| title | Create an IoT Hub with Certificate Management in Azure Device Registry using a Script |
|---|---|
| description | This article explains how to create an IoT Hub with Azure Device Registry and certificate management integration using a script. |
| author | cwatson-cat |
| ms.author | cwatson |
| ms.service | azure-iot-hub |
| ms.topic | include |
| ms.date | 12/19/2025 |
Use the provided PowerShell script to automate the setup of your IoT Hub with Azure Device Registry integration. The script performs all the necessary steps to create the required resources and link them together, including:
- Create a resource group
- Configure the necessary app privileges
- Create a user-assigned managed identity
- Create an ADR namespace with system-assigned managed identity
- Create a credential (root CA) and policy (issuing CA) scoped to that namespace
- Create an IoT Hub (preview) with linked namespace and managed identity
- Create a DPS with linked IoT Hub and namespace
- Sync your credential and policies (CA certificates) to IoT Hub
- Create an enrollment group and link to your policy to enable certificate provisioning
> [!IMPORTANT]
> During the preview period, IoT Hub with ADR integration and certificate management features enabled on top of IoT Hub are available free of charge. Device Provisioning Service (DPS) is billed separately and isn't included in the preview offer. For details on DPS pricing, see Azure IoT Hub pricing.
- Download PowerShell 7 for Windows.
- Navigate to the GitHub repository and download the Scripts folder, which contains the script file, `iothub-adr-certs-setup-preview.ps1`.
Open the script file in a text editor and modify the following variables to match your desired configuration.
- `TenantId`: Your tenant ID. You can find this value by running `az account show` in your terminal.
- `SubscriptionId`: Your subscription ID. You can find this value by running `az account show` in your terminal.
- `ResourceGroup`: The name of your resource group.
- `Location`: The Azure region where you want to create your resources. Check out the available locations for preview features in the Supported regions section.
- `NamespaceName`: Your namespace name may only contain lowercase letters and hyphens ('-') in the middle of the name, but not at the beginning or end. For example, "msft-namespace" is a valid name.
- `HubName`: Your hub name can only contain lowercase letters and numerals.
- `DpsName`: The name of your Device Provisioning Service instance.
- `UserIdentity`: The user-assigned managed identity for your resources.
- `WorkingFolder`: The local folder where your script is located.
[!INCLUDE iot-hub-pii-note-naming-hub]
- Open the script and run it in PowerShell 7+ as an administrator. Navigate to the folder containing your script and run `.\iothub-adr-certs-setup-preview.ps1`.
- If you run into an execution policy issue, try running `powershell -ExecutionPolicy Bypass -File .\iothub-adr-certs-setup-preview.ps1`.
- Follow the guided prompts:
  - Press `Enter` to proceed with a step
  - Press `s` or `S` to skip a step
  - Press `Ctrl+C` to abort

  > [!NOTE]
  > The creation of your ADR namespace, IoT Hub, DPS, and other resources may take up to 5 minutes each.

- The script continues execution when warnings are encountered and only stops if a command returns a non-zero exit code. Monitor the console for red ERROR messages, which indicate issues that require attention.
- Once the script completes, validate the creation of your resources by visiting your new Resource Group on the Azure portal. You should see the following resources created:
  - IoT Hub instance
  - Device Provisioning Service (DPS) instance
  - Azure Device Registry (ADR) namespace
  - User-Assigned Managed Identity (UAMI)
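
The following check is an added example, not part of the setup script or of this article's repository. It tests `NamespaceName` and `HubName` against the naming rules listed for the script variables and reports which of the four expected resources are absent from `az resource list` output. The function names, sample values, and resource type strings are assumptions; confirm the type strings against the output from your own subscription.

```powershell
# Added example; not part of iothub-adr-certs-setup-preview.ps1.
# Assumed resource type strings; confirm them against your own 'az resource list' output.
$ExpectedTypes = @(
    'Microsoft.Devices/IotHubs'                          # IoT Hub instance
    'Microsoft.Devices/provisioningServices'             # DPS instance
    'Microsoft.DeviceRegistry/namespaces'                # ADR namespace
    'Microsoft.ManagedIdentity/userAssignedIdentities'   # UAMI
)

function Test-SetupNames {
    # Returns one message per naming rule that the supplied values break.
    param([string]$NamespaceName, [string]$HubName)
    # -cnotmatch is case-sensitive, so uppercase letters are rejected.
    if ($NamespaceName -cnotmatch '^[a-z]([a-z-]*[a-z])?$') {
        "NamespaceName '$NamespaceName': lowercase letters and inner hyphens only."
    }
    if ($HubName -cnotmatch '^[a-z0-9]+$') {
        "HubName '$HubName': lowercase letters and numerals only."
    }
}

function Get-MissingResourceTypes {
    # Returns the expected types that do not appear in the resource list JSON.
    param([string]$ResourceListJson, [string[]]$Expected = $ExpectedTypes)
    $found = @($ResourceListJson | ConvertFrom-Json | ForEach-Object { $_.type })
    # -notcontains ignores case, as Azure resource type names do.
    @($Expected | Where-Object { $found -notcontains $_ })
}

# Constructed sample of 'az resource list' output with the DPS instance absent.
$sample = @'
[
  {"name": "contosohub01",   "type": "Microsoft.Devices/IotHubs"},
  {"name": "msft-namespace", "type": "Microsoft.DeviceRegistry/namespaces"},
  {"name": "contoso-uami",   "type": "Microsoft.ManagedIdentity/userAssignedIdentities"}
]
'@
# Against a real deployment, replace the sample with:
#   $sample = az resource list --resource-group '<your-resource-group>' --output json | Out-String

# Constructed invalid names: a leading hyphen, and an uppercase letter plus underscore.
Test-SetupNames -NamespaceName '-msft-namespace' -HubName 'Contoso_Hub' |
    ForEach-Object { Write-Warning $_ }

$missing = Get-MissingResourceTypes -ResourceListJson $sample
if ($missing) {
    Write-Warning "Resource types not found: $($missing -join ', ')"
} else {
    Write-Output 'All four expected resource types are present.'
}
```

Because the script keeps running after warnings and lets you skip steps, a missing type here usually points to a skipped or failed step rather than a naming problem.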