DPS overview freshness

kgremban · kgremban · commit bbdd477092d2 · 2025-02-27T13:44:09.000-08:00
diff --git a/articles/iot-dps/about-iot-dps.md b/articles/iot-dps/about-iot-dps.md
@@ -3,7 +3,7 @@ title: Overview of Azure IoT Hub Device Provisioning Service
 description: Describes production scale device provisioning in Azure with the Device Provisioning Service (DPS) and IoT Hub
 author: kgremban
 ms.author: kgremban
-ms.date: 03/12/2024
+ms.date: 02/27/2025
 ms.topic: overview
 ms.service: azure-iot-hub
 services: iot-dps
@@ -25,11 +25,11 @@ The following diagram describes what goes on behind the scenes to provision a de
 Before the device provisioning flow begins, there are two manual steps to prepare:
 
 * On the device side, the device manufacturer prepares the device for provisioning by preconfiguring it with its authentication credentials and assigned Device Provisioning Service ID and endpoint. 
-* On the cloud side, you or the device manufacturer prepares the Device Provisioning Service instance with individual enrollments and enrollment groups that identify valid devices and define how they should be provisioned.
+* On the cloud side, you or the device manufacturer prepares the Device Provisioning Service instance with enrollments that identify valid devices and define how they should be provisioned.
 
-Once the device and cloud are set up for provisioning, the following steps kick off automatically as soon as the device powers on for the first time:
+Once the device and cloud are set up for provisioning, the following steps begin automatically when the device powers on for the first time:
 
-1. The device powers on for the first time, then connects to the DPS endpoint and presents it authentication credentials.
+1. The device powers on for the first time, then connects to the DPS endpoint and presents its authentication credentials.
 1. The DPS instance checks the identity of the device against its enrollment list. Once the device identity is verified, DPS assigns the device to an IoT hub and registers it in the hub.
 1. The DPS instance receives the device ID and registration information from the assigned hub and passes that information back to the device.
 1. The device uses its registration information to connect directly to its assigned IoT hub and authenticate.
@@ -47,7 +47,7 @@ There are many provisioning scenarios in which DPS is an excellent choice for ge
 * Reprovisioning based on a change in the device
 * Rolling the keys used by the device to connect to IoT Hub (when not using X.509 certificates to connect)
 
-Provisioning of nested IoT Edge devices (parent/child hierarchies) isn't currently supported by DPS.
+DPS doesn't support provisioning of nested IoT Edge devices (parent/child hierarchies).
 
 ## Provisioning process
 
@@ -60,9 +60,9 @@ Both of these steps can be incorporated into existing manufacturing and deployme
 
 ### Manufacturing step
 
-This step is all about what happens on the manufacturing line. The roles involved in this step include silicon designer, silicon manufacturer, integrator and/or the end manufacturer of the device. This step is concerned with creating the hardware itself.
+This step is all about what happens on the manufacturing line. The roles involved in this step include silicon designer, silicon manufacturer, integrator, and/or the end manufacturer of the device. This step is concerned with creating the hardware itself.
 
-DPS doesn't introduce a new step in the manufacturing process; rather, it ties into the existing step that installs the initial software and (ideally) the hardware security module (HSM) on the device. Instead of creating a device ID in this step, the device is programmed with the provisioning service information, enabling it to call the provisioning service to get its connection info/IoT solution assignment when it's switched on.
+DPS doesn't introduce a new step in the manufacturing process; rather, it ties into the existing step that installs the initial software and (ideally) the hardware security module (HSM) on the device. Instead of creating a device ID in this step, the device is programmed with the provisioning service information, enabling it to call the provisioning service to get its connection info/IoT solution assignment when it turns on.
 
 Also in this step, the manufacturer supplies the device deployer/operator with identifying key information. Supplying that information could be as simple as confirming that all devices have an X.509 certificate generated from a signing certificate provided by the device deployer/operator, or as complicated as extracting the public portion of a TPM endorsement key from each TPM device. Many silicon manufacturers offer these services.
 
@@ -81,15 +81,15 @@ After the service is configured for automatic provisioning, it must be prepared
 * The first part is establishing the initial connection between the device and the IoT solution by registering the device.
 * The second part is applying the proper configuration to the device based on the specific requirements of the solution it was registered to.
 
-Once both of those two steps have been completed, we can say that the device has been fully provisioned. Some cloud services only provide the first step of the provisioning process, registering devices to the IoT solution endpoint, but don't provide the initial configuration. DPS automates both steps to provide a seamless provisioning experience for the device.
+Once both of those steps are completed, we can say that the device is fully provisioned.
 
 ## Features of the Device Provisioning Service
 
 DPS has many features, making it ideal for provisioning devices.
 
 * **Secure attestation** support for both X.509 and TPM-based identities.
-* **Enrollment list** containing the complete record of devices/groups of devices that may at some point register. The enrollment list contains information about the desired configuration of the device once it registers, and it can be updated at any time.
-* **Multiple allocation policies** to control how DPS assigns devices to IoT hubs in support of your scenarios: Lowest latency, evenly weighted distribution (default), and static configuration. Latency is determined using the same method as [Traffic Manager](../traffic-manager/traffic-manager-routing-methods.md#performance). Custom allocation, which lets you implement your own allocation policies via webhooks hosted in Azure Functions is also supported.
+* **Enrollment list** containing the complete record of devices/groups of devices that might register at some point. The enrollment list contains information about the desired configuration of a device once it registers, and it can be updated at any time.
+* **Multiple allocation policies** to control how DPS assigns devices to IoT hubs in support of your scenarios: Lowest latency, evenly weighted distribution (default), and static configuration. Custom allocation lets you implement your own allocation policies via webhooks hosted in Azure Functions instead of using one of the defaults.
 * **Monitoring and diagnostics logging** to make sure everything is working properly.
 * **Multi-hub support** allows DPS to assign devices to more than one IoT hub. DPS can talk to hubs across multiple Azure subscriptions.
 * **Cross-region support** allows DPS to assign devices to IoT hubs in other regions.
@@ -99,93 +99,63 @@ You can learn more about the concepts and features involved in device provisioni
 
 ## Cross-platform support
 
-Just like all Azure IoT services, DPS works cross-platform with various operating systems. Azure offers [open-source SDKs](https://github.com/Azure/azure-iot-sdks) in various languages to facilitate connecting devices and managing the service. DPS supports the following protocols for connecting devices:
+Just like all Azure IoT services, DPS works cross-platform with various operating systems. Azure offers [open-source SDKs](https://github.com/Azure/azure-iot-sdks) in various languages to facilitate connecting devices and managing the service.
 
-* HTTPS
+DPS supports the following protocols for connecting devices:
+
+* HTTPS*
 * AMQP
 * AMQP over web sockets
 * MQTT
 * MQTT over web sockets
 
-DPS only supports HTTPS connections for service operations.
+*DPS only supports HTTPS connections for service operations.
 
 ## Regions
 
-DPS is available in many regions. The list of supported regions for all services is available at [Azure Regions](https://azure.microsoft.com/regions/). You can check availability of the Device Provisioning Service on the [Azure Status](https://azure.microsoft.com/status/) page.
+DPS is available in many regions. For the list of supported regions for all services, see [Azure regions](https://azure.microsoft.com/regions/). You can check availability of the Device Provisioning Service on the [Azure status](https://azure.microsoft.com/status/) page.
 
-For resiliency and reliability, we recommend deploying to one of the regions that support [Availability Zones](iot-dps-ha-dr.md).
+For resiliency and reliability, we recommend deploying to one of the regions that support [availability zones](iot-dps-ha-dr.md).
 
 ### Data residency consideration
 
 Device Provisioning Service stores customer data. By default, customer data is replicated to a secondary region to support disaster recovery scenarios. For deployments in Southeast Asia and Brazil South, customers can choose to keep their data only within that region by [disabling disaster recovery](./iot-dps-ha-dr.md). For more information, see [Cross-region replication in Azure](../reliability/cross-region-replication-azure.md).
 
-DPS uses the same [device provisioning endpoint](concepts-service.md#device-provisioning-endpoint) for all provisioning service instances, and performs traffic load balancing to the nearest available service endpoint. As a result, authentication secrets may be temporarily transferred outside of the region where the DPS instance was initially created. However, once the device is connected, the device data flows directly to the original region of the DPS instance. To ensure that your data doesn't leave the original or secondary region, use a private endpoint. To learn how to set up private endpoints, see [DPS support for virtual networks](virtual-network-support.md#private-endpoint-limitations).
+DPS uses the same [device provisioning endpoint](concepts-service.md#device-provisioning-endpoint) for all provisioning service instances, and performs traffic load balancing to the nearest available service endpoint. As a result, authentication secrets might be temporarily transferred outside of the region where the DPS instance was initially created. However, once the device is connected, the device data flows directly to the original region of the DPS instance. To ensure that your data doesn't leave the original or secondary region, use a private endpoint. To learn how to set up private endpoints, see [DPS support for virtual networks](virtual-network-support.md#private-endpoint-limitations).
 
-## Quotas and Limits
+## Quotas and limits
 
-Each Azure subscription has default quota limits in place that could impact the scope of your IoT solution. The current limit is 10 Device Provisioning Service instances per subscription.
+Each Azure subscription has default quota limits in place that could affect the scope of your IoT solution. The current limit is 10 Device Provisioning Service instances per subscription.
 
-For more information about quota limits, see [Azure Subscription Service Limits](../azure-resource-manager/management/azure-subscription-service-limits.md).
+For more information about quota limits, see [Azure subscription service limits](../azure-resource-manager/management/azure-subscription-service-limits.md).
 
 [!INCLUDE [azure-iotdps-limits](../../includes/iot-dps-limits.md)]
 
 ## Billable service operations and pricing
 
-Each API call on DPS is billable as one *operation*. This includes all the service APIs and the device registration API.
+Each API call on DPS, whether from the service APIs or the device registration API, is billable as one *operation*.
 
-The tables below show the current billable status for each DPS service API operation. To learn more about pricing for DPS, select **Pricing table** at the top of the [Azure IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub/) page. Then select the  **IoT Hub Device Provisioning Service** tab and the currency and region for your service.
+The following tables show the current billable status for each DPS API operation. To learn more about pricing for DPS, select **Pricing table** at the top of the [Azure IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub/) page. Then select the  **IoT Hub Device Provisioning Service** tab and the currency and region for your service.
 
 | API | Operation | Billable? |
 | --------------- | -------  | -- |
-|  Device API | [Device Registration Status Lookup](/rest/api/iot-dps/device/runtime-registration/device-registration-status-lookup) | No|
-|  Device API | [Operation Status Lookup](/rest/api/iot-dps/device/operation-groups)| No |
-|  Device API | [Register Device](/rest/api/iot-dps/device/runtime-registration/register-device) | Yes |
-| DPS Service API (registration state)  | [Delete](/rest/api/iot-dps/service/device-registration-state/delete) | Yes|
-| DPS Service API (registration state)  | [Get](/rest/api/iot-dps/service/device-registration-state/get) | Yes|
-| DPS Service API (registration state)  | [Query](/rest/api/iot-dps/service/device-registration-state/query) | Yes|
-| DPS Service API (enrollment group) | [Create or Update](/rest/api/iot-dps/service/enrollment-group/create-or-update) | Yes|
-| DPS Service API (enrollment group) | [Delete](/rest/api/iot-dps/service/enrollment-group/delete) | Yes|
-| DPS Service API (enrollment group) | [Get](/rest/api/iot-dps/service/enrollment-group/get) | Yes|
-| DPS Service API (enrollment group) | [Get Attestation Mechanism](/rest/api/iot-dps/service/enrollment-group/get-attestation-mechanism)| Yes|
-| DPS Service API (enrollment group) | [Query](/rest/api/iot-dps/service/enrollment-group/query) | Yes|
-| DPS Service API (enrollment group) | [Run Bulk Operation](/rest/api/iot-dps/service/enrollment-group/run-bulk-operation) | Yes|
-| DPS Service API (individual enrollment) | [Create or Update](/rest/api/iot-dps/service/individual-enrollment/create-or-update)  | Yes|
-| DPS Service API (individual enrollment)| [Delete](/rest/api/iot-dps/service/individual-enrollment/delete) | Yes|
-| DPS Service API (individual enrollment)| [Get](/rest/api/iot-dps/service/individual-enrollment/get) | Yes|
-| DPS Service API (individual enrollment)| [Get Attestation Mechanism](/rest/api/iot-dps/service/individual-enrollment/get-attestation-mechanism) | Yes|
-| DPS Service API (individual enrollment)| [Query](/rest/api/iot-dps/service/individual-enrollment/query)  | Yes|
-| DPS Service API (individual enrollment)| [Run Bulk Operation](/rest/api/iot-dps/service/individual-enrollment/run-bulk-operation)  | Yes|
-|  DPS Certificate API|  [Create or Update](/rest/api/iot-dps/dps-certificate/create-or-update) | No |
-|  DPS Certificate API| [Delete](/rest/api/iot-dps/dps-certificate/delete) | No |
-|  DPS Certificate API| [Generate Verification Code](/rest/api/iot-dps/dps-certificate/generate-verification-code)|No  |
-|  DPS Certificate API| [Get](/rest/api/iot-dps/dps-certificate/get) | No |
-|  DPS Certificate API| [List](/rest/api/iot-dps/dps-certificate/list) |No  |
-|  DPS Certificate API| [Verify Certificate](/rest/api/iot-dps/dps-certificate/verify-certificate) | No |
-|  IoT DPS Resource API| [Check Provisioning Service Name Availability](/rest/api/iot-dps/iot-dps-resource/check-provisioning-service-name-availability)  | No |
-|  IoT DPS Resource API| [Create or Update](/rest/api/iot-dps/iot-dps-resource/create-or-update)  | No |
-|  IoT DPS Resource API| [Delete](/rest/api/iot-dps/iot-dps-resource/delete) |  No|
-|  IoT DPS Resource API| [Get](/rest/api/iot-dps/iot-dps-resource/get) | No |
-|  IoT DPS Resource API| [Get Operation Result](/rest/api/iot-dps/iot-dps-resource/get-operation-result)| No |
-|  IoT DPS Resource API| [List By Resource Group](/rest/api/iot-dps/iot-dps-resource/list-by-resource-group) |No  |
-|  IoT DPS Resource API| [List By Subscription](/rest/api/iot-dps/iot-dps-resource/list-by-subscription) |No  |
-|  IoT DPS Resource API| [List By Keys](/rest/api/iot-dps/iot-dps-resource/list-keys) |No  |
-|  IoT DPS Resource API| [List Keys for Key Name](/rest/api/iot-dps/iot-dps-resource/list-keys-for-key-name) |No  |
-|  IoT DPS Resource API| [List Valid SKUs](/rest/api/iot-dps/iot-dps-resource/list-valid-skus) |No  |
-|  IoT DPS Resource API| [Update](/rest/api/iot-dps/iot-dps-resource/update) |  No|
+| [DPS Device API - runtime registration](/rest/api/iot-dps/device/runtime-registration) | Device registration status lookup | No |
+|  | Operation status lookup | No |
+|  | Register device | Yes |
+| [DPS Service API - device registration state](/rest/api/iot-dps/service/device-registration-state)  | All | Yes |
+| [DPS Service API - enrollment group](/rest/api/iot-dps/service/enrollment-group) | All | Yes |
+| [DPS Service API - individual enrollment](/rest/api/iot-dps/service/individual-enrollment) | All  | Yes |
+| [DPS Certificate API](/rest/api/iot-dps/dps-certificate) | All | No |
+| [IoT DPS Resource API](/rest/api/iot-dps/iot-dps-resource) | All  | No |
 
 ## Related Azure components
 
 DPS automates device provisioning with Azure IoT Hub. Learn more about [IoT Hub](../iot-hub/index.yml).
 
-> [!NOTE]
-> Provisioning of nested edge devices (parent/child hierarchies) is not currently supported by DPS.
-
 IoT Central applications use an internal DPS instance to manage device connections. To learn more, see [How devices connect to IoT Central](../iot-central/core/overview-iot-central-developer.md).
 
 ## Next steps
 
-You now have an overview of provisioning IoT devices in Azure. The next step is to try out an end-to-end IoT scenario.
-
 [Set up IoT Hub Device Provisioning Service with the Azure portal](quick-setup-auto-provision.md)
 
 [Create and provision a simulated device](quick-create-simulated-device-tpm.md)
diff --git a/includes/iot-dps-limits.md b/includes/iot-dps-limits.md
@@ -9,25 +9,25 @@ ms.subservice: azure-iot-hub-dps
 
 The following table lists the limits that apply to Azure IoT Hub Device Provisioning Service resources.
 
-| Resource | Limit | Adjustable? |
-| --- | --- | --- |
-| Maximum device provisioning services per Azure subscription | 10 | No |
-| Maximum number of registrations | 1,000,000 | No |
-| Maximum number of individual enrollments | 1,000,000 | No |
-| Maximum number of enrollment groups *(X.509 certificate)* | 100 | No |
-| Maximum number of enrollment groups *(symmetric key)* | 100 | No |
-| Maximum number of CAs | 25 | No |
-| Maximum number of linked IoT hubs | 50 | No |
-| Maximum size of message | 96 KB| No |
+| Resource | Limit |
+| --- | --- |
+| Maximum device provisioning services per Azure subscription | 10 |
+| Maximum number of registrations | 1,000,000 |
+| Maximum number of individual enrollments | 1,000,000 |
+| Maximum number of enrollment groups *(X.509 certificate)* | 100 |
+| Maximum number of enrollment groups *(symmetric key)* | 100 |
+| Maximum number of CAs | 25 |
+| Maximum number of linked IoT hubs | 50 |
+| Maximum size of message | 96 KB|
 
 > [!TIP]
-> If the hard limit on symmetric key enrollment groups is a blocking issue, it is recommended to use individual enrollments as a workaround.
+> If the hard limit on symmetric key enrollment groups is a blocking issue, use individual enrollments as a workaround.
 
 The Device Provisioning Service has the following rate limits.
 
-| Rate | Per-unit value | Adjustable? |
-| --- | --- | --- |
-| Operations | 1,000/min/service | No |
-| Device registrations | 1,000/min/service | No |
-| Device polling operation | 5/10 sec/device | No |
+| Rate | Per-unit value |
+| --- | --- |
+| Operations | 1,000/min/service |
+| Device registrations | 1,000/min/service |
+| Device polling operation | 5/10 sec/device |
 
