Microsoft Entra ID · Hardware & Devices
IoT Device Administrator
Provisions new IoT devices, manages their lifecycle, configures certificates, and manages device templates.
Scope: Full management of IoT devices and device templates in Entra ID
Permissions
- Provision IoT devices
- Manage device lifecycle
- Configure device certificates
- Create device templates
- Manage template owners
Common use cases
- IoT device onboarding
- Device template management
- Certificate configuration
- Device lifecycle management
- Smart building deployments
Best practices
- Use standardized templates
- Rotate certificates regularly
- Document device provisioning
- Monitor device health
Security considerations
- Can provision new devices
- Certificate access is sensitive
- Device impersonation risk
- Network access implications
Common questions
When should I assign the IoT Device Administrator role?
Assign IoT Device Administrator when you need to: IoT device onboarding; Device template management; Certificate configuration; Device lifecycle management; and Smart building deployments. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the IoT Device Administrator role do?
The IoT Device Administrator role grants permissions including: Provision IoT devices; Manage device lifecycle; Configure device certificates; Create device templates; and Manage template owners. See the Permissions section above for the full list.
What are the security risks of the IoT Device Administrator role?
Key considerations when assigning IoT Device Administrator: Can provision new devices; Certificate access is sensitive; Device impersonation risk; and Network access implications. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.