Trust and security at scale: integrate Azure PKI with device provisioning service for IoT

Background and goals

Azure IoT Hub Device Provisioning Service (DPS) provisions large fleets of devices by automatically connecting each device to the right IoT hub. Azure PKI (Public Key Infrastructure) is a cloud-based Azure service that helps organizations issue and manage the digital certificates used to securely identify devices and services.

In the IoT space, every device must authenticate itself before it can communicate with the cloud. By integrating DPS with PKI, each device is automatically issued a trusted X.509 certificate during provisioning, so the device holds its own private key and the cloud only needs to trust the issuing CA. This is a crucial starting point for removing the barrier to X.509 certificate adoption and helping our customers and partners improve their IoT security posture.

User pain points

55% of IoT survey respondents indicated that device certificates and identities were their most important security priority, while 47% of DPS users still use symmetric keys, a less secure way to authenticate devices because the same secret must be stored on the device and in the cloud.

Many customers rely on third-party tools for certificate issuance and management, which adds cost and requires complex integration with Azure IoT.

Design principles

Set clear expectations: use plain language that reflects users’ intent, and show progress and status along the way.

Just-in-time help: Provide contextual guidance such as helper text, tooltips, or inline prompts to support users in the moment and prevent errors.

Don’t overwhelm the users: use a step-by-step wizard and progressive disclosure; keep the main flow simple and move complexity into advanced settings.

Streamline the workflow: group related steps and chunk information into digestible sections.

Design process

Form Hypothesis

Lo-Fi Exploration

Feedback

Iterate

Hi-Fi Design

Launch & monitor

Prototype in Axure

I used Axure to build a prototype for the Azure PKI project because it provides a clear and interactive way to communicate the concept across teams, especially with the Azure PKI team, which sits outside our IoT organization.

It also enables us to gather meaningful user feedback early in the process, allowing us to validate assumptions and refine the user experience before investing in development.

Given the security priority, it is critical to identify potential technical constraints and usability challenges early on.

Used a wizard-style flow to break the process into discrete steps and reduce cognitive load.

Integrated the PKI link steps directly into the flow, connecting siloed experiences into a cohesive, end-to-end journey. This helps users understand the full context of what they’re doing, reduces confusion, and streamlines the process of linking and managing certificates across services.

Hi-fi design screens

Previously, users had to navigate to individual IoT hubs to find registration details and separately visit DPS to check certificate expiration dates. By bringing this scattered data together in one place, the design helps users more easily understand the relationship between certificate status and device registration, reducing the likelihood of missed expirations or misconfigurations.

User feedback

Here are some highlights from user feedback:

“This is great! Prior to this, I might have gone to linked IoT hubs to see, you know, the linked hubs, and then I might have gone to a particular hub to search for a particular device by its ID.”

-Lead Software Developer, Mesh Systems

"I'm really glad the link steps are now part of the main flow... it used to feel so disconnected. Now it feels like one continuous process instead of jumping between siloed experiences."

-System Architect #2, Shell Oil