionDescription
Name | Description | Value |
---|---|---|
allocationWeight | weight to apply for a given iot h. | int |
applyAllocationPolicy | flag for applying allocationPolicy or not for a given iot hub. | bool |
authenticationType | IotHub MI authentication type: KeyBased, UserAssigned, SystemAssigned. | 'KeyBased' 'SystemAssigned' 'UserAssigned' |
connectionString | Connection string of the IoT hub. | string |
location | ARM region of the IoT hub. | string (required) |
selectedUserAssignedIdentityResourceId | The selected user-assigned identity resource Id associated with IoT Hub. This is required when authenticationType is UserAssigned. | string |
IpFilterRule
Name | Description | Value |
---|---|---|
action | The desired action for requests captured by this rule. | 'Accept' 'Reject' (required) |
filterName | The name of the IP filter rule. | string (required) |
ipMask | A string that contains the IP address range in CIDR notation for the rule. | string (required) |
target | Target for requests captured by this rule. | 'all' 'deviceApi' 'serviceApi' |
ManagedServiceIdentity
Name | Description | Value |
---|---|---|
type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
Microsoft.Devices/provisioningServices
Name | Description | Value |
---|---|---|
etag | The Etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal ETag convention. | string |
identity | The managed identities for a provisioning service. | ManagedServiceIdentity |
location | The resource location. | string (required) |
name | The resource name | string (required) |
properties | Service specific properties for a provisioning service | IotDpsPropertiesDescription (required) |
resourcegroup | The resource group of the resource. | string |
sku | Sku info for a provisioning Service. | IotDpsSkuInfo (required) |
subscriptionid | The subscription id of the resource. | string |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.Devices/provisioningServices@2025-02-01-preview" |
PrivateEndpoint
Name | Description | Value |
---|---|---|
PrivateEndpointConnection
Name | Description | Value |
---|---|---|
properties | The properties of a private endpoint connection | PrivateEndpointConnectionProperties (required) |
PrivateEndpointConnectionProperties
Name | Description | Value |
---|---|---|
privateEndpoint | The private endpoint property of a private endpoint connection | PrivateEndpoint |
privateLinkServiceConnectionState | The current state of a private endpoint connection | PrivateLinkServiceConnectionState (required) |
PrivateLinkServiceConnectionState
Name | Description | Value |
---|---|---|
actionsRequired | Actions required for a private endpoint connection | string |
description | The description for the current state of a private endpoint connection | string (required) |
status | The status of a private endpoint connection | 'Approved' 'Disconnected' 'Pending' 'Rejected' (required) |
ResourceTags
Name | Description | Value |
---|---|---|
SharedAccessSignatureAuthorizationRuleAccessRightsDescription
Name | Description | Value |
---|---|---|
keyName | Name of the key. | string (required) |
primaryKey | Primary SAS key value. | string |
rights | Rights that this key has. | 'DeviceConnect' 'EnrollmentRead' 'EnrollmentWrite' 'RegistrationStatusRead' 'RegistrationStatusWrite' 'ServiceConfig' (required) |
secondaryKey | Secondary SAS key value. | string |
UserAssignedIdentities
Name | Description | Value |
---|---|---|
UserAssignedIdentity
Name | Description | Value |
---|---|---|