Commit 2dc4567

Merge pull request #279448 from limwainstein/device-builders-iot-hub-change
Set up access to IoT hub
2 parents e2291ef + a606729 commit 2dc4567

1 file changed

+90
-2
lines changed

articles/defender-for-iot/device-builders/quickstart-onboard-iot-hub.md

Lines changed: 90 additions & 2 deletions
@@ -18,6 +18,13 @@ This article explains how to enable Microsoft Defender for IoT on an Azure IoT h
1818

1919
- The ability to create a standard tier IoT Hub.
2020

21+
- For the [resource group and access management setup process](#allow-access-to-the-iot-hub), you need the following roles:
22+
23+
- To add role assignments, you need the Owner, Role Based Access Control Administrator and User Access Administrator roles.
24+
- To register resource providers, you need th Owner and Contributor roles.
25+
26+
Learn more about [privileged administrator roles in Azure](../../role-based-access-control/role-assignments-steps.md#privileged-administrator-roles).
27+
2128
> [!NOTE]
2229
> Defender for IoT currently only supports standard tier IoT Hubs.
2330
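Review bot: typo at line 24 of the hunk, "th Owner" should read "the Owner". Also, line 21 calls the linked section the "resource group and access management setup process", but the section it links to registers resource providers, not resource groups; suggest "resource provider and access management setup process". Finally, lines 23 and 24 read as if every listed role is required at once ("you need the Owner, Role Based Access Control Administrator and User Access Administrator roles"); each of those roles can add role assignments on its own, so "one of the following roles" would be clearer, and the same applies to "the Owner and Contributor roles" for registering resource providers.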
@@ -33,6 +40,8 @@ You can create a hub in the Azure portal. For all new IoT hubs, Defender for IoT
3340

3441
:::image type="content" source="media/quickstart-onboard-iot-hub/management-tab.png" alt-text="Ensure the Defender for IoT toggle is set to on.":::
3542

43+
1. Follow these steps to [allow access to the IoT Hub](#allow-access-to-the-iot-hub).
44+
3645
## Enable Defender for IoT on an existing IoT Hub
3746

3847
You can onboard Defender for IoT to an existing IoT Hub, where you can then monitor the device identity management, device to cloud, and cloud to device communication patterns.
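Review bot: the new step at line 43 is a bare link that says neither what it accomplishes nor whether it must be completed before the toggle shown in the screenshot above it takes effect, so a reader may treat it as optional. Suggest stating the outcome in the step itself, for example "Register the Microsoft.IoTSecurity resource provider and grant Azure Security for IoT access to the hub by following the steps to [allow access to the IoT Hub](#allow-access-to-the-iot-hub)." The anchor does match the "### Allow access to the IoT Hub" heading added elsewhere in this PR.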
@@ -41,15 +50,17 @@ You can onboard Defender for IoT to an existing IoT Hub, where you can then moni
4150

4251
1. Sign in to the [Azure portal](https://portal.azure.com/).
4352

53+
1. Follow these steps to [allow access to the IoT Hub](#allow-access-to-the-iot-hub).
54+
4455
1. Navigate to **IoT Hub** > **`Your hub`** > **Defender for IoT** > **Overview**.
4556

4657
1. Select **Secure your IoT solution**, and complete the onboarding form.
4758

4859
:::image type="content" source="media/quickstart-onboard-iot-hub/secure-your-iot-solution.png" alt-text="Select the secure your IoT solution button to secure your solution." lightbox="media/quickstart-onboard-iot-hub/secure-your-iot-solution-expanded.png":::
4960

50-
The **Secure your IoT solution** button will only appear if the IoT Hub hasn't already been onboarded, or if you set the Defender for IoT toggle to **Off** while onboarding.
61+
The **Secure your IoT solution** button will only appear if the IoT Hub hasn't already been onboarded, or if you set the Defender for IoT toggle to **Off** while onboarding.
5162

52-
:::image type="content" source="media/quickstart-onboard-iot-hub/toggle-is-off.png" alt-text="If your toggle was set to off during onboarding.":::
63+
:::image type="content" source="media/quickstart-onboard-iot-hub/toggle-is-off.png" alt-text="If your toggle was set to off during onboarding.":::
5364

5465
## Verify that Defender for IoT is enabled
5566

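Review bot: lines 50/61 and 52/63 remove and re-add text that is identical in the rendered diff (the "Secure your IoT solution" note and the toggle-is-off image), which suggests a whitespace-only or indentation change; confirm it is intentional and that the note still renders as part of the preceding list item rather than breaking the numbered list. The new step at line 53 is the same bare link used in the new-hub procedure, and the same wording improvement (say what the step accomplishes) applies here.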
@@ -85,6 +96,83 @@ Configure data collection settings for Defender for IoT in your IoT hub, such as
8596

8697
1. Select **Save** to save your settings.
8798

99+
## Set up resource providers and access control
100+
101+
To set up permissions needed to access the IoT hub:
102+
103+
1. [Set up resource providers and access control for the IoT hub](#allow-access-to-the-iot-hub).
104+
1. To allow access to a Log Analytics workspace, also [set up resource providers and access control for Log Analytics workspace](#allow-access-to-a-log-analytics-workspace).
105+
106+
Learn more about [resource providers and resource types](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).
107+
108+
### Allow access to the IoT Hub
109+
110+
To allow access to the IoT Hub:
111+
112+
#### Set up resource providers for the IoT hub
113+
114+
1. Sign in to the [Azure portal](https://portal.azure.com/) and navigate to the **Subscriptions** page.
115+
116+
1. In the subscriptions table, select your subscription.
117+
118+
1. In the subscription page that opens, from the left menu bar, select **Resource providers**.
119+
120+
1. In the search bar, type: *Microsoft.iot*.
121+
122+
1. Select the **Microsoft.IoTSecurity** provider and verify that its status is **Registered**.
123+
124+
#### Set up access control for the IoT hub
125+
126+
1. In your IoT hub, from the left menu bar, select **Access control (IAM)**, and from the top menu, select **Add > Add role assignment**.
127+
128+
1. In the **Role tab**, select the **Privileged administrator roles** tab, and select the **Contributor** role.
129+
130+
1. Select the **Members** tab, and next to **Members**, select **Select members**.
131+
132+
1. In the **Select members** page, in the **Select** field, type *Azure security*, select **Azure Security for IoT**, and select **Select** at the bottom.
133+
134+
1. Back in the **Members** tab, select **Review + assign** at the bottom of the tab, in the **Review and assign tab**, select **Review + assign** at the bottom again.
135+
136+
### Allow access to a Log Analytics workspace
137+
138+
To connect to a Log Analytics workspace:
139+
140+
#### Set up resource providers for the Log Analytics workspace
141+
142+
1. In the Azure portal, navigate to the **Subscriptions** page.
143+
144+
1. In the subscriptions table, select your subscription.
145+
146+
1. In the subscription page that opens, from the left menu bar, select **Resource providers**.
147+
148+
1. In the search bar, type: *Microsoft.OperationsManagement*.
149+
150+
1. Select the **Microsoft.OperationsManagement** provider and verify that its status is **Registered**.
151+
152+
#### Set up access control for the Log Analytics workspace
153+
154+
1. In the Azure portal, search for and navigate to the **Log analytics workspaces** page, select your workspace, and from the left menu, select **Access control (IAM)**.
155+
156+
1. From the top menu, select **Add > Add role assignment**.
157+
158+
1. In the **Role tab**, under **Job function roles**, search for *Log analytics*, and select the **Log Analytics Contributor** role.
159+
160+
1. Select the **Members** tab, and next to **Members**, select **Select members**.
161+
162+
1. In the **Select members** page, in the **Select** field, type *Azure security*, select **Azure Security for IoT**, and select **Select** at the bottom.
163+
164+
1. Back in the **Members** tab, select **Review + assign** at the bottom of the tab, in the **Review and assign tab**, select **Review + assign** at the bottom again.
165+
166+
#### Enable Defender for IoT
167+
168+
1. In your IoT hub, from the left menu, select **Settings**, and in the **Settings page**, select **Data Collection**.
169+
170+
1. Toggle on **Enable Microsoft Defender for IoT**, and select **Save** at the bottom.
171+
172+
1. Under **Choose the Log Analytics workspace you want to connect to**, set the toggle to **On**.
173+
174+
1. Select the subscription for which you [set up the resource provider](#set-up-resource-providers-for-the-log-analytics-workspace) and workspace.
175+
88176
## Next steps
89177

90178
Advance to the next article to add a resource group to your solution.
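Review bot: lines 122 and 150 only say "verify that its status is Registered" and give no action when it is not, even though both headings promise to "Set up resource providers"; add the missing step, e.g. "If the status is NotRegistered, select Register and wait for it to change to Registered." Several smaller points in the same hunk: the link text at line 103 ("Set up resource providers and access control for the IoT hub") does not match the heading it points to at line 108 ("Allow access to the IoT Hub"), so align one with the other; line 110 ("To allow access to the IoT Hub:") introduces a sub-heading rather than a list and can be dropped; lines 134 and 164 are comma splices ("select **Review + assign** at the bottom of the tab, in the **Review and assign tab**, select ...") and should be split into two sentences. Line 128 assigns the **Contributor** role, taken from the **Privileged administrator roles** tab, to the Azure Security for IoT identity on the hub; the text should state why Contributor is required rather than a narrower built-in role so that readers can justify the grant, and make explicit that the assignment is scoped to the hub, not the subscription. Lastly, the "#### Enable Defender for IoT" section at line 166 is nested under "### Allow access to a Log Analytics workspace" but changes the hub's Data Collection settings, which the existing section ending at context lines 85-87 ("Configure data collection settings ... Select **Save**") already covers; either merge the two or move the new section out from under the Log Analytics heading.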
