Upload your intermediate or root CA certificate to Azure DPS and complete the proof-of-possession verification by generating and uploading a signed verification certificate.
Create an enrollment group in DPS specifying the CA certificate, the desired IoT Hub allocation policy (e.g., lowest latency, static assignment), and optionally a Device Twin initial state template.
Pre-install a unique leaf certificate signed by the registered CA on each device; the device does not need to be pre-registered in DPS or IoT Hub.
On first boot, the device connects to the DPS global endpoint (global.azure-devices-provisioning.net) on port 8883 using MQTT with its leaf certificate for TLS mutual authentication.
DPS validates the certificate chain against the enrollment group CA, assigns the device to an IoT Hub, creates the device identity, and returns the assigned IoT Hub hostname in the MQTT response.
The device stores the assigned IoT Hub hostname and reconnects directly to IoT Hub for all subsequent operations, bypassing DPS.
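As an added example (not the page's own code and not Microsoft's device SDK), here is the registration exchange from the last three steps modelled offline in Python: the MQTT username format, the register and poll topics, and the state machine that turns a 202 "assigning" response followed by a 200 "assigned" response into the IoT Hub hostname the device stores. The ID scope, registration ID, operation ID and hub name are constructed placeholders, and the MQTT-over-TLS transport itself (an MQTT client with the leaf certificate loaded into its TLS context) is assumed and not shown.

```python
import json
from urllib.parse import parse_qs

API_VERSION = "2019-03-31"  # DPS MQTT API version; broker is global.azure-devices-provisioning.net:8883

def mqtt_username(id_scope: str, registration_id: str) -> str:
    return f"{id_scope}/registrations/{registration_id}/api-version={API_VERSION}"

def register_request(registration_id: str, rid: int):
    """Initial PUT topic and payload; replies arrive on $dps/registrations/res/#."""
    return f"$dps/registrations/PUT/iotdps-register/?$rid={rid}", json.dumps({"registrationId": registration_id})

def poll_request(rid: int, operation_id: str) -> str:
    return f"$dps/registrations/GET/iotdps-get-operationstatus/?$rid={rid}&operationId={operation_id}"

def parse_response_topic(topic: str):
    """'$dps/registrations/res/202/?$rid=1&retry-after=3' -> (202, 1, 3)."""
    path, _, query = topic.partition("?")
    qs = parse_qs(query)
    return int(path.rstrip("/").rsplit("/", 1)[1]), int(qs["$rid"][0]), int(qs.get("retry-after", ["0"])[0])

def handle_response(status: int, payload: str) -> dict:
    """One step of the registration state machine: assigning -> poll, assigned -> connect, else fail."""
    body = json.loads(payload)
    if status == 202 and body.get("status") == "assigning":
        return {"next": "poll", "operationId": body["operationId"]}
    if status == 200 and body.get("status") == "assigned":
        reg = body["registrationState"]
        return {"next": "connect", "assignedHub": reg["assignedHub"], "deviceId": reg["deviceId"]}
    return {"next": "fail", "error": body.get("message", body.get("status", "unknown"))}

def run_registration(transcript, registration_id="device-0001", rid=1):
    """Replay DPS responses as the device sees them; returns (outcome, topics the device published)."""
    sent = [register_request(registration_id, rid)[0]]
    for topic, payload in transcript:
        status, got_rid, retry_after = parse_response_topic(topic)
        if got_rid != rid:
            continue  # not a reply to our outstanding request
        outcome = handle_response(status, payload)
        if outcome["next"] != "poll":
            return outcome, sent  # on "connect", persist assignedHub and talk to IoT Hub directly from now on
        rid += 1  # a real device sleeps retry_after seconds before publishing the poll
        sent.append(poll_request(rid, outcome["operationId"]))
    return {"next": "fail", "error": "no terminal response"}, sent

# Constructed sample exchange (not captured from a real DPS instance): 202 "assigning", then 200 "assigned".
ASSIGNED = json.dumps({"operationId": "op-constructed-1", "status": "assigned", "registrationState": {
    "registrationId": "device-0001", "assignedHub": "example-hub.azure-devices.net", "deviceId": "device-0001"}})
SAMPLE_TRANSCRIPT = [("$dps/registrations/res/202/?$rid=1&retry-after=3", '{"operationId": "op-constructed-1", "status": "assigning"}'),
                     ("$dps/registrations/res/200/?$rid=2", ASSIGNED)]
```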
Known gotchas
Proof-of-possession must be completed for every CA certificate registered in DPS; skipping this step leaves the CA in an unverified state and enrollment groups using it will not function.
Enrollment groups match any certificate issued by the registered CA; use custom allocation policies (Azure Functions) if you need to assign devices to different hubs based on attributes in the certificate subject.
DPS re-provisioning on reconnect is controlled by the reprovisioningSettings in the enrollment group; by default, devices are not re-provisioned if they already have an IoT Hub assignment.