IoT 中心设备预配服务概念IoT Hub Device Provisioning Service concepts

IoT 中心设备预配服务是一项 IoT 中心帮助程序服务,该服务用于将零接触设备预配到指定 IoT 中心。IoT Hub Device Provisioning Service is a helper service for IoT Hub that you use to configure zero-touch device provisioning to a specified IoT hub. 使用设备预配服务,可以通过安全且可缩放的方式自动预配数百万台设备。With the Device Provisioning Service, you can auto-provision millions of devices in a secure and scalable manner.

设备预配是一个两部分过程。Device provisioning is a two part process. 第一部分是通过注册设备来建立设备和 IoT 解决方案之间的初始连接 。The first part is establishing the initial connection between the device and the IoT solution by registering the device. 第二部分是根据解决方案的具体要求将适当的配置应用于设备 。The second part is applying the proper configuration to the device based on the specific requirements of the solution. 在这两个步骤都完成后,设备已完全预配 。Once both steps have been completed, the device has been fully provisioned. 设备预配服务自动执行这两个步骤,为设备提供无缝的预配体验。Device Provisioning Service automates both steps to provide a seamless provisioning experience for the device.

本文概述了最适用于管理服务的预配概念 。This article gives an overview of the provisioning concepts most applicable to managing the service. 本文与设备部署准备工作的云设置步骤中提及的角色最为相关。This article is most relevant to personas involved in the cloud setup step of getting a device ready for deployment.

服务操作终结点Service operations endpoint

服务操作终结点是用于管理服务设置和维护注册列表的终结点。The service operations endpoint is the endpoint for managing the service settings and maintaining the enrollment list. 此终结点仅由服务管理员使用,设备不使用它。This endpoint is only used by the service administrator; it is not used by devices.

设备预配终结点Device provisioning endpoint

设备预配终结点是单一终结点,所有设备都使用它进行自动预配。The device provisioning endpoint is the single endpoint all devices use for auto-provisioning. 此 URL 对于所有预配服务实例都是相同 ,因而无需使用供应链方案中的新连接信息来刷新设备。The URL is the same for all provisioning service instances, to eliminate the need to reflash devices with new connection information in supply chain scenarios. ID 范围可确保租户隔离。The ID scope ensures tenant isolation.

链接 IoT 中心Linked IoT hubs

设备预配服务只能将设备预配到已链接到它的 IoT 中心。The Device Provisioning Service can only provision devices to IoT hubs that have been linked to it. 将 IoT 中心链接到设备预配服务实例可以为 IoT 中心的设备注册表提供服务读/写权限;通过该链接,设备预配服务可以注册设备 ID 并在设备孪生中设置初始配置。Linking an IoT hub to an instance of the Device Provisioning service gives the service read/write permissions to the IoT hub's device registry; with the link, a Device Provisioning service can register a device ID and set the initial configuration in the device twin. 链接 IoT 中心可能位于任何 Azure 区域。Linked IoT hubs may be in any Azure region. 可将其他订阅中的中心链接到预配服务。You may link hubs in other subscriptions to your provisioning service.

分配策略Allocation policy

用于确定设备预配服务如何将设备分配给 IoT 中心的服务级别设置。The service-level setting that determines how Device Provisioning Service assigns devices to an IoT hub. 支持三种分配策略:There are three supported allocation policies:

  • 均匀加权分发:链接的 IoT 中心等可能地获得预配到它们的设备。Evenly weighted distribution: linked IoT hubs are equally likely to have devices provisioned to them. 默认设置。The default setting. 如果只将设备预配到一个 IoT 中心,则可以保留此设置。If you are provisioning devices to only one IoT hub, you can keep this setting.

  • 最低延迟:将设备预配到具有最低延迟的 IoT 中心。Lowest latency: devices are provisioned to an IoT hub with the lowest latency to the device. 如果多个链接 IoT 中心提供相同的最低延迟,则预配服务将在这些中心上散列设备If multiple linked IoT hubs would provide the same lowest latency, the provisioning service hashes devices across those hubs

  • 通过注册列表进行静态配置:注册列表中所需 IoT 中心的规范优先于服务级别分配策略。Static configuration via the enrollment list: specification of the desired IoT hub in the enrollment list takes priority over the service-level allocation policy.


注册是指可以通过自动预配注册的设备或设备组的记录。An enrollment is the record of devices or groups of devices that may register through auto-provisioning. 注册记录包含有关设备或设备组的信息,包括:The enrollment record contains information about the device or group of devices, including:

  • 设备使用的证明机制the attestation mechanism used by the device
  • 可选的初始所需配置the optional initial desired configuration
  • 所需的 IoT 中心desired IoT hub
  • 所需的设备 IDthe desired device ID

设备预配服务支持两种类型的注册:There are two types of enrollments supported by Device Provisioning Service:

注册组Enrollment group

注册组是一组共享特定证明机制的设备。An enrollment group is a group of devices that share a specific attestation mechanism. 注册组支持 X.509 和对称。Enrollment groups support both X.509 as well as symmetric. X.509 注册组中的所有设备都提供已由同一根或中间证书颁发机构 (CA) 签名的 X.509 证书。All devices in the X.509 enrollment group present X.509 certificates that have been signed by the same root or intermediate Certificate Authority (CA). 对称密钥注册组中的每个设备都提供派生自组对称密钥的 SAS 令牌。Each device in the symmetric key enrollment group present SAS tokens derived from the group symmetric key. 注册组名称和证书名称必须是小写的字母数字,并可包含连字符。The enrollment group name and certificate name must be alphanumeric, lowercase, and may contain hyphens.


建议对共享所需初始配置的大量设备,或者全部转到同一租户的设备使用注册组。We recommend using an enrollment group for a large number of devices that share a desired initial configuration, or for devices all going to the same tenant.

单独注册Individual enrollment

单独注册是用于可注册的单一设备的条目。An individual enrollment is an entry for a single device that may register. 个人注册可使用 X.509 叶证书或 SAS 令牌(来自物理或虚拟 TPM)作为证明机制。Individual enrollments may use either X.509 leaf certificates or SAS tokens (from a physical or virtual TPM) as attestation mechanisms. 单独注册中的注册 ID 是小写的字母数字,并且可包含连字符。The registration ID in an individual enrollment is alphanumeric, lowercase, and may contain hyphens. 单独注册可能会指定所需 IoT 中心设备 ID。Individual enrollments may have the desired IoT hub device ID specified.


对于需要唯一初始配置的设备或仅能通过 TPM 证明使用 SAS 令牌进行身份验证的设备,建议为其使用个人注册。We recommend using individual enrollments for devices that require unique initial configurations, or for devices that can only authenticate using SAS tokens via TPM attestation.


注册是设备通过设备预配服务成功注册/预配到 IoT 中心的记录。A registration is the record of a device successfully registering/provisioning to an IoT Hub via the Device Provisioning Service. 注册记录自动创建,可以删除,但不能更新。Registration records are created automatically; they can be deleted, but they cannot be updated.


操作是设备预配服务的计费单位。Operations are the billing unit of the Device Provisioning Service. 成功完成到服务的一条指令即为一次操作。One operation is the successful completion of one instruction to the service. 操作包括设备注册和重新注册,还包括服务侧更改(例如添加注册列表条目和更新注册列表条目)。Operations include device registrations and re-registrations; operations also include service-side changes such as adding enrollment list entries, and updating enrollment list entries.