Azure IoT Security part II | Azure Sphere

Derk van der Woude
Feb 13, 2023

Part I described the setup of the generic AZ3166 IoT device in Azure IoT services such as the IoT Hub, the agentless scanning features and the Microsoft Defender for IoT integration. This second part goes deeper into the Azure Sphere MT3620 lab setup. First, a new overview of Azure IoT Security V2 in the graphic below (V3 follows in the third and last blog).

Azure Sphere

Azure Sphere is a secured crossover MCU (microcontroller unit) that includes a secure Linux-based operating system and a secure cloud-based, connected security service (the Azure Sphere Security Service) for end-to-end security of IoT (Internet of Things) devices.

The security features of Azure Sphere are:

  • End-to-end secure authenticated connections
  • Azure Sphere Security Service for automatic software updates: Microsoft releases the O.S. updates and the vendor releases application updates
  • Connected cloud services for data analytics etc.

The Azure Sphere MT3620 Development Kit is used to set up a lab environment. The kit includes Wi-Fi; Ethernet requires an extra module.

Disclaimer: the AZ3166 from my previous blog can be (re-)used in different Azure tenants. The MT3620 Azure Sphere can only be used in one Azure Sphere tenant (see Claim Device).

Setup of the Azure Sphere device

The setup is documented in detail; here I describe a high-level overview of the setup, including screen prints.

Install the Azure Sphere SDK (Windows)
Download the Azure Sphere SDK and install Azure_Sphere_SDK_<version>.exe (requires a reboot). After the reboot, the Azure Sphere CLI is available.

The Azure Sphere SDK requires Visual Studio (Code). Install Visual Studio and the Azure Sphere extension.

Claim Device

Every device must be claimed into an Azure Sphere tenant. Claiming the device associates its unique, immutable device ID with the Azure Sphere tenant. The Azure Sphere Security Service uses the device ID to identify and authenticate the device.

  • Connect the Azure Sphere hardware device over USB
  • Start PowerShell (Run As Administrator)
azsphere device recover

device recover updates the device to the latest version.

After the update is completed:
register-user is used only once, to register the user with the Azure Sphere Security Service.

azsphere register-user --new-user <email-address>

Consent is required.

azsphere login

And the authorization is completed.

Now we need to create an Azure Sphere tenant.

azsphere tenant create --name <tenant-name or tenant-ID>

And finally we need to claim the device into the Azure Sphere tenant.

azsphere device claim

The Azure Sphere device is now claimed into the Azure Sphere tenant; this process cannot be reversed.

Configure networking and update the device O.S. (automatically)

Disclaimer: multiple TAP networks can interfere with network (internet) connectivity.

Set up Wi-Fi on the Azure Sphere device via the CLI or the Azure Sphere Explorer.

azsphere device wifi add --ssid "SSID" --psk "password"

The <network id> is shown in the output of the command above.

azsphere device wifi enable --id <network id>
azsphere device network list-interfaces

Azure Sphere Explorer
Visual Studio > View > Other Windows > Azure Sphere Explorer

  • Select Wi-Fi network and connect
  • Verify via the CLI
azsphere device wifi show-status

The Azure Sphere device checks for Azure Sphere O.S. and application updates on startup and every 24 hours.

Add device to Azure IoT Hub

  • The Azure IoT Hub was created in part I.
  • Download the tenant authentication CA certificate from the Azure Sphere Security Service
azsphere login
azsphere ca-certificate download --destination CAcertificate.cer
  • Add the certificate in the Security settings
  • Create an X.509 device in the Azure IoT Hub for the Azure Sphere device

To get the Device ID:

azsphere device show-attached

Input the Device ID and select X.509 CA Signed.
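
Before adding CAcertificate.cer in the Security settings, it is worth confirming that the downloaded file really is a valid CA certificate and recording its fingerprints, so the certificate shown in the IoT Hub can be compared against the file. The PowerShell below is an added example, not part of the original post or of the Azure Sphere tooling; the function name and the 30-day warning threshold are assumptions.

```powershell
# Added example (not from the original post): inspect the tenant CA certificate
# saved by `azsphere ca-certificate download` before it is uploaded to the IoT Hub.
function Get-SphereCaCertificateReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $WarnDays = 30   # assumption: flag certificates expiring within 30 days
    )
    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Basic Constraints (OID 2.5.29.19) should mark the certificate as a CA,
    # because it is uploaded as the signing CA for "X.509 CA Signed" devices.
    $isCa = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.19') {
            $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension -ArgumentList $ext, $ext.Critical
            $isCa = $bc.CertificateAuthority
        }
    }

    # SHA-256 over the DER encoding; the SHA-1 thumbprint is kept as well
    # because it is the value Windows certificate tooling displays.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try     { $digest = $sha256.ComputeHash($cert.RawData) }
    finally { $sha256.Dispose() }

    $now = Get-Date
    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Sha1Thumbprint = $cert.Thumbprint
        Sha256         = ([System.BitConverter]::ToString($digest) -replace '-', '')
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        IsCa           = $isCa
        CurrentlyValid = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ExpiresSoon    = ($cert.NotAfter -lt $now.AddDays($WarnDays))
    }
}

# Run in the folder where the certificate was downloaded.
Get-SphereCaCertificateReport -Path .\CAcertificate.cer | Format-List
```

If IsCa or CurrentlyValid is False, download the certificate again rather than uploading the file.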

The device is created in the Azure IoT Hub and protected via the integrated Microsoft Defender for IoT.

Microsoft Defender for IoT protects the device via prevention of threats (Recommendations) and detection of threats (Alert).

The main difference (besides the price, x2) between the generic AZ3166 and the Azure Sphere MT3620 is the Azure Sphere Security Service, which makes the MT3620 a very secure IoT device and solution.

Part 3 of the blog series will be about the question mark in red in the overview picture: an Azure Arc connected, agent-based Microsoft Defender for IoT solution. I am working with Microsoft on this in a private preview program [NDA].