AZ-220 Provision and manage devices (15-20%)

The Microsoft Global Partner Solutions (GPS) Technical Team, IoT Product Group, IoT Advocates, and Microsoft Worldwide Learning have collaborated to create this guide to help you prepare for the Microsoft Azure IoT Developer exam!

Skills Measured: Provision and Manage Devices

Set up the device provisioning service

Manage the device lifecycle

Manage IoT devices by using IoT Hub

Manage IoT devices by using Azure IoT Central

NOTE: In most cases, exams do NOT cover preview features, and some features will only be added to an exam when they are GA (General Availability).

Provision IoT devices at scale by using the Device Provisioning Service (5 Modules)

Learn about the Device Provisioning Service properties and capabilities, device attestation mechanisms, and device provisioning lifecycle tasks, and implement device enrollment (and disenrollment) using the individual and group enrollment processes.

Manage IoT devices by using IoT Hub and apps (5 Modules)

Learn about device management patterns and the capabilities for device management, including bulk device management, that can be implemented using features of IoT Hub and by developing code.

Build low touch IoT solutions by using Azure IoT Central (4 Modules)

Learn about the Azure IoT Central application platform and the support that it provides to companies with limited budgets and technical resources who are interested in developing, managing, and maintaining IoT solutions.

Quick Reference: Key Concepts and Terminology

  • Device Provisioning Service (DPS) Features:
    • Secure attestation support for X.509 and TPM-based identities
    • A configurable, updatable enrollment list containing the complete record of devices/groups of devices that may at some point register
    • Multiple allocation policies to control how DPS assigns devices to IoT hubs in support of your scenarios: Lowest latency, evenly weighted distribution (default), and static configuration via the enrollment list
    • Monitoring and diagnostics logging to make sure everything is working properly
    • Multi-hub support allows DPS to assign devices to more than one IoT hub (including across subscriptions and regions), with the assignment governed by the configured allocation policy
    • Cross-region support allows DPS to assign devices to IoT hubs in other regions
    • Encryption for data at rest allows data in DPS to be encrypted and decrypted transparently using 256-bit AES encryption
    • Cross-platform support
      - A variety of operating systems
      - SDKs across multiple languages
      - HTTPS, AMQP, and MQTT protocol support (Service SDK is HTTPS only)
  • Service Operations Endpoint – Used for managing DPS and the enrollment list
  • Device Provisioning Endpoint – Single address used for all provisioning, shared across all customers and DPS instances
  • Linked IoT Hubs – Target Azure IoT Hub instances for the DPS
  • Allocation Policy – As previously mentioned, the mapping of device to target Azure IoT Hub
  • Enrollment – The record of a device or group of devices that may register against the DPS
  • Registration – The record of a successful registration/provisioning of a device
  • Operations – The billing unit for DPS; one successfully completed request
  • ID Scope – Differentiates various DPS instances and tenants at the fixed, shared target endpoints
  • Registration ID – Uniquely identifies a device in the DPS instance
  • Device ID – Uniquely identifies a device in the associated IoT Hub instance
  • Attestation mechanism – the way a device proves its identity to the DPS
    • X.509 Certificates – Digital identity based on private/public key pairs and a chain of trust; issued by a certificate authority (CA)
      Certificate rules:
      - Chain must be trusted
      - Group or individual enrollment
      - Individual overrides group
    • TPM nonce challenge
      Trusted Platform Module (TPM) – a specification for storing keys or the interface for communicating with an HSM acting as a TPM; two hardware keys for the TPM:
      - Endorsement key (EK) – unique identifier for the TPM; read-only, injected by the manufacturer
      - Storage root key (SRK) – protects the TPM secrets; generated when a user takes ownership of the TPM
    • Symmetric key
  • Hardware security module (HSM) – used for secure, hardware-based storage of device secrets
  • Individual Enrollments – An individual enrollment is an entry for a single device that may register. Individual enrollments may use either X.509 certificates or SAS tokens (from a physical or virtual TPM) as the attestation mechanism.
  • Group Enrollments – An enrollment group is an entry for a group of devices that share a common attestation mechanism: X.509 certificates signed by the same signing certificate (the root certificate or an intermediate certificate) that was used to produce the device certificate on the physical device.
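As an added illustration (not part of this guide and not Azure's own code), the Python model below encodes the certificate rules listed above (chain must be trusted, group or individual enrollment, individual overrides group) together with the three allocation policies. The `Enrollment` type, the policy names, the linked-hub metrics and the certificate thumbprints are assumptions made for the model; real DPS matches on certificate hashes and uses its own API enum values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Policy names follow the wording of this guide, not the DPS API enum values (assumption).
STATIC, LOWEST_LATENCY, EVENLY_WEIGHTED = "static", "lowest-latency", "evenly-weighted"

@dataclass
class Enrollment:
    kind: str                       # "individual" or "group"
    cert_thumbprint: str            # individual: device (leaf) cert; group: root or intermediate signing cert
    allocation_policy: str
    registration_id: Optional[str] = None   # individual enrollments only
    static_hub: Optional[str] = None        # used when allocation_policy == STATIC

def chain_is_trusted(chain: List[str], verified_cas: Set[str]) -> bool:
    """Rule 'chain must be trusted': some certificate above the leaf is a verified CA."""
    return any(thumb in verified_cas for thumb in chain[1:])

def resolve_enrollment(registration_id: str, chain: List[str],
                       enrollments: List[Enrollment], verified_cas: Set[str]) -> Optional[Enrollment]:
    """Pick the enrollment a device registers against; an individual entry overrides a group entry."""
    if not chain or not chain_is_trusted(chain, verified_cas):
        return None
    for e in enrollments:  # individual: exact match on registration ID and the leaf certificate
        if e.kind == "individual" and e.registration_id == registration_id and e.cert_thumbprint == chain[0]:
            return e
    for e in enrollments:  # group: the group's signing certificate appears in the chain above the leaf
        if e.kind == "group" and e.cert_thumbprint in chain[1:]:
            return e
    return None

def allocate_hub(enrollment: Enrollment, linked_hubs: Dict[str, dict]) -> str:
    """Map the enrollment to one of the linked IoT hubs according to its allocation policy."""
    if enrollment.allocation_policy == STATIC:
        return enrollment.static_hub
    if enrollment.allocation_policy == LOWEST_LATENCY:
        return min(linked_hubs, key=lambda h: linked_hubs[h]["latency_ms"])
    if enrollment.allocation_policy == EVENLY_WEIGHTED:
        return min(linked_hubs, key=lambda h: linked_hubs[h]["device_count"])
    raise ValueError(f"unknown allocation policy: {enrollment.allocation_policy}")

# Constructed sample data: thumbprints are placeholder labels, not real certificate hashes.
VERIFIED_CAS = {"contoso-root"}
ENROLLMENTS = [
    Enrollment("group", "contoso-intermediate", EVENLY_WEIGHTED),
    Enrollment("individual", "dev-001-leaf", STATIC, registration_id="dev-001", static_hub="hub-west"),
]
LINKED_HUBS = {"hub-west": {"latency_ms": 40, "device_count": 900},
               "hub-east": {"latency_ms": 80, "device_count": 120}}

def provision(registration_id: str, chain: List[str]) -> Optional[str]:
    """Enrollment lookup followed by hub allocation; None means the registration is refused."""
    e = resolve_enrollment(registration_id, chain, ENROLLMENTS, VERIFIED_CAS)
    return allocate_hub(e, LINKED_HUBS) if e else None
```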

Other Helpful Resources

Happy studies!