az iot hub device-identity list --hub-name <iot-hub-name> --resource-group <resource-group> --output tableDevice identity
A device identity is the IoT Hub identity registry entry that represents a permitted device or module, including its device ID, authentication material, status, and connection-related metadata.
Source: Microsoft Learn - Understand the Azure IoT Hub identity registry Reviewed 2026-05-13
- Exam trap
- Changing production before checking the exact Azure scope, owner, identity, destination, and rollback or recovery procedure.
- Production check
- Can you name the Azure scope, owner, resource ID, dependency, and rollback or recovery path without guessing?
Article details and learning context
- Aliases
- IoT Hub device identity, IoT device registry identity, device registry entry, IoT device ID
- Difficulty
- fundamentals
- CLI mappings
- 4
- Last verified
- 2026-05-13
Understand the concept
In plain English
Device identity is the IoT Hub registry entry that represents a device allowed to authenticate and connect to an IoT solution. In Azure, it helps teams control which devices may connect, how they authenticate, whether they are enabled, and how lifecycle actions are audited. Plainly, it is a named part of the architecture that operators can point to when they need evidence, ownership, and a safe change path. A useful glossary entry should explain where it appears, what it controls, what depends on it, and which signal proves it is healthy.
Why it matters
Device identity matters because a small Azure setting can shape customer experience, security posture, operational visibility, and incident recovery. When it is shallowly documented, teams may troubleshoot the wrong service, queue, device, policy, deployment, workspace, or destination while the real dependency remains hidden. In enterprise Azure work, the value is shared language: application, platform, security, data, finance, and operations teams can discuss the same object without guessing. That reduces incident time, improves audit quality, clarifies ownership, and makes production changes safer because failure modes and graph relationships are visible before change. Treat Device identity as production owned when customer traffic, regulated data, device fleets, shared infrastructure, or release automation depends on it.
Technical context
Technically, Device identity appears in IoT Hub identity registry, device IDs, authentication settings, device connection strings, device status, Device Provisioning Service enrollments, and device twin records and interacts with Azure IoT Hub, Device Provisioning Service, Device Twin, and Azure Monitor. Configuration is reviewed through device ID, authentication type, enabled or disabled status, and primary key, while operators validate live state through identity registry entry, connection state, device status, and last activity time. Scope determines which permissions, logs, commands, and dependencies matter.
Exam context
Compare with
Where it is used
Where you see it
- In IoT Hub, device identity appears in the identity registry before a device or module can authenticate and send telemetry during production review when operators collect repeatable evidence.
- In device lifecycle work, it appears when hardware is onboarded, disabled, rotated, repaired, transferred, or retired during production review when operators collect repeatable evidence before the change is approved.
- In incident response, it appears when a suspicious device must be disabled without deleting telemetry history or operational evidence during production review when operators collect repeatable evidence.
Common situations
- Register a device so it can connect to IoT Hub.
- Disable a compromised or retired device identity.
- Troubleshoot devices that cannot authenticate or report twin state.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Device identity in action for water utility IoT Scenario, objectives, solution, measured impact, and takeaway.
TerraPump Utilities, a water utility IoT organization, needed to address field sensors were replaced without a reliable process for disabling old identities. The architecture team used Device identity as the control point for a measurable production improvement.
- Disable retired devices within one hour
- Prevent duplicate device IDs
- Keep telemetry evidence for maintenance review
The IoT team defined device identity lifecycle steps for installation, replacement, and retirement. Technicians requested new identities through an approved workflow, while operations disabled old identities rather than deleting them immediately. Device twin and diagnostic logs linked the identity to location and service history. The team validated Device identity in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership. Runbooks were updated so support engineers could identify the correct scope, identity, dependency, telemetry signal, and approval record without asking the original implementer. The final design connected governance with day-to-day engineering work, which made the change understandable to security, operations, finance, and application stakeholders. The team validated Device identity in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership.
- Retired device disablement improved to under forty minutes
- Duplicate ID incidents stopped after rollout
- Maintenance auditors retained connection and telemetry evidence
Device identity gives IoT teams a controlled way to manage which physical assets may connect.
Scenario 02 Device identity in action for pharmaceutical logistics Scenario, objectives, solution, measured impact, and takeaway.
ColdChain Metrics, a pharmaceutical logistics organization, needed to address temperature trackers failed to reconnect after regional warehouse maintenance. The architecture team used Device identity as the control point for a measurable production improvement.
- Identify blocked device identities quickly
- Reduce lost telemetry windows below fifteen minutes
- Separate identity failures from network failures
Operators used device identity checks to confirm whether trackers were enabled and correctly registered in IoT Hub. Connection failures were compared with device twin state, Event Hubs ingestion, and network maintenance windows. Disabled identities were restored through change control after confirming device ownership. The team validated Device identity in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership. Runbooks were updated so support engineers could identify the correct scope, identity, dependency, telemetry signal, and approval record without asking the original implementer. The final design connected governance with day-to-day engineering work, which made the change understandable to security, operations, finance, and application stakeholders. The team validated Device identity in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership.
- Average reconnect investigation time fell 67 percent
- Telemetry gaps stayed below the compliance threshold
- Network and identity incidents were separated in reports
Device identity evidence prevents teams from blaming the network when the registry entry is the actual blocker.
Scenario 03 Device identity in action for agricultural robotics Scenario, objectives, solution, measured impact, and takeaway.
VectorFarm Robotics, a agricultural robotics organization, needed to address robot fleets needed secure onboarding before seasonal expansion across multiple farms. The architecture team used Device identity as the control point for a measurable production improvement.
- Register 4,000 devices with traceable ownership
- Rotate credentials without field downtime
- Block unauthorized devices from sending telemetry
Architects used IoT Hub device identities with approved naming, ownership tags, and key rotation runbooks. Device Provisioning Service handled onboarding for new robots, while identity registry checks identified unexpected devices. Monitor alerts flagged repeated connection attempts from disabled identities. The team validated Device identity in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership. Runbooks were updated so support engineers could identify the correct scope, identity, dependency, telemetry signal, and approval record without asking the original implementer. The final design connected governance with day-to-day engineering work, which made the change understandable to security, operations, finance, and application stakeholders. The team validated Device identity in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership.
- All seasonal devices had assigned owners
- Credential rotation completed without service interruption
- Unauthorized telemetry attempts were blocked at connection time
A device identity is the first enforceable boundary between an IoT platform and a physical device.
Azure CLI
CLI checks for Device identity are useful because they turn portal assumptions into repeatable evidence. Start with read-only commands that show scope, state, owner, permissions, destinations, deployment settings, or device records. Run mutating, security-impacting, or cost-impacting commands only after approval, because the wrong scope can affect production availability, spend, access, or telemetry.
Useful for
- Register a device so it can connect to IoT Hub.
- Disable a compromised or retired device identity.
- Troubleshoot devices that cannot authenticate or report twin state.
Before you run a command
- Run az account show, confirm tenant and subscription, and verify the operator identity has approved read access for the exact Azure scope.
- Confirm resource group, service name, resource ID, environment, owner, and change record before collecting evidence or modifying production configuration.
- Prefer read-only commands first; review any command that creates deployments, changes policy, alters device access, or routes telemetry before running it.
What the output tells you
- Whether the resource, setting, device, deployment, policy, queue, or API Management object exists at the expected Azure scope.
- Which state, target, timestamp, SKU, identity, destination, count, property, or compliance result is visible to the operator.
- Whether the issue is wrong scope, stale configuration, missing permissions, broken telemetry routing, policy drift, device provisioning failure, or release mismatch.
Mapped commands
Device identity operational checks
directaz iot hub device-identity show --hub-name <iot-hub-name> --device-id <device-id>az iot hub device-identity create --hub-name <iot-hub-name> --device-id <device-id>az iot hub device-identity update --hub-name <iot-hub-name> --device-id <device-id> --set status=disabledArchitecture context
Device identity belongs to Internet of Things architecture decisions where identity, monitoring, cost ownership, reliability, and production support need shared evidence.
- Security
- Security for Device identity starts with least privilege, trusted configuration, and evidence that access matches workload risk. Review device credentials, key rotation, disabled status, least-privilege registry access, and certificate trust before approving production use. A common failure is assuming that a working feature, successful deployment, connected device, or populated log destination proves the configuration is safe. Use Microsoft Entra groups, managed identities, RBAC, private connectivity, diagnostic logging, source-controlled definitions, and approval records where applicable. Keep exceptions ticketed, time-bounded, and owned. For regulated workloads, align the term with classification, retention, break-glass, and incident-response procedures. Remove broad access, stale keys, unreviewed contributors, and undocumented exception paths before Device identity becomes an incident path.
- Cost
- Cost for Device identity appears through compute capacity, transaction volume, diagnostic retention, policy remediation, storage consumption, API exposure, message retries, device fleet operations, and the human effort required to recover from mistakes. Review orphaned identities, excess telemetry, support investigation, failed connection retries, and device fleet cleanup before expanding production use. Some costs are direct, such as retained logs, provisioned capacity, storage transactions, or queue processing; others are indirect, such as failed releases, duplicated troubleshooting, emergency restores, and support escalation. Tag related resources, monitor usage, and separate exploratory work from production. A cost review should connect spend to a real owner and measurable value.
- Reliability
- Reliability for Device identity depends on repeatable configuration, tested dependencies, and clear failure signals. Watch device lifecycle state, reconnect behavior, duplicate IDs, provisioning alignment, and registry sync because drift often appears later as failed releases, missing telemetry, stuck messages, failed device provisioning, unavailable APIs, or confusing support evidence. Use lower environments, source-controlled definitions where possible, deployment validation, monitoring, and recovery notes before changing production. Operators should know which resource, endpoint, queue, policy, workspace, device, or downstream application fails first and which metric or log proves the failure. The goal is predictable recovery: detect Device identity drift, preserve service, restore safely, and explain the incident without guessing.
- Performance
- Performance for Device identity depends on workload shape, service limits, data volume, network path, diagnostic destination, policy evaluation, device scale, queue behavior, deployment capacity, and the monitoring path used to confirm success. Review connection churn, registry query time, telemetry ingestion rate, device reconnect storms, and identity lookup behavior before increasing capacity or retrying blindly. The better fix might be correcting partitioning, reducing log noise, warming an endpoint, tuning queue visibility, selecting a different deployment type, or moving telemetry to a better destination. Measure under representative production conditions. Operators should connect symptoms to evidence: latency, throttling, backlog, failed operations, dropped logs, or stale state.
- Operations
- Operations for Device identity should focus on ownership, observability, and safe repeatability. Standardize names, tags, owner groups, environment labels, diagnostic destinations, runbook links, approval records, and change windows so support teams do not reverse-engineer the platform during incidents. Use read-only CLI, API, policy, diagnostic, or portal checks first, then compare live state with intended configuration. For production, connect alerts, audit events, cost records, graph links, and release notes to the same term. The support question should be simple: who owns it, what changed, and what proves the current state?. Capture owner, scope, evidence, and recovery procedure before changing Device identity in a production environment.
Common mistakes
- Changing production before checking the exact Azure scope, owner, identity, destination, and rollback or recovery procedure.
- Treating a portal screenshot as sufficient evidence when CLI output, activity logs, diagnostics, and source-controlled configuration are repeatable.
- Assuming a name match proves the correct resource when subscriptions, regions, products, device IDs, queues, and workspaces can look similar.