Azure Sphere (Integrated) is generally available
Published Mar 26 2024 02:28 PM

Starting today, Azure Sphere (Integrated), the Azure Sphere management interface built on the Azure Resource Manager platform, is generally available and ready for production use. Azure Sphere (Integrated) is now the recommended interface for the Azure Sphere security service, and is no longer marked Preview in the Azure portal. Azure Sphere (Legacy), the original service API and CLI tool for the Azure Sphere security service, continues to be a fully supported product as well. After a simple, one-time integration process, you can manage any existing Azure Sphere tenant in both Azure Sphere (Integrated) and Azure Sphere (Legacy), enabling you to explore Azure Sphere (Integrated) features and benefits while continuing to use the Azure Sphere (Legacy) API and CLI for ongoing production management tasks until you are ready to fully migrate. 


The power of native Azure integration for Azure Sphere


Azure Sphere (Integrated) is a native Azure interface built on the Azure Resource Manager platform. It lets you manage Azure Sphere tenants and devices directly in the Azure portal and the Azure CLI, and it supports core Azure services including Microsoft Entra, Azure Monitor, and Azure role-based access control (RBAC). You can also use the Azure Sphere (Integrated) REST API to build your own Azure Sphere client applications.


In the Azure portal, you will find a fresh, easy-to-navigate management experience. Note that Azure Sphere (Integrated) uses the term “Azure Sphere catalog” in place of “Azure Sphere tenant” (“tenant” is reserved exclusively for Microsoft Entra tenants).

[Figure 1 (Blog_GA_Fig1_ASRPoverview.png): the Azure portal catalog view]

In the Azure portal catalog view shown above, you can quickly access any Azure Sphere catalog belonging to your Azure subscription and browse the resources within a selected catalog from the left menu. The portal's comprehensive resource views, such as the Device Groups view, show information about each resource; click a specific resource to update its settings or perform administrative tasks, such as creating a deployment for a device group.


In the Azure portal, you can perform common Azure Sphere tasks more efficiently, such as adding multiple images at a time, or claiming multiple devices at a time. The Add images window allows you to add up to 5 images simultaneously, and also specify a device group to which they will be deployed if desired. 

[Figure 2 (Blog_GA_Fig2_AddImages.png): the Add images window]

In the Devices view, you can claim up to 5 devices using the Claim function, or, in the Bulk claim window shown below, up to 500 devices at a time. Download the device claim .csv template, add your device IDs to it, then upload the file and, if desired, specify the device group to which the devices will be assigned.

[Figure 3 (Blog_GA_Fig3_BulkClaim.png): the Bulk claim window]
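As an added example (not the portal's own code or part of the original post), here is a pre-check you can run on a bulk-claim .csv before uploading it, enforcing the 500-device limit from the post, the 128-hex-character Azure Sphere device ID format, and duplicate detection. It assumes the template has a single "DeviceId" column; compare that against the template you download from the portal.

```python
# Added example, not from Microsoft's tooling: validate a bulk-claim CSV offline
# before uploading it in the Devices > Bulk claim window.
# Assumptions: a single "DeviceId" column (check the downloaded template) and
# 128-character hexadecimal Azure Sphere device IDs; 500 per upload is from the post.
import csv
import io
import re

MAX_BULK_CLAIM = 500
DEVICE_ID_RE = re.compile(r"^[0-9A-Fa-f]{128}$")


def check_bulk_claim_csv(text, column="DeviceId"):
    """Return (valid_ids, problems). valid_ids keeps file order; problems are
    human-readable strings, one per offending line plus one for the size limit."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or column not in reader.fieldnames:
        return [], [f"missing '{column}' header"]
    valid, seen, problems = [], set(), []
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        dev = (row.get(column) or "").strip()
        if not DEVICE_ID_RE.match(dev):
            problems.append(f"line {line_no}: not a 128-hex-character device ID")
            continue
        key = dev.lower()  # hex case differences are the same device
        if key in seen:
            problems.append(f"line {line_no}: duplicate device ID")
            continue
        seen.add(key)
        valid.append(dev)
    if len(valid) > MAX_BULK_CLAIM:
        problems.append(
            f"{len(valid)} devices exceeds the {MAX_BULK_CLAIM}-per-upload limit; split the file")
    return valid, problems


# Constructed sample: two good IDs, a case-variant duplicate, and a malformed ID.
GOOD1 = "ab" * 64
GOOD2 = "cd" * 64
SAMPLE_CSV = "DeviceId\n" + "\n".join([GOOD1, GOOD2, GOOD1.upper(), "1234"]) + "\n"

if __name__ == "__main__":
    ids, issues = check_bulk_claim_csv(SAMPLE_CSV)
    print(f"{len(ids)} valid device IDs; {len(issues)} problems")
    for issue in issues:
        print(" -", issue)
```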

Managing users and assigning fine-grained access privileges with Microsoft Entra and Azure Role-Based Access Control (RBAC) 


Azure Sphere (Integrated) offers a streamlined user administration experience with native support for Microsoft Entra and Azure Role-Based Access Control (RBAC). Feel confident that you can more easily stay in compliance with your standard user administration processes and corporate security policies by using your existing Microsoft Entra users and groups to quickly configure Azure Sphere access as employees join, change roles within, or potentially leave the company. 


Leverage the power of Azure RBAC’s fine-grained access control capabilities to grant users access to any Azure Sphere resource, including catalogs, products, device groups, or even individual devices. Select from a set of Azure Sphere (Integrated) pre-built RBAC roles that offer a curated set of privileges for common user functions, or build a custom Azure RBAC role with only the specific privileges your user may need. For example, a company may configure Azure RBAC to allow the following for the different business teams: 


  • The manufacturing team can claim devices to a catalog but do nothing else.
  • The software engineering team can manage engineering-owned device groups and devices, including enabling development, downloading certificates, and deploying new applications, but cannot access production devices. 
  • The operations team can manage production devices, including deploying applications to them, but cannot claim new devices or access engineering-owned devices. 

For more information on best practices for configuring Azure RBAC for Azure Sphere, see this documentation.
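As an added example (not from the original post or Microsoft's own tooling), the following models the three-team policy above as Azure RBAC assignments on Azure Resource Manager scopes and computes which roles apply to a given Azure Sphere resource. It assumes the resource path catalogs/products/deviceGroups/devices, the built-in role names, and a custom claim-only role; confirm the resource provider's actual operations with `az provider operation show --namespace Microsoft.AzureSphere` before building real role definitions.

```python
# Added example: ARM scope inheritance applied to the post's three-team RBAC design.
# A role assignment is inherited by every resource beneath its scope and reaches
# nothing outside it, so a role granted on one device group covers its devices
# but not the catalog or a sibling device group.
# Assumptions (illustrative, not verified against the Azure Sphere provider): the
# resource path below, the built-in role names, and the custom claim-only role.
from dataclasses import dataclass

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sphere"
CATALOG = f"{RG}/providers/Microsoft.AzureSphere/catalogs/contoso-catalog"


def product(name):
    return f"{CATALOG}/products/{name}"


def device_group(prod, name):
    return f"{product(prod)}/deviceGroups/{name}"


def device(prod, dg, device_id):
    return f"{device_group(prod, dg)}/devices/{device_id}"


@dataclass(frozen=True)
class Assignment:
    principal: str  # Microsoft Entra user or group
    role: str
    scope: str      # ARM resource ID at which the role is granted


# Constructed assignments mirroring the manufacturing / engineering / operations split.
ASSIGNMENTS = [
    Assignment("grp-manufacturing", "Custom: Azure Sphere Device Claimer", CATALOG),
    Assignment("grp-engineering", "Azure Sphere Contributor", device_group("widget", "Engineering")),
    Assignment("grp-operations", "Azure Sphere Publisher", device_group("widget", "Production")),
]


def in_scope(scope, resource_id):
    """True if resource_id is the scope itself or lies beneath it in the ARM hierarchy.
    The trailing '/' stops '.../Engineering' from matching '.../EngineeringLab'."""
    return resource_id == scope or resource_id.startswith(scope + "/")


def effective_roles(principal, resource_id, assignments=ASSIGNMENTS):
    """Roles the principal holds on resource_id after scope inheritance, sorted."""
    return sorted({a.role for a in assignments
                   if a.principal == principal and in_scope(a.scope, resource_id)})
```

The manufacturing assignment at catalog scope is inherited by every device in the catalog, so the policy only holds if that custom role's permitted actions are limited to claiming.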


Seamless CLI access with the Azure Sphere extension for Azure CLI 


The Azure Sphere extension for Azure CLI lets you perform Azure Sphere tasks directly in Azure’s command line tool and fluently switch between Azure Sphere tasks and other Azure tasks. 

[Figure 4 (Blog_GA_Fig4_CLI.png): the Azure Sphere extension for Azure CLI]

The Azure Sphere CLI extension supports all the commands found in the legacy “azsphere” tooling, including commands that operate on locally attached Azure Sphere devices via USB, such as configuring Wi-Fi settings, and commands that interact with the Azure Sphere Security Service, such as deploying an application over the air to remote devices.


Comprehensive fleet monitoring and troubleshooting with Azure Monitor 


Native support for Azure Monitor offers an array of monitoring and troubleshooting capabilities that can help you identify, remotely diagnose and potentially resolve issues without needing to dispatch a technician to a physical site. Azure Monitor collects data and log events from both the Azure Sphere devices and the Azure Sphere security service itself, and pre-built log file queries allow you to quickly build comprehensive views. Gain deeper insights and enjoy faster issue resolution with Azure Monitor’s metrics and diagnostics as you analyze unexpected behaviors and correlate potentially related events across your fleet, as well as with other Azure services such as IoT Hub.  

[Figure (Metrics 2 (16x9) (2).png): Azure Monitor metrics view for an Azure Sphere fleet]

For more information about best practices for using Azure Monitor for Azure Sphere devices, see this blog post.  


Easily set up trust relationships between Azure Sphere devices and Azure IoT


When you connect an Azure Sphere device to an Azure IoT Hub or Azure IoT Hub Device Provisioning Service (DPS), the service must first be set up to trust that device’s catalog using the catalog’s CA certificate. Azure Sphere (Integrated) simplifies this process; you can now set this up directly in the Azure portal.


Facilitating transition from Azure Sphere (Legacy) to Azure Sphere (Integrated) 


If you have an existing Azure Sphere (Legacy) tenant, you can integrate it into Azure Sphere (Integrated) in one simple step: select the tenant and click the Integrate button, as shown below.

[Figure 6 (Blog_GA_Fig6_IntegrateScreen.png): the Integrate screen]

The Integrate function does two things: 

  • Assigns an Azure resource ID to each resource in the tenant, enabling Azure Resource Manager to manage it.
  • Suggests a mapping of the tenant’s user accounts and access assignments to Microsoft Entra user accounts and Azure RBAC role assignments. During the integrate process, you can choose whether to accept or reject the mapping suggestion for each tenant user account. 

It’s important to understand that the integration process simply enables the new interface, Azure Sphere (Integrated), to manage the same underlying resources. The tenant itself is not copied; it remains stored in the Azure Sphere security service, as shown below.

[Figure 7 (Blog_GA_Fig7_Interfaces.png): Azure Sphere (Integrated) and Azure Sphere (Legacy) interfaces managing the same tenant]

Once the integration process is complete, you can manage your tenant (now called a catalog) in the Azure portal, the Azure CLI, or using the Azure Sphere (Integrated) API. You can also continue to manage the tenant using the Azure Sphere (Legacy) CLI and API as needed. 


The Azure Sphere (Legacy) interface remains generally available and fully supported. For more information about the two interfaces please see this documentation. 


Try it out today 

If you are an existing Azure Sphere user, we recommend migrating to Azure Sphere (Integrated). Azure Sphere (Integrated) includes important new security and usability features such as fine-grained permission controls via integration with Azure RBAC, integration with Azure Monitor to get alerts of events such as upcoming catalog certificate rollover, and Azure portal integration, which provides a graphical user interface for managing Azure Sphere devices and catalogs. These features are not available in Azure Sphere (Legacy).


Because of the backwards-compatible integration process, you can get started with testing Azure Sphere (Integrated) using your existing tenant while your existing processes and scripts continue to work with Azure Sphere (Legacy).   


If you are new to Azure Sphere, we recommend you start by acquiring an Azure Sphere development kit and claiming it into a new Azure Sphere (Integrated) catalog.   



Last update: Mar 26 2024 12:14 PM