Azure IoT Security basics

Derk van der Woude
4 min readFeb 9, 2023

This blog is part of two series. The first part describes the Azure IoT security basics overview and the setup of a hardware IoT device lab with the MXCHIP AZ3166 IOT-DevKit. The second part will go deeper into Azure Sphere.

I am not an expert in Azure IoT (yet) so please comment if something needs to be added/changed to the blog. Just trying to help people quickstart Azure IoT security via the Microsoft Defender products


  • MXCHIP AZ3166 IoT DevKit
  • Azure subscription

Azure IoT Security overview

The overview below (Azure Sphere will be added in the 2nd part) is my view of Azure IoT Security integration with the Microsoft Defender products in-scope of IoT.

Let’s go from right to left to describe the difference Azure IoT components.

Azure IoT Central

Azure IoT Central is an aPaaS (application PaaS) solution with ready to use UI and API to built IoT applications. Azure IoT Central does not support Microsoft Defender for IoT integration. To deploy our IoT device to Azure IoT Central see Quickstart: Connect an MXCHIP AZ3166 devkit to IoT Central

Azure IoT Hub

Azure IoT Hub is more complex but modular for building IoT device applications. The Standard Tier is required for Microsoft Defender for IoT integration. The integration can be enabled during the creation of the Azure IoT Hub via the Add-ons Defender for IoT

or after the installation via the Defender for IoT section

To deploy our IoT device to Azure IoT Central see Quickstart: Connect an MXCHIP AZ3166 devkit to IoT Hub

After the deployment the IoT device is visible in the Azure IoT Hub — Device management and in the section Defender for IoT

Azure IoT Edge process the data locally on the location where the data is collected before sending and communication to the Azure IoT Hub as central controller.

Pro-tip: Termite can be used after the deployment to monitor device communication with the Azure Cloud

Microsoft Defender for IoT

Microsoft Defender can use agentless detection of devices, threats (alerts) and vulnerabilities (recommendations) via the OT sensor connected to the SPAN port of the OT network (or any other air-gapped network).

Azure IoT Hub devices integrate with Microsoft Defender for IoT as a managed device in the device inventory.

Alerts (threat detection) and recommendations (threat prevention) from the Microsoft Defender for IoT portal (see above) are synchronized to the Azure IoT Hub — Defender for IoT portal (see below)

Microsoft Defender for Endpoint / Enterprise IoT

Microsoft Defender for Endpoint -Device Discovery is an agentless scan feature to detect devices (computer & mobile, network and IoT devices) on IT and IoT networks via (all or selected) MDE onboarded devices. IoT device discovery is part of the MDE P2 or Microsoft 365 E5 license.

By enabling the Enterprise IoT plan (Azure subscription) Risk- (alert) and exposure (vulnerabilities) level become visible.

Left is MDE P2 only and right is the Enterprise IoT plan enabled.

Enterprise IoT

Optional and EIoT sensor (same hardware as the OT sensor) can be deployed on network segments without MDE devices to scan for IoT devices, agentless via the SPAN port of the network switch.

See my previous blogs for more information on Microsoft Defender for IoT and Enterprise IoT:

Azure Sphere

The Azure Sphere MT3620 Devevopment Kit including the MT3620 WiFi-module and the Grove Start kit for Azure Sphere MT3620 arrived for the second part of the blog :-)