title Manage device enrollments in the Azure portal
titleSuffix Azure IoT Hub Device Provisioning Service
description How to manage group and individual device enrollments for your Device Provisioning Service (DPS) in the Azure portal.
author cwatson-cat
ms.author cwatson
ms.date 08/11/2025
ms.topic how-to
ms.service azure-iot-hub
services iot-dps
manager lizross
ms.subservice azure-iot-hub-dps

Manage device enrollments in the Azure portal

A device enrollment creates a record of a single device or a group of devices that can at some point register with the Azure IoT Hub Device Provisioning Service (DPS). The enrollment record contains the initial configuration for the device as part of that enrollment. Included in the configuration is either the IoT hub to which a device is assigned, or an allocation policy that applies to a set of IoT hubs. This article shows you how to manage device enrollments for your provisioning service.

The Device Provisioning Service supports two types of enrollments: enrollment groups and individual enrollments.

Important

If you have trouble accessing enrollments from the Azure portal, it might be because you have public network access disabled or IP filtering rules configured that block access for the Azure portal. To learn more, see Disable public network access limitations and IP filter rules limitations.

Prerequisites

Create an enrollment group

An enrollment group is an entry for a group of devices that share a common attestation mechanism. We recommend that you use an enrollment group for a large number of devices that share an initial configuration, or for devices that go to the same tenant. Enrollment groups support either X.509 certificate or symmetric key attestation.

For a walkthrough that demonstrates how to create and use enrollment groups with X.509 certificates, see Tutorial: Provision devices using symmetric key enrollment groups.

To create an X.509 certificate enrollment group:

[!INCLUDE iot-dps-enrollment-group-x509.md]

For a walkthrough that demonstrates how to create and use enrollment groups with symmetric keys, see Tutorial: Provision devices using symmetric key enrollment groups.

To create a symmetric key enrollment group:

[!INCLUDE iot-dps-enrollment-group-key.md]

Enrollment groups don't support TPM attestation.


Create an individual enrollment

An individual enrollment is an entry for a single device that can be assigned to an IoT hub. Devices using X.509 certificates, symmetric key, and TPM attestation are supported.

For a walkthrough of how to create and use individual enrollments with X.509 certificates, see Quickstart: Provision an X.509 certificate device.

To create an X.509 certificate individual enrollment:

[!INCLUDE iot-dps-individual-enrollment-x509.md]

For a walkthrough of how to create and use individual enrollments with symmetric keys, see Quickstart: Provision a symmetric key device.

To create a symmetric key individual enrollment:

[!INCLUDE iot-dps-individual-enrollment-key.md]

For a walkthrough of how to create and use individual enrollments using TPM attestation, see Quickstart: Provision a simulated TPM device. If you don't have the endorsement key and registration ID for your device, use the quickstart to try these steps on a simulated device.

To create a TPM individual enrollment:

[!INCLUDE iot-dps-individual-enrollment-tpm.md]


Update an enrollment entry

To update an existing enrollment entry:

  1. Sign in to the Azure portal and navigate to your Device Provisioning Service instance.

  2. Select Manage enrollments from the Settings section of the navigation menu.

  3. Select either the Enrollment groups or Individual enrollments tab, depending on whether you want to update an enrollment group or an individual enrollment.

  4. Select the name of the enrollment entry that you wish to modify.

  5. On the enrollment entry details page, you can update all items, except the security type and credentials.

  6. Once completed, select Save.

Remove a device enrollment

To remove an enrollment entry:

  1. Sign in to the Azure portal and navigate to your Device Provisioning Service instance.

  2. Select Manage enrollments from the Settings section of the navigation menu.

  3. Select either the Enrollment groups or Individual enrollments tab, depending on whether you want to remove an enrollment group or an individual enrollment.

  4. Select the enrollment entry you want to remove.

  5. At the top of the page, select Delete.

  6. When prompted to confirm, select Yes.

  7. Once the action is completed, you see that your entry is removed from the list of device enrollments.

Note

Deleting an enrollment group doesn't delete the registration records for devices in the group. DPS uses the registration records to determine whether the maximum number of registrations is reached for the DPS instance. Orphaned registration records still count against this quota. For the current maximum number of registrations supported for a DPS instance, see Quotas and limits.

You might want to delete the registration records for the enrollment group before deleting the enrollment group itself. You can see and manage the registration records for an enrollment group manually on the Registration Records tab for the group in the Azure portal. You can retrieve and manage the registration records programmatically using the Device Registration State REST APIs or equivalent APIs in the DPS service SDKs, or using the az iot dps enrollment-group registration Azure CLI commands.
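
The cleanup order described in this note, as an added example that is not part of the original article: it deletes a group's registration records with the az iot dps enrollment-group registration commands, and removes the enrollment group only if every record was deleted. It assumes the azure-iot CLI extension and a signed-in az session; the function name, argument order, and DRY_RUN switch are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example: delete an enrollment group's registration records first,
# then the group, so no orphaned records keep counting against the quota.
# purge_enrollment_group and DRY_RUN are names invented for this example.
# DRY_RUN defaults to 1 (report only); set DRY_RUN=0 to actually delete.

purge_enrollment_group() {
    dps="$1"; rg="$2"; group="$3"
    if [ -z "$dps" ] || [ -z "$rg" ] || [ -z "$group" ]; then
        echo "usage: purge_enrollment_group <dps-name> <resource-group> <group-id>" >&2
        return 2
    fi

    # One registration ID per line; tsv output avoids needing a JSON parser.
    ids=$(az iot dps enrollment-group registration list \
            --dps-name "$dps" --resource-group "$rg" \
            --enrollment-id "$group" \
            --query "[].registrationId" --output tsv) || return 1

    failed=0
    for rid in $ids; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would delete registration record: $rid"
            continue
        fi
        az iot dps enrollment-group registration delete \
            --dps-name "$dps" --resource-group "$rg" \
            --registration-id "$rid" || { echo "failed: $rid" >&2; failed=1; }
    done

    # Keep the group if any record survived, so the remaining records
    # stay visible on the group's Registration Records tab.
    if [ "$failed" -ne 0 ]; then
        echo "registration records remain; enrollment group not deleted" >&2
        return 1
    fi
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "would delete enrollment group: $group"
        return 0
    fi
    az iot dps enrollment-group delete \
        --dps-name "$dps" --resource-group "$rg" --enrollment-id "$group"
}
```

Run it once with the default dry run to review the registration IDs that would be removed, then again with DRY_RUN=0.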

Next steps