azure sphere

124 Topics

Azure Sphere May 2025 Services release is now available
Today we are releasing an update to the Azure Sphere Services, comprising:

- Ability to pause or re-enable Legacy access
- Change to expired certificate download behavior
- Ability to block devices from receiving Azure Sphere issued certificates

There are no OS or SDK updates in this release.

Ability to pause or re-enable Legacy access

You can now pause Azure Sphere (Legacy) tenant operations using the Azure portal, and you can also reverse this by enabling Azure Sphere (Legacy) if it is paused. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated). The ability to pause and enable Legacy operations assists with migration in the following ways:

- Once you have migrated Legacy use cases, you can pause the Legacy interface to assure yourself that there are no remaining use cases for Legacy, because any use of Legacy will now result in an error.
- You can re-enable Legacy temporarily to enable you to migrate any remaining use cases that you discover.
- For security, once you know that Legacy is no longer needed, we recommend that you pause Legacy to avoid any operations being conducted via that interface.

As of this release, newly created Azure Sphere catalogs will have Legacy access paused by default. Catalogs created by integrating an existing Azure Sphere Legacy tenant will continue to have Legacy access enabled by default, to enable migration to occur without disruption.

Change to expired certificate download behavior

Azure Sphere services will no longer allow you to download expired tenant/catalog certificates. This does not impact production use cases since those certificates are already expired. The metadata for those certificates is still available when viewing your tenant/catalog's list of certificates, but requests for the certificate body via the Legacy CLI, Integrated CLI and Portal will result in a "null" or "not found" response.

Ability to block devices from receiving Azure Sphere issued certificates

Customers may now block devices from receiving device certificates from Azure Sphere via a support request. This capability might be useful if, for instance, a device is lost or stolen, or if an organization wishes to decommission a device. This would prevent services like Azure IoT Hub, which are configured to trust Azure Sphere-issued certificates, from trusting such devices. Please reach out to azsppgsup@microsoft.com if you need this capability.

Azure Sphere 25.04 SDK release is now available
Today we are releasing an update to the Azure Sphere SDK and associated tooling, comprising:

- Updated Azure Sphere SDK 25.04 for Windows and for Linux
- Updated the azure-sphere extension 1.0.2 for Azure CLI
- Updated Azure Sphere extensions for Visual Studio and for Visual Studio Code

There are no OS or services updates in this release.

New and changed features in the 25.04 SDK

The 25.04 release of the Azure Sphere SDK includes the following changes:

Addition of SDK support for Ubuntu 24.04 LTS

The 25.04 SDK adds support for Ubuntu 24.04 LTS. The Linux SDK installer can determine the LTS version of Ubuntu you are running and download and install the appropriate SDK.

End of SDK support for Ubuntu 20.04 LTS

Ubuntu 20.04 is no longer supported by Canonical as of May 2025, so we have removed support for Ubuntu 20.04 from the Azure Sphere SDK.

Error message update for azsphere register-user command

The azsphere register-user command in the Azure Sphere (Legacy) CLI is no longer supported. We have updated the error message shown when this command is used to make it clearer. Alternative methods should be used to register Azure Sphere (Legacy) users.

Addition of message regarding retirement of Azure Sphere (Legacy)

The Azure Sphere (Legacy) interfaces, including the Azure Sphere (Legacy) API (also known as PAPI) and the Azure Sphere (Legacy) CLI (also known as azsphere), will be retired on 27 September 2027. A retirement message has been added to the Azure Sphere CLI and will be displayed when you run the --help parameter for a command. For more information about retirement and how to migrate to Azure Sphere (Integrated), see this blog post.

Removal of Azure Sphere Classic CLI

The Azure Sphere classic CLI is an old version of the CLI that predated the Legacy CLI. We announced its retirement in 2023, and this version is now retired and removed from the SDK. We recommend using Azure Sphere (Integrated).

Updates to the azure-sphere extension for Azure CLI

The azure-sphere extension for the Azure CLI version 1.0.2 is now available. This includes support for the az sphere image-package pack-application command and other improvements.

Updates to Visual Studio and Visual Studio Code extensions

This release includes the following updates to the Azure Sphere extensions for Visual Studio and for Visual Studio Code:

- Updates to the user interfaces to support the Azure Sphere extension for the Azure CLI
- Bug fixes

For technical inquiries, please visit Microsoft Q&A or Stack Overflow. If you require technical support and have a support plan, please submit a support ticket in Microsoft Azure Support or work with your Microsoft Technical Account Manager. If you would like to purchase a support plan, please explore the Azure support plans.

Azure Sphere – Certificate store update
Update 26 February 2025: We have released an update which will result in all devices (regardless of whether they are on the Retail or Retail Eval feed) installing this update and rebooting. This update does not change the OS version.

Azure Sphere is updating the set of certificates it uses to establish trust with TLS endpoints, following best practices for security. The only impact on production devices is that they will experience a reboot when we release the new certificate store to devices, similar to the reboot during an OS update or an update to the trusted key store.

What is a certificate store used for, and why update it?

Azure Sphere devices store a public root certificate, like any device or browser would, to establish an HTTPS connection with an endpoint that is signed with a publicly trusted certificate. The Azure IoT platform transitioned from the Baltimore CyberTrust Root to DigiCert Global Root G2. These certificates are primarily intended for establishing connections to Azure IoT services, such as the Device Provisioning Service and IoT Hub, but are also useful for apps connecting to any HTTPS service that chains up to these same public trust certificates.

While Azure IoT transitioned to DigiCert Global Root G2, the Baltimore CyberTrust Root certificate has remained valid, and has been included in the Azure Sphere certificate store for compatibility. Certificate management is a strength of the Azure Sphere platform, as this is managed by Microsoft on your behalf. However, this certificate is expiring on May 12th 2025, and removing it from the certificate store is a best practice to prevent connectivity to improperly configured web services relying on expired certificates.

When is this happening?

The next update to the image signing certificate is targeted for February 26th 2025. When that happens, all HTTPS attempts to services using the Baltimore CyberTrust Root will cease to function. Azure IoT services have already transitioned to the DigiCert Global Root G2, along with Azure Sphere services, so this should not impact any Microsoft-managed connectivity. However, it is a good practice to audit all app endpoint targets prior to this rollout to ensure that none of the services your app targets still use the Baltimore CyberTrust Root certificate. If you do have a dependency and would like to request an extension for this update, please contact us at AZSPPGSUP@microsoft.com.

After this update is released, the next time that each Azure Sphere device checks for updates (or up to 24 hours later if using the update deferral feature), the device will apply the certificate store update and reboot. The certificate store update is independent of an OS update, and it will apply to devices using both the retail and retail-eval feeds.

Do I need to take any action?

No action is required for production-deployed devices; however, we recommend auditing all services specific to your app that might utilize the Baltimore CyberTrust Root certificate.

Migrate to Azure Sphere (Integrated) ahead of Sept 2027 retirement of Legacy service interface
On 27 September 2027, Azure Sphere will retire its Legacy service interfaces, Azure Sphere (Legacy) API (also known as PAPI), and Azure Sphere CLI (also known as azsphere). This blog will guide you on the migration process and benefits of Azure Sphere (Integrated).