Azure Policy Definitions for IoT Hub

This course will focus on the skills needed to integrate Azure Monitor and its corresponding features within IoT solutions. Each service within a given IoT solution has the ability to produce metrics, logging, and alerting data. How are you going to gather all of that information and make it available to users that are managing and maintaining your solutions? This course will provide the answers to that question!

Learning Objectives

  • Understand the different metrics and diagnostics that can be retrieved from the Azure IoT Hub
  • Learn how to configure the IoT Hub for scaling programmatically
  • Learn how to query and visualize the data that is stored in Azure Monitor
  • Define specific Azure policies for your IoT Hub so that the hub meets your requirements
  • Learn how to gather metrics and diagnostics from IoT Edge

Intended Audience

  • Developers
  • Operational engineers
  • Cloud architects
  • Anyone responsible for deploying IoT solutions on Azure


To get the most out of this course, you should have a strong understanding of the available IoT services that Microsoft provides, as well as a strong understanding of Azure Monitor and the different types of data that can be retrieved through all of its features and services.


Hi there. In this video, we're gonna be focusing on how to set up Azure Policy definitions that can be applied to your IoT hub within your given IoT solution. Azure Policy was something that we talked about in the introduction video, and is something that can be applied at multiple levels within Azure: the Management Group level, the Subscription level, and the Resource Group level. So, the question is, are your policies gonna be applied to only your solution, meaning to the resource group, to all solutions within your subscription, or to potentially all solutions within your organization?

Now, that organization could be your entire company, it could also just be a department within your company, depending upon how Azure was organized by those who set it up. Before we go into the specifics of IoT hub related Azure policies, let me give you a quick example here of a very, very common policy that almost every customer implements. If you look at the properties line, it's called "Allowed locations." We dive into the parameters. You're basically providing a "list of Azure regions or locations" that are relevant to your subscription. And then the rule is, if the region you're creating a resource in does not fall into that list, which is just an array of strings, then at the end it's gonna deny it. Very, very common policy example, but I just wanted to give you an idea of what an Azure Policy might look like relative to all of Azure before we focus on IoT hub.

Within Azure, there are a number of policies that have already been set up and built into Azure for IoT hub or Internet of Things. This URL will be made available to you at the end of the slide deck so that you can take a look at it yourself. Cause I am not gonna go through all of these available Azure Policy options. Some of them are currently generally available. Some of them are currently in preview, but they are all ones that can be applied to your IoT hub and therefore to the resource groups and subscriptions that may contain your IoT hub. Each one of these policies then has a specific effect that can be applied based on how that particular definition was set up.

If we look here in the effects column, you'll see first audit. So, if in fact your IoT hub does not meet the policy, then the audit would create a log entry for that, but nothing would be done. If you went to go modify your IoT hub and the policy said no, you're not allowed to modify it in that way, then the policy would actually prevent you from making that configuration change and you would get an error back relative to that within the Azure Portal, letting you know that that was the reason. In addition, if you did a configuration change and the disabled effect was put in place, then Azure would actually disable your IoT hub from being available based on that configuration change. The last option here is called deploy if not exists, meaning that if you set up a brand new IoT hub and you put in a particular configuration change that was not supposed to be allowed, the policy would actually prevent you from creating that particular IoT hub until you removed that configuration change. So, there's a number of different ways that policies can affect either existing IoT hubs, as well as the creation of new IoT hubs.

You can also set up remediation chains so that if you have a large number of IoT hubs and new policies get put in place, you can make sure that the existing IoT hubs will comply with those new policies that have been implemented. So, with that, let's jump into the portal and take a quick look at how to apply Azure Policy within your Azure subscription.

Okay, here we are in the Azure portal. And the first thing I wanna show you is, if we go into my IoT hub, you'll notice here on the left-hand side that there is no option anywhere here called policy or Azure Policy or policies. And that's because, if you'll remember, policies can only be applied at the resource group, subscription, or management group level. They cannot be applied at the individual resource level. So, you're never gonna be able to do that here.

For us, what we're gonna do is we're gonna do it at the subscription level. So, we're gonna go into my subscription. And down here under settings is an item called policies. And this is where we're gonna actually be able to turn on policy definitions and apply them to Internet of Things or IoT hubs within our given subscriptions. So, the first thing that we're gonna do under Azure Policy is see what is our existing compliance level, meaning for all of the policies that have been implemented within the subscription, how many of them am I currently meeting. Right now? One. This is a development subscription, none of this really matters. This is just being used for demonstration purposes.

What we now wanna do is look at what the available definitions for Internet of Things or IoT hubs are. So, we go under the definition section and we of course choose the scope. In this case, it's going to be the subscription, but I could also set it to something other than that if I had other options. We then wanna look at initiatives or policies. Here we wanna look at both of them; each one of them can have different requirements. Usually an initiative is very tightly tied to a regulatory compliance, but it doesn't have to be.

Next is, do we wanna look at built-in policies or custom? You do have the ability to build custom ones, if you should so desire, once you understand the JSON definition and the resource type that it's gonna be applied to. And then lastly is the category. And this is where you're going to define which type of resources in Azure you're trying to create these policies against or apply them to.

What I'm gonna do is I'm gonna remove the select all and Internet of Things is the category that contains IoT hubs, IoT edge devices, and things of that nature. So, I'm gonna just type in internet and there it is, Internet of Things. So, the minute that I click on those, all of the same policies that I showed you in that table a little while ago are sitting here. Some of them are in preview, as you can see right here, or the majority of them are, in fact, in a generally available status. You can see that they are all policy types, they're all built in and they all apply to Internet of Things.

So, let's choose one of them to apply to our subscription. Let's choose this one here. And here is the JSON definition of this policy, which includes things like the description. What are the effects, if not met? What should happen? What is it being applied to? As you can see here, it is Microsoft.Devices/IotHubs, which is exactly what we would want to allow.

In this instance, what we're looking for is whether or not public network access has been turned on. And you can see right here at the top, Configure Azure IoT Hubs to disable public network access, meaning that the IoT hubs should only be available inside of virtual networks. Now that's not always going to be a requirement. It's all gonna be based on your security controls, your specific compliance levels that you need to meet and things like that. But this is a very common requirement or security control that should be put in place for many, if not all of your IoT hubs. And then you can specify different things such as do you wanna audit it? Do you wanna deny it? Do you wanna retrofit it? Disable it? Those kinds of things that are gonna be based off of when you make that happen.

So, right directly from here, I can click on the assign button and that would allow me to take this particular policy and apply it to my subscription, management group, or resource group. I could also duplicate it. I could also export it. Exporting it would allow you to basically get the JSON definition so that you could potentially create or modify your own. You cannot edit the definition here in the Azure portal. However, you can edit the inbound or the built-in definitions from Azure PowerShell and Azure CLI. So, let's go through the assignment process real quick.

First thing is we're gonna choose our scope. We're gonna choose our subscription first. Then we can choose whether or not we wanna apply it to a specific resource group. I will apply it to the IoT monitoring resource group, because that's the only place that I have an IoT hub. And, therefore, I'm not locking down future IoT hubs that might get created within my subscription, but I could go ahead and set it at the subscription level.

Next is, do we wanna set any exclusions? Meaning should there be specific IoT hubs that don't have to meet this policy? Only you can know that depending upon the IoT solutions that you're implementing. Then we have the basics of the definition, the assignment name, which you can modify yourself. If you wanna apply a particular policy to multiple resource groups and not the entire subscription, you would set a specific assignment name for each one of those resource groups. Then do you want it enabled or disabled? And then who is the assignee.

Once you've done that you can review and create. Now, this is a very, very simple assignment. Some policies require you to set particular parameters. So, we go to parameters. There is no required parameter here for us to set because this one has a default value of modify. Meaning that, if at any point I turn on public network access, it's gonna automatically modify the IoT hub to remove that. But you could also set it to disabled. Which is what I'm going to do. If I go and I turn on public network access, then it's going to disable the IoT hub. That's only though for new IoT hub creations. For existing ones, you then have to go to the remediation tab and you have to set up a script that will go through the process of remediating any particular IoT hubs within a given region. That's what will happen when the particular IoT hub goes against the policy.

You can also send noncompliance messages to the owner of the IoT hub. This will also go into the audit log because all audit messages from Azure Policy do show up in the Azure activity log, also known as the audit log. And then we can go with review and create. And just like that, I have assigned this policy to that resource group. Now, as I said, it only affects newly created IoT hubs. I would have had to have set up a remediation script to handle the existing one that is, in fact, already set up with public network access. This is just one of many that are available and you can also create your own depending upon your IoT solutions and the types of controls and compliances that you need to meet.
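To make the mechanics of the video concrete, here is an added example that is not code from the course, from Cloud Academy or from Microsoft: a small Python evaluator for the two policy shapes discussed above (the "Allowed locations" deny rule from the introduction, and the IoT hub public network access policy whose effect parameter can be Modify or Disabled), plus an assignment step that honours the scope and exclusions chosen in the portal wizard. The two definitions are constructed approximations of the built-in ones; the alias name `Microsoft.Devices/IotHubs/publicNetworkAccess`, the `addOrReplace` operation shape and the subscription id are assumptions, and the real Azure Policy engine has far more operators than the four implemented here. One point worth noticing in the code: in Azure Policy the Disabled effect switches the definition off rather than acting on the resource, so the evaluator returns early without checking anything when the effect parameter is set to Disabled.

```python
"""Toy evaluator for Azure Policy rules (added example, not Microsoft code)."""
from copy import deepcopy

# Constructed approximation of the built-in "Allowed locations" definition.
ALLOWED_LOCATIONS = {
    "displayName": "Allowed locations",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"field": "location",
               "notIn": "[parameters('listOfAllowedLocations')]"},
        "then": {"effect": "deny"},
    },
}

# Constructed approximation of the IoT hub policy shown in the video; the alias
# and the Modify operation shape are assumptions about the real definition.
IOTHUB_NO_PUBLIC_ACCESS = {
    "displayName": "Configure Azure IoT Hubs to disable public network access",
    "parameters": {"effect": {"type": "String", "defaultValue": "Modify",
                              "allowedValues": ["Modify", "Disabled"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Devices/IotHubs"},
            {"field": "Microsoft.Devices/IotHubs/publicNetworkAccess",
             "notEquals": "Disabled"},
        ]},
        "then": {"effect": "[parameters('effect')]",
                 "details": {"operations": [{
                     "operation": "addOrReplace",
                     "field": "Microsoft.Devices/IotHubs/publicNetworkAccess",
                     "value": "Disabled"}]}},
    },
}


def resolve(value, params):
    """Expand the [parameters('name')] template form; anything else passes through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def norm(value):
    """Azure Policy compares strings case-insensitively; normalise for that."""
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [norm(v) for v in value]
    return value


def field_value(resource, field):
    """'type'/'location'/'name' are top-level; '<type>/<path>' aliases read properties."""
    if field in ("type", "location", "name"):
        return resource.get(field)
    prefix = resource["type"] + "/"
    if not field.lower().startswith(prefix.lower()):
        return None                      # alias belongs to a different resource type
    node = resource.get("properties", {})
    for key in field[len(prefix):].split("/"):
        node = node.get(key) if isinstance(node, dict) else None
    return node


def condition_holds(cond, resource, params):
    """Evaluate an 'if' block supporting allOf/anyOf/not and four field operators."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    actual = norm(field_value(resource, cond["field"]))
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = norm(resolve(cond[op], params))
            hit = actual == expected if op in ("equals", "notEquals") else actual in expected
            return hit if op in ("equals", "in") else not hit
    raise ValueError(f"unsupported condition: {cond}")


def set_field(resource, field, value):
    """Apply a Modify addOrReplace operation to the resource's properties (in place)."""
    path = field[len(resource["type"]) + 1:].split("/")
    node = resource.setdefault("properties", {})
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def evaluate(definition, resource, params=None):
    """Return (outcome, resource_after) for one resource against one definition."""
    merged = {n: spec.get("defaultValue")
              for n, spec in definition.get("parameters", {}).items()}
    merged.update(params or {})
    rule = definition["policyRule"]
    effect = str(resolve(rule["then"]["effect"], merged)).lower()
    if effect == "disabled":   # Disabled turns the definition off: nothing is checked
        return "disabled", resource
    if not condition_holds(rule["if"], resource, merged):
        return "compliant", resource
    if effect == "modify":     # Modify rewrites the request; return the corrected copy
        fixed = deepcopy(resource)
        for op in rule["then"]["details"]["operations"]:
            if op["operation"] in ("add", "addOrReplace"):
                set_field(fixed, op["field"], op["value"])
        return "modify", fixed
    return effect, resource    # deny / audit leave the resource untouched


def evaluate_assignment(definition, assignment, resources):
    """Honour the assignment's scope and exclusions (notScopes), as in the portal wizard."""
    report = {}
    for res in resources:
        rid = res["id"].lower()
        if not rid.startswith(assignment["scope"].lower()):
            continue                                   # outside the assignment entirely
        if any(rid.startswith(ns.lower()) for ns in assignment.get("notScopes", [])):
            report[res["id"]] = "excluded"
            continue
        report[res["id"]] = evaluate(definition, res, assignment.get("parameters"))[0]
    return report


# Constructed sample inventory; the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/iot-monitoring"
HUB_A = {"id": RG + "/providers/Microsoft.Devices/IotHubs/hub-a",
         "type": "Microsoft.Devices/IotHubs", "location": "eastus",
         "properties": {"publicNetworkAccess": "Enabled"}}
HUB_B = {"id": RG + "/providers/Microsoft.Devices/IotHubs/hub-b",
         "type": "Microsoft.Devices/IotHubs", "location": "westus",
         "properties": {"publicNetworkAccess": "Disabled"}}
ASSIGNMENT = {"scope": RG, "notScopes": [HUB_B["id"]],   # hub-b is the exclusion
              "parameters": {"effect": "Modify"}}

if __name__ == "__main__":
    print(evaluate(ALLOWED_LOCATIONS, HUB_B,
                   {"listOfAllowedLocations": ["eastus", "eastus2"]})[0])   # deny
    print(evaluate_assignment(IOTHUB_NO_PUBLIC_ACCESS, ASSIGNMENT, [HUB_A, HUB_B]))
```

Running it denies hub-b under the allowed-locations rule, reports hub-a as needing a Modify (its `publicNetworkAccess` is rewritten to `Disabled` in the returned copy while the original is left as is, which is what the remediation step in the video would do for existing hubs) and reports hub-b as excluded by the assignment's notScopes.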

In the next video, we're gonna be taking a look at the IoT edge devices in more detail.

About the Author

Brian has been working in the Cloud space for more than a decade as both a Cloud Architect and Cloud Engineer. He has experience building Application Development, Infrastructure, and AI-based architectures using many different OSS and Non-OSS based technologies. In addition to his work at Cloud Academy, he is always trying to educate customers about how to get started in the cloud with his many blogs and videos. He is currently working as a Lead Azure Engineer in the Public Sector space.