Access control of Azure IoT Edge device management - azure-iot-hub

Is it possible to restrict management of IoT edge devices by groups or some filtering criteria?
The scenario would be that we have different sites with different edge devices deployed to these sites. We have a single IoT hub for the organization. Is it possible to restrict management to only certain devices within the IoT hub, or would we require different IoT hubs by site to do this?

Related

Does an Azure IoT Hub Maintain both an device twin and a digital twin?

From https://learn.microsoft.com/en-us/azure/iot-develop/concepts-digital-twin#device-twins-and-digital-twins, it says "Along with a digital twin, Azure IoT Hub also maintains a device twin for every connected device. A device twin is similar to a digital twin in that it's a representation of a device's properties. An IoT hub initializes a digital twin and a device twin the first time an IoT Plug and Play device is provisioned".
I'm trying to understand where the digital twins and the device twins are kept. Are they part of the Azure IoT Hub?
There's another Azure service called Azure Digital Twins (https://azure.microsoft.com/en-us/products/digital-twins/). Is that where the IoT digital twins are kept? Even though I can see some devices and device twins in my Azure IoT Hub, I don't see any digital twins in Azure Digital Twins.
Your Azure IoT Hub maintains both the device twin and the digital twin - as the article you referenced describes, they use different JSON representations of the device state. There are separate APIs for each.
Azure Digital Twins is a separate Azure service that extends the concept of the digital twins maintained by IoT Hub. In ADT, the model can represent complex clients, such as smart buildings.

Azure IoT Edge: How to monitor the edge module (install) state for all devices on IoT hub

Is it possible to read events from IoT hubs in a way that we receive all status changes for IoT edge module installs? Possibly by receiving state changes to the edge agent reported properties of all connected devices?
Background: We are allowing users to "install" applications (represented by edge modules) on their edge devices on the fly through our own portal. We want to monitor changes to IoT devices and their modules, and note the changes in our database, so we can flag the corresponding apps as installed, removed, or failed.
Right now I can only find Event Grid based events for device connected / disconnected events. I can also see that I can manually query the desired properties of each edge device's edge agent separately. But since we will have a large number of edge devices connected (>5000), polling them all just to see if something changed is not feasible.
Are the edge agent status changes of all IoT edge devices available as an event stream somewhere? Or is there a better solution?
IoT Edge's integration with Azure Monitor may help (docs). It has a module view that shows which modules are running and their availability. Since all the data is available in Log Analytics, you can create custom visualizations and processes using the data.
The module twins in Azure IoT Hub help with the following, based on the information stored in them:
Monitoring the connectivity of the system
Monitoring the health of IoT Edge deployments
The Azure IoT Edge runtime has the "IoT Edge Agent" as one of its two runtime modules; it performs installation / initiation of modules and updating / reporting of the status of the modules to the IoT Hub. The $edgeAgent module twin maintains the health and connectivity data about both the IoT Edge agent and IoT Edge hub runtime modules.
The Azure IoT Edge hub runtime maintains the data about communications between the "IoT Edge hub" running on the device and Azure IoT Hub via the $edgeHub module twin.
High level overview:
The "Azure Monitor workbooks for IoT" provide a couple of views:
An overview / state of active devices can be seen in the "Devices" view
Alerts display as per the rules configured for the devices in the "Alerts" view
Azure Monitor workbooks can be tuned to show data at any level of interest (device state, app status). The public templates can be modified to meet the requirement in hand. The data is fetched by resource-centric KQL queries on the InsightsMetrics table.
Screenshot of Devices view:
Screenshot of Alerts view:
References:
Monitor Module Twins
Monitor Workbooks
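The classification the question asks for (flag apps as installed, removed or failed from $edgeAgent reported properties), as an added example that is not part of either answer. It diffs two snapshots of a device's $edgeAgent module twin "reported" section, however those snapshots are obtained, and goes a little beyond the question by also reporting a "recovered" transition. The sample twins and the set of states counted as failure are constructed for this example.

```python
import json

# Constructed sample (not from the page): the "reported" section of a device's
# $edgeAgent module twin before and after a user installs "appB", removes "appA",
# and "appC" crashes. Only runtimeStatus matters for the classification below.
BEFORE = json.loads("""{
  "systemModules": {"edgeAgent": {"runtimeStatus": "running"},
                    "edgeHub": {"runtimeStatus": "running"}},
  "modules": {"appA": {"runtimeStatus": "running"},
              "appC": {"runtimeStatus": "running"}}
}""")
AFTER = json.loads("""{
  "systemModules": {"edgeAgent": {"runtimeStatus": "running"},
                    "edgeHub": {"runtimeStatus": "running"}},
  "modules": {"appB": {"runtimeStatus": "running"},
              "appC": {"runtimeStatus": "failed", "exitCode": 1}}
}""")

# $edgeAgent runtimeStatus values that the portal treats as a failed install (assumed set)
FAILED_STATES = {"failed", "backoff"}


def module_states(reported):
    """Map module name -> runtimeStatus from an $edgeAgent reported-properties
    document. A missing or empty document (freshly provisioned device) yields
    an empty map; the edgeAgent/edgeHub system modules are left out on purpose."""
    return {name: mod.get("runtimeStatus", "unknown")
            for name, mod in (reported or {}).get("modules", {}).items()}


def diff_modules(before, after):
    """Classify each module change between two snapshots as installed, removed,
    failed or recovered, in a stable (sorted) order for the database writer."""
    old, new = module_states(before), module_states(after)
    events = []
    for name in sorted(set(old) | set(new)):
        was, now = old.get(name), new.get(name)
        if was is None:                      # newly deployed module
            events.append((name, "failed" if now in FAILED_STATES else "installed"))
        elif now is None:                    # module gone from the deployment
            events.append((name, "removed"))
        elif now in FAILED_STATES and was not in FAILED_STATES:
            events.append((name, "failed"))
        elif was in FAILED_STATES and now not in FAILED_STATES:
            events.append((name, "recovered"))
    return events
```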

Is there a way to connect the data present in Azure IOT hub to IOT Central smart meter application

I have published data to the Azure IoT Hub devices from my hardware devices. Now I want to perform some analysis using the IoT Central application 'Smart Meter Monitoring'; the link to the website is https://apps.azureiotcentral.com/build/energy. To be more concise, I'm trying to consume the data present in the Azure IoT Hub devices using the IoT Central application 'Smart Meter Monitoring' so that I can build dashboards on the data that is consumed. I have browsed many websites and I am not making any progress in trying to connect Azure IoT Hub and the 'Smart Meter Monitoring' application of IoT Central. I am a beginner in this field and want to understand how this integration is made; any tutorial or blog will be helpful.
You could use this repo https://github.com/IOTD-Americas/iothub-bridge-function in order to re-send all telemetry from IoT Hub to IoT Central using an Azure Function in real time.

Azure IoT Hub Device Identity requirements

I need to connect some sensors to an Azure IoT Edge Runtime via MQTT.
I read here: How an IoT Edge device can be used as a gateway, that in the "Transparent" pattern, devices which hold their own IoT Hub device identity can communicate directly with Azure IoT Edge via MQTT.
I am still in the planning phase and don't have the sensors (or IoT Hub devices) at the moment, so I couldn't really start testing directly. I wanted to know if all devices/sensors can hold their own IoT Hub device identity and if there are any hardware requirements in order to do so?
Thank you very much in advance!
In the transparent gateway case, the requirements for devices / sensors are the same as if the device were connecting directly to an IoT Hub using its identity. That is, if the device or sensor supports connecting to Azure IoT Hub via MQTT, it should work through the transparent gateway. When configuring the device, instead of using a connection string for the Azure IoT Hub itself, you'd use a connection string that references the local Edge gateway.
There are 3 basic steps to take in the transparent gateway scenario. The article you linked steps through them, but I'll add some color for 2 and 3.
1. Set up the gateway for connectivity from the downstream devices and routing to the upstream IoT Hub. This article has good details.
2. For each device, create an identity in Azure IoT Hub, using the device's unique ID (for example, the device EUI for a LoRaWAN sensor) as the IoT Hub DeviceId, and set up auth per this article. This step is where you determine the Edge gateway connection string.
3. Connect the downstream device to the gateway device and start sending messages. That's this article. This is obviously dependent on the device itself and its operating code/configs (whether a 3rd-party black-box type device or something running your own code).

Initial Device ID registration to Azure IoT Hub by the device itself

In order to send messages to the Azure IoT Hub, you first need to register the devices in the IoT Hub registry, but how can you make the devices register their IDs by themselves in a safe way?
My intention of this question is about the security problem.
I am thinking of implementing them on apps such as Androids, iOS, etc. which will be used by many users.
If you give those devices read/write permission to the registry (with the shared access key stored in the app), there is a risk that a malicious user finds out the shared access key and uses it to abuse the system.
Are there any other solutions besides preparing a public server that provides a function to register a device and give them back the per-device access key? Or, shouldn't I use the IoT Hub and find another service?
If you want users to be able to register their own devices with your IoT hub, you should create a separate service that can be called from the device and that returns a key. The service should register the device with IoT Hub and provide some logic that limits the number of devices that any user can register.
This is the approach taken in the MyDriving sample solution here that allows users to register their phones as devices connected to an IoT hub.
You can create multiple keys, so, as with the way Azure Storage works, have a primary and a secondary.
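The pattern the answer recommends (a server-side registration service that holds the registry key, enforces a per-user device limit, and hands the app only its own per-device key), as an added example that is not code from the page or from the MyDriving sample. The in-memory registry, the hub host name, the device IDs and the quota of 3 are all constructed for this example; a real service would call the IoT Hub registry API from the server at the marked spot. The device-side function mints the standard IoT Hub SAS token from the per-device key so the app never needs anything registry-scoped.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse
from collections import defaultdict

MAX_DEVICES_PER_USER = 3   # assumed quota; the answer only says to limit the count


class InMemoryRegistry:
    """Stand-in (constructed for this example) for the IoT Hub identity registry.
    A real service would call the IoT Hub registry API here with a registry-write
    policy key that lives only on the server, never in the mobile app."""
    def __init__(self):
        self.devices = {}

    def create_device_with_sas(self, device_id, primary_key, secondary_key):
        if device_id in self.devices:
            raise ValueError(f"device {device_id} already registered")
        self.devices[device_id] = (primary_key, secondary_key)


class RegistrationService:
    """Server-side endpoint: an already authenticated user asks for a device identity."""
    def __init__(self, registry, hub_host):
        self.registry, self.hub_host = registry, hub_host
        self.owner_devices = defaultdict(set)

    def register(self, user_id, device_id):
        if len(self.owner_devices[user_id]) >= MAX_DEVICES_PER_USER:
            raise PermissionError("device quota exceeded for this user")
        # per-device symmetric keys: 32 random bytes, base64 as IoT Hub expects
        primary = base64.b64encode(secrets.token_bytes(32)).decode()
        secondary = base64.b64encode(secrets.token_bytes(32)).decode()
        self.registry.create_device_with_sas(device_id, primary, secondary)
        self.owner_devices[user_id].add(device_id)
        # only this device's own key goes back to the app; it cannot touch the registry
        return {"hostName": self.hub_host, "deviceId": device_id, "key": primary}


def device_sas_token(hub_host, device_id, key_b64, ttl_seconds=3600, now=None):
    """Device side: mint a short-lived SAS token scoped to its own identity from
    the per-device key (IoT Hub format: HMAC-SHA256 over url-encoded sr, newline, se)."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    sr = urllib.parse.quote_plus(f"{hub_host}/devices/{device_id}")
    digest = hmac.new(base64.b64decode(key_b64), f"{sr}\n{expiry}".encode(),
                      hashlib.sha256).digest()
    sig = urllib.parse.quote_plus(base64.b64encode(digest).decode())
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"
```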