Introducing Azure Sphere (Integrated) Public Preview
Published Aug 08 2023 01:40 PM

We are excited to announce the public preview release of a new seamless Azure experience for Azure Sphere users. Azure Sphere (Integrated) enables you to manage your Azure Sphere catalogs and devices directly from the Azure portal and Azure CLI. This is driven by a new API integrating the Azure Sphere Security Service into the Azure Resource Manager, Azure’s control plane management platform. 


In this blog post, we will illustrate the advantages and new features of Azure Sphere (Integrated), and tell you how to take next steps to try this out using either existing or new Azure Sphere devices.


Azure Portal and Azure CLI integration

The Azure portal provides comprehensive views of your Azure Sphere fleet, including products, device groups, and devices in an easy-to-navigate interface where you can claim devices individually or in bulk, quickly configure device group property settings, or create and deploy new applications in a single step. Administrators will appreciate new views, such as the Device Groups view below, where you can simultaneously see each device group’s current OS feed, its current app update policy, and whether crash dump files are being collected from devices in the group or not.





Other conveniences of working directly in Azure portal include being able to view which resource group and subscription a given catalog belongs to, and easily finding help when you need it. Experiencing an issue? Simply search troubleshooting content directly in the Azure portal, or quickly file a support ticket, complete with pre-populated case information such as the resource ID and Azure subscription ID.





The new Azure Sphere extension for Azure CLI allows you to manage Azure Sphere devices from the command line in the native Azure CLI tool, fluently performing Azure Sphere tasks right alongside your other Azure tasks.  Like the existing Azure Sphere CLI tool “azsphere”, the Azure CLI extension "az sphere" supports commands that operate on locally-attached devices via USB (e.g. configuring WiFi settings or sideloading an application), as well as commands that interact with the Azure Sphere Security Service via the new Azure Sphere (Integrated) API (e.g. to deploy an application over-the-air to remote devices).




Azure Role Based Access Control (RBAC) and the new Azure Sphere built-in RBAC roles

User administrators will appreciate the power of Azure Role Based Access Control (RBAC) that delivers the ability to configure granular user permissions for Azure Sphere catalogs, products, and device groups individually. Using the new Azure Sphere built-in RBAC roles, you can quickly assign specific Azure Sphere permissions for your organization’s Azure Active Directory (AAD) users and groups. For example, you can enable development teams to manage their development and test devices and deploy new software to them, while simultaneously only allowing operations teams to manage or update production devices deployed to customer installations.





Advanced fleet monitoring and diagnostic insights with Azure Monitor

All remote device administrators appreciate the ability to remotely monitor, immediately identify, and remotely diagnose and resolve issues without needing to dispatch a technician to a physical site. With Azure Monitor’s new support for Azure Sphere devices, you can quickly set up fleet monitoring and event logging using pre-built Azure Sphere queries and Azure’s standard Diagnostics configuration. Azure Monitor brings greatly expanded troubleshooting capabilities to your fleet management as it collects data and log events from both the Azure Sphere devices and the Azure Sphere Security Service itself. Azure Monitor’s metrics, diagnostics, and event logging capabilities provide you with a comprehensive view where you can easily analyze unexpected behaviors and immediately correlate potentially related events across other Azure services such as IoT Hub with the Azure Sphere Security Service, leading to deeper insights and faster issue resolution.





The new Azure Sphere (Integrated) API vs. the Azure Sphere (Legacy) API

The integration into Azure Resource Manager is achieved through a new Azure Sphere (Integrated) REST API. This API has been launched in Public Preview alongside the existing Azure Sphere (Legacy) API – also known as Azure Sphere PAPI.  Here is a summary:


Azure Sphere (Integrated)

  •  Refers to the Azure Resource Manager interface for Azure Sphere, accessed through the Azure Portal, Azure CLI extension commands (az sphere) and new REST API.
  •  Is available in Public Preview and is recommended for development and evaluation uses. For production use cases such as production-scale manufacturing or management of field-deployed customer devices we recommend that you depend on our Generally Available interface, Azure Sphere (Legacy), until Azure Sphere (Integrated) becomes Generally Available. See later in the document for how you can have both interfaces active on the same underlying devices.
  •  During the Public Preview phase, we may make API, command-line or Portal UX changes that may, for example, break compatibility with scripted uses, in order to react to user feedback and fix bugs before General Availability.

Azure Sphere (Legacy)

  •  Refers to the original Public API (PAPI) interface, accessed through the Azure Sphere (azsphere) CLI tool, and directly via the Public API interface.
  •  Remains Generally Available and fully supported.  This will continue to be true even after Azure Sphere (Integrated) becomes Generally Available, though we recommend that customers plan to move to Azure Sphere (Integrated) over time due to the features it enables above.

An Azure Sphere ‘tenant’ is a logical grouping of Azure Sphere resources within the Azure Sphere (Legacy) interface - including products, devices, device groups, and software images.  Since the name 'tenant' is already in use within Azure, to avoid ambiguity we are using a different word - 'catalog' - for the same logical grouping in Azure Sphere (Integrated). 



Both interfaces can be used simultaneously on the same Azure Sphere device resources

An existing Azure Sphere (Legacy) tenant can be integrated into an Azure Sphere (Integrated) catalog while still being accessible via the Legacy PAPI-based interfaces. This causes a new catalog to be created that relates to the same devices that are present in the PAPI tenant. It’s important to understand that the underlying Azure Sphere resources themselves (products, devices, device groups, and images) are not changed, duplicated, or deleted in this process. As the illustration below shows, you can use either interface to manage the same set of Azure Sphere resources that have been integrated to an Azure Sphere (Integrated) catalog.




Because both interfaces can be used at the same time, existing customers can continue to use the Azure Sphere (Legacy) interface as normal (e.g. for production use cases), while developing and testing new tooling/scripts/processes based on the Azure Sphere (Integrated) interface. No point-in-time "migration" is required.


Integrating a (Legacy) tenant into an (Integrated) catalog can be accomplished using the Azure Portal:




Try it out today!

As described above, Azure Sphere (Integrated) adds many new features to Azure Sphere device management, and we are excited for you to try this preview out and share your feedback with us via email at  If you have existing Azure Sphere devices, you can get started by integrating your existing Azure Sphere (Legacy) tenant.  If you are new to Azure Sphere, we recommend you start by acquiring an Azure Sphere development kit and claiming it into a new Azure Sphere (Integrated) catalog.  Further details and guidance can be found in the Azure Sphere documentation.


Last update: Aug 08 2023 01:24 PM