Skip to content

Releases: Azure/azure-iot-operations

2606 Update

Choose a tag to compare

@vealumalai vealumalai released this 30 Jun 21:11
e616c56

AIO2606 (v1.3.137) Public Release Notes

Release date: June 2026

Release type: Patch

Current GA version: 2606 · Version history

Azure IoT Operations (AIO) 2606 is a security and stability-focused patch release that delivers critical security vulnerability remediation across MQTT broker authorization, registry endpoints, and onboarding components, reliability improvements for OPC UA and dataflow connectors, and enhanced testing coverage for connector resilience.

Upgrade to 2606 from any supported GA version to ensure you receive the latest security patches and reliability enhancements. Staying current is recommended for continued support and reliability.


Release Highlights

  • Critical security vulnerability remediation: Addressed three high-priority security vulnerabilities including globe metacharacter injection in broker authorization, arbitrary audience/host token minting in registry endpoints, and incomplete ABAC conditions in onboarding role assignment.

  • OPC UA connector session management enhancements: Improved session lifecycle management with configurable method-execution client idle timeout and fixed issues preventing endpoints from transitioning between states correctly.

  • Dataflow health status and enrichment reliability: Fixed issues where dataflow health status could become stuck in a degraded state after transient failures, and resolved problems with the Map transform when enriching datasets with multiple records.

  • MQTT connector resilience improvements: Fixed an issue where async task panics could silently fail, addressed MQTT source status reporting on disconnect, and enhanced broker authorization handling with improved attribute matching validation.


Connectors

Fixes (MQTT)

  • Connector async task panic handling: Fixed an issue where panics in connector async tasks could cause the MQTT connector to stop processing device data without surfacing a clear failure signal. The connector now properly surfaces and logs async task failures to enable faster diagnosis.

OPC UA

Fixes

  • Session management and idle timeout: Fixed an issue where OPC UA Commander opened and closed sessions too frequently in certain customer scenarios. The method-execution client idle timeout is now configurable, allowing operators to tune session lifecycle behavior for their specific workloads.

  • Action request expiration handling: Fixed an issue where actions were enqueued in the OPC UA execution queue even if the request had already expired. Expired requests are now properly rejected before reaching the execution queue.

  • Endpoint state transitions: Fixed an issue where changed endpoints never transitioned to other states, causing them to remain in an inconsistent state. Endpoints now correctly transition between states in response to configuration changes and operational events.

MQTT

Fixes

  • Broker authorization attribute matching: Fixed an issue where MQ Broker authorization with attributes expected all attributes from the Security Access Token (SAT) to match configured patterns. Authorization validation now correctly handles partial attribute matching according to configured policies.

Dataflows

Fixes

  • Health status state machine recovery: Fixed an issue where dataflow graph health status could become stuck at Degraded after a download timeout. The health status state machine now correctly transitions out of degraded states when operations succeed.

  • Map transform enrichment with multi-record datasets: Fixed an issue where the 1P "Map" transform failed to enrich records when the context dataset contained multiple records and belonged to an asset. The enrichment logic now correctly handles multi-record context datasets.

  • Source status unavailability reporting on disconnect: Fixed an issue where the MQTT source status was not reporting unavailable when the connector disconnected. The source now correctly reports availability state changes on connection events.

Platform

Fixes

  • Meta Operator recovery from transient failures: Fixed an issue where an Azure IoT Operations instance custom resource (CR) could become permanently stuck in Failed state after a transient upgrade failure. Instance recovery is now more resilient to temporary failures during upgrades and cluster scaling events.

Security

Fixes

  • Glob metacharacter injection in BrokerAuthorization: Fixed a critical security vulnerability where special characters in BrokerAuthorization state-store key pattern substitution could be interpreted as glob metacharacters, potentially allowing unauthorized access. Key pattern matching now properly escapes metacharacters.

  • RegistryEndpoint arbitrary audience/host for MSI token minting: Fixed a critical security vulnerability where RegistryEndpoint allowed arbitrary audience and host values when minting Managed Service Identity (MSI) tokens. Token minting now enforces strict validation of audience and host parameters.

  • Azure IoT Operations Onboarding role self-assignment: Fixed a critical security vulnerability where the Azure IoT Operations Onboarding role had incomplete Attribute-Based Access Control (ABAC) conditions, allowing identities to self-assign the Contributor role. ABAC conditions have been strengthened to prevent role self-escalation.

  • Schema Registry vulnerability remediation: Addressed security vulnerabilities in Schema Registry components by updating affected dependencies to patched versions.


Known Issues

  • Inconsistent default authentication behavior on Akri Operator: The Akri Operator may display inconsistent default authentication behavior in certain configurations. Refer to updated documentation for recommended authentication configuration patterns.
  • MQTT Connector blocks external MQTT brokers with private IPs. Starting 2605, if the external MQTT broker has a private IP, the MQTT connector will not connect to it. This will be fully resolved in 2607.

2605 Update

Choose a tag to compare

@vealumalai vealumalai released this 26 May 16:48
c11dad8

AIO2605 (v1.3.105) Public Release Notes

Release date: May 2026

Release type: Patch

Current GA version: 2605 · Version history

Azure IoT Operations (AIO) 2605 is a security and reliability-focused patch release that delivers network security hardening for MQTT, REST, and SSE connectors, vulnerability remediation across the MQTT connector and Schema Registry, improved MQTT connector resilience, and reduced logging noise in the REST and SSE connectors.

Upgrade to 2605 from any supported GA version to ensure you receive the latest security patches and reliability enhancements. Staying current is recommended for continued support and reliability.


Release Highlights

  • Connector address validation and network security hardening: The MQTT, REST, and SSE connectors now validate configured server URLs against restricted address ranges, preventing connections to internal, loopback, link-local, and cloud-reserved endpoints.

  • MQTT connector data forwarding resilience: Fixed an issue in the MQTT connector's data forwarding pipeline that could block further processing of datasets. The connector now handles forwarding errors gracefully without disrupting other datasets.

  • OPC UA connector session management improvements: The OPC UA connector's model change observer now supports multiple subscribers per endpoint using a single shared session, significantly reducing session overhead.

  • Security vulnerability remediation: Addressed High-severity security vulnerabilities across the MQTT connector and Schema Registry components, including OpenSSL and system library updates.


Connectors

Fixes (MQTT, REST, SSE)

  • Address validation and network security hardening: Fixed an issue where the MQTT, REST, and SSE connectors accepted arbitrary URL targets without sufficient address validation. The connectors now block connections to restricted addresses, report configuration errors for blocked addresses, block DNS names that resolve to restricted ranges, and disable automatic HTTP redirect following to prevent bypass of address validation controls.

MQTT

Fixes

  • Data forwarding pipeline resilience: Fixed an issue where a failure in the MQTT connector's data forwarding path could block the dataset processing pipeline, affecting all datasets processed by the connector. The connector now isolates forwarding failures to the affected operation without disrupting other datasets.

  • Reconnection backoff for external MQTT servers: Fixed an issue where the MQTT connector immediately attempted to recreate a connection after a disconnection. The connector now implements a reconnect delay with exponential backoff.

Known Issues

  • MQTT connector template version mismatch during update: When updating to 2605, existing MQTT connector templates may display mismatched metadata versions in the portal. To resolve, delete and recreate the connector template. Alternatively, use the Azure CLI to update the connector. This will be fully resolved in 2606.

REST / SSE

Fixes

  • Reduced logging noise: Fixed an issue where the REST connector produced logs on every sampling interval, generating excessive log output. Sampling-interval and status reporting logs have been reduced and error messages improved with more actionable detail.

OPC UA

Fixes

  • Excessive session creation for model change observation: Fixed an issue where the OPC UA connector created a separate session for every model change observer, even when sync properties was disabled. The observer now shares a single session per endpoint and is no longer created when sync properties is disabled.

  • Unique certificate identity for multi-instance deployments: Fixed an issue where multiple AIO instances connecting to the same OPC UA server generated certificates with the same Common Name. Each instance now generates certificates with a unique subject Common Name.

  • OPC UA connector startup race condition: Fixed a race condition during startup where an incorrect signal after connecting to the MQTT broker caused the connector to hang.

Messaging and MQTT

Fixes

  • Broker replica recovery during cluster scaling: Fixed an issue where an MQTT broker replica joining an existing cluster could become permanently stuck during recovery. Broker replicas now correctly complete data synchronization before becoming operational.

  • Custom authentication diagnostics and connectivity: Fixed an issue where custom authentication failures and certificate parsing errors were silently discarded. Warning-level logs are now emitted for authentication failures, and the network policy has been updated to allow authentication pods to reach custom authentication servers.

  • Broker data consistency during pod failures: Fixed an issue where the MQTT broker's internal replication could produce inconsistent data if a broker pod was terminated during state synchronization. State synchronization is now atomic.

  • Diagnostics probe memory stability: Fixed an issue where the MQTT broker diagnostics probe could enter an infinite loop and consume unbounded memory under memory pressure. The probe now correctly detects and handles cyclic references.

Dataflows

Fixes

  • Unnecessary error logging for optional health status configuration: Fixed an issue where the dataflow engine logged error messages when the optional health status configuration was not present. The configuration is now correctly treated as optional.

  • Health status not reported for Kafka delivery failures: Fixed an issue where the dataflow health status was not updated when messages continuously failed to deliver to Kafka destinations. The dataflow now reports an unavailable health status when Kafka delivery fails.

  • Proxy support for image pulls: Fixed an issue where proxy environment variables were not passed through to the container runtime during image pulls. Proxy settings are now correctly propagated.

Azure Device Registry

Fixes

  • Schema Registry vulnerability remediation: See Security for details.

Azure IoT Operations CLI Extension

New features

  • Data flow graph command group: Added a new az iot ops dataflowgraph command group that enables operators to manage DataflowGraph resources associated with a dataflow profile. The group includes apply (create or replace from a JSON configuration file via --config-file), show, list, and delete commands, providing first-class CLI support for dataflow graph lifecycle management.

  • Data flow graph configuration validation: The az iot ops dataflowgraph apply command now validates node connection directions and enforces required graph node configuration parameters before submission, surfacing actionable client-side errors instead of relying on server-side rejection.

  • Mgmt actions clientIdPrefix: The az iot ops mgmt-actions enable command now sets clientIdPrefix on the EG MQTT dataflow endpoint it creates.

Fixes

  • Friendly error for invalid configuration files: Fixed an issue where CLI commands that accept --config-file surfaced a raw parser traceback for malformed JSON. The CLI now raises a clear, user-friendly error message identifying the invalid file.

  • Connector template image tag resolution: Fixed an issue where the connector template create flow did not use the correct image tag source. The CLI now resolves the connector image tag from imageConfigurationSettings.tag, ensuring templates reference the intended image version.

Platform

Fixes

  • Observability metrics collection during installation: Fixed a race condition during installation where a resource cleanup step could remove freshly installed observability components. The cleanup process now correctly excludes observability resources, ensuring metrics collection is reliably deployed.

Security

Fixes

  • MQTT connector vulnerability remediation: Addressed High-severity OpenSSL and system library vulnerabilities in the MQTT connector container image.

  • Schema Registry vulnerability remediation: Addressed security vulnerabilities in Schema Registry by updating affected dependencies to patched versions.

  • Dataflows WebAssembly runtime vulnerability remediation: Addressed High and Critical severity vulnerabilities in the WebAssembly runtime by updating affected dependencies to patched versions.

2604 Update

Choose a tag to compare

@vealumalai vealumalai released this 28 Apr 19:19
c1fcd50

AIO2604 (v1.3.70) Public Release Notes

Release date: April 2026

Release type: Patch

Current GA version: 2604 · Version history

Azure IoT Operations (AIO) 2604 is a stability and security-focused release that delivers vulnerability remediation across multiple components, MQTT connector reliability and health reporting improvements, OPC UA connector health state consistency, dataflow stability fixes, and new portal and tooling capabilities.


Release Highlights

  • MQTT connector health status improvements: The MQTT connector now surfaces richer health status signals for assets and endpoints, improving operational visibility and enabling faster diagnosis of connectivity issues.

  • Data Flow extension for VSCode now generally available: The VS Code extension for building third-party WebAssembly transforms is now GA, enabling developers to author and test custom data transformation modules directly from VS Code.

  • Resource status in Azure Portal and CLI: AIO and Azure Device Registry resource health status is now visible in the Azure IoT Operations Experience, Azure Portal, and CLI, giving operators a unified view of resource state across cloud and edge.

  • Dataflow graph startup reliability: Fixed a race condition that could prevent dataflow graphs from starting on busy clusters, improving deployment reliability in high-density environments.

  • Security vulnerability remediation: Addressed High and Critical security vulnerabilities across Akri, Schema Registry, AIO Observability, and OpenTelemetry SDK components.

Upgrade recommended if you rely on MQTT connectors, OPC UA connectors, dataflow graphs, or health monitoring — this release delivers critical connector stability fixes, improved health reporting, and security patches.

Upgrade to 2604 from any supported GA version to ensure you receive the latest security patches and reliability enhancements. Staying current is recommended for continued support and reliability.


Components Overview

Dataflows

Fixes

  • Dataflow graph startup race condition: Fixed an issue where dataflow graphs could fail to start under certain race conditions on busy clusters, which could result in timed-out commands and failed pipeline execution. Dataflow graphs now start reliably regardless of cluster load.

  • Client-side retries for transient failures: Fixed an issue where dataflows lacked client-side retry logic, which could cause them to hang indefinitely on transient failures. Dataflows now include retry logic to recover gracefully from transient errors without requiring manual intervention, improving overall messaging reliability.

Connectors

OPC UA

Fixes

  • Health state retransmission: Fixed an issue where the OPC UA connector did not periodically retransmit the last known health state for assets and devices, which could cause resources to fall to Unknown status after 5 minutes of stable operation. The connector now retransmits health state every 5 minutes, ensuring that healthy assets and devices maintain accurate status reporting.

MQTT

Fixes

  • Health status reporting improvements: The MQTT connector now surfaces improved health status signals for assets and endpoints, providing operators with more accurate and timely visibility into connector health and connectivity state.

  • Connector initialization timeout: Fixed an issue where the timeout for loading a transform graph to the connector was insufficient, which could cause dataset processing to fail.

  • Asset discovery with numeric identifiers: Fixed an issue where the MQTT connector failed to discover assets when the asset-level identifier derived from MQTT topics started with a digit (common with MAC address-based identifiers), which could prevent assets from being onboarded. The connector now correctly handles identifiers that begin with numeric characters. Connector version 2.0.0 is now available with this fix.

Azure IoT Operations Experience

New features

  • Resource status visibility: AIO and Azure Device Registry resource status is now surfaced in the Azure IoT Operations Experience, Azure Portal, and CLI, enabling operators to view resource health and operational state directly from cloud management surfaces.

Security

Fixes

  • Vulnerability remediation: Addressed security vulnerabilities across multiple components, including Akri, Schema Registry, and AIO Observability.

2603 Update

Choose a tag to compare

@byronjinmsft byronjinmsft released this 25 Mar 22:16
5395f78

AIO2603 (v1.3.38) Public Release Notes

Release date: March 2026
Release type: Stable

Current GA version: 1.3.38 (2603) · Version history


Azure IoT Operations 2603 delivers three GA milestones — no-code data flow graphs, cloud-to-edge management actions, and the MQTT connector — along with unified health status reporting, broker reliability improvements, and connector stability fixes across the platform.

Release Highlights

  • Unified health status across Azure IoT Operations: Core components, data flows, brokers, assets, and connectors now expose consistent health states (Available / Degraded / Unavailable / Unknown) surfaced through Kubernetes custom resources and Azure Resource Manager. Deploy observability resources
  • No‑code data flow graphs now generally available: Build visual data processing pipelines using built‑in transforms (Map, Filter, Branch, Window, Concatenate) without writing custom WebAssembly, with improved reliability, validation, and observability. Process data with data flow graphs
  • Cloud‑to‑edge management actions now generally available: Execute management actions from the cloud to on-premises assets using Azure Resource Manager and Event Grid MQTT messaging. Supports OPC UA, ONVIF, and MQTT connectors with built‑in RBAC access control, managed identity authentication, and activity logs for auditing. Enable and run management actions
  • MQTT connector now generally available: The MQTT connector is now GA, with MQTT asset discovery for external endpoints, payload transformation using WebAssembly modules, and cloud‑to‑edge management actions for command and control scenarios. How to use the connector for MQTT
  • Improved messaging and broker reliability: Enhancements include graceful shutdowns during upgrades, end‑to‑end idempotent replication, improved persistence correctness, and reduced false health signals under load.
  • Stronger connector health and lifecycle stability: OPC UA, Media, ONVIF, REST/HTTP, SSE, and MQTT connectors now surface richer health signals, with improved recovery and redeployment behavior.
  • Enhanced Azure IoT Operations CLI: Updated CLI capabilities for lifecycle management, bulk asset import/export, management actions, and alignment with Azure IoT Operations 2603 APIs and deployed extensions. Azure IoT Operations CLI extension

Upgrade recommended if you rely on OPC UA connectors, MQTT connectors, data flow graphs, cloud-to-edge management actions, or health monitoring — this release delivers GA-quality no-code data flow graphs, GA management actions, GA MQTT connector, unified health status, and critical connector stability fixes.

Upgrade to 2603 from any supported GA version to ensure you receive the latest security patches and feature enhancements. Staying current is recommended for continued support and reliability.

Review before upgrading if you have assets created with older API versions — they may require recreation to report health status correctly (see Known Issues).

Note

Features marked (Preview) are provided as-is and are not recommended for production use. They may be changed or removed without notice.

Version support: Azure IoT Operations 2603 introduces the 1.3.x minor version series. Under the N‑2 version support policy, the supported versions are now 1.3.x, 1.2.x, and 1.1.x. The 1.0.x series (versions 2411 through 2503) is no longer supported. Customers still on 1.0.x should upgrade to remain eligible for Azure support.

Known Issues

For the full list of active known issues, see Known Issues.

  • ⚠️ Newly tracked: Assets created using older API versions may not report health status after upgrading to 2603. Workaround: Run the remediation script documented on the Known Issues page to update affected assets to API version 2026-04-01. Known Issues
  • Fixed in this release: Data flow graph definitions could not be reused across multiple data flow instances (previously tracked as a known issue).
  • Fixed in earlier release: Akri webhook certificate expiry error during Azure IoT Operations instance updates or deletions.

Components Overview

This release spans improvements to Observability (unified health reporting), Data flows (GA no-code data flow graphs, cloud-to-edge management actions), Messaging (broker reliability and graceful shutdown), Akri (connector lifecycle), Connectors (MQTT connector now GA; health modeling across OPC UA, Media, ONVIF, REST/HTTP, SSE, MQTT), CLI (management actions, bulk import/export), and Platform (infrastructure-as-code alignment).

Observability

New features

  • Unified health status reporting: Added unified health status reporting for core Azure IoT Operations and Azure Device Registry resources, enabling operators to quickly understand system and asset health without relying solely on logs or metrics. Deploy observability resources

  • Multi-surface visibility: Health status is now surfaced on both Kubernetes custom resources and Azure Resource Manager (ARM) resources for supported components.

Improvements

  • Standardized health states: Improved operational visibility by standardizing health states across the platform.

  • Expanded resource coverage: Health status is now reported for the following resources:

    • Broker
    • Data flows
    • Data flow graphs
    • Assets
    • Device inbound endpoints
  • Consistent state model: Each resource reports one of the following health states:

    • Available — functioning as expected
    • Degraded — partially functional with one or more issues
    • Unavailable — not operational and requires attention
    • Unknown — health status cannot be determined
  • Higher-level signal: Health reporting complements existing OpenTelemetry-based metrics and logs by providing a higher-level operational signal rather than raw telemetry alone.

Fixes

  • Reduced false positives: Improved the accuracy and consistency of health signals by using aggregated evaluations over a defined time window, reducing false positives caused by transient conditions.

  • Upgrade reliability: Fixed an issue where health status was not populated correctly for some resources after upgrading to 2603, which could result in operators seeing stale or missing health data until the next refresh cycle.

Known issues

  • ⚠️ Newly tracked: Assets created using older API versions may not report health status after upgrading to 2603. Workaround: Recreate or update the affected asset using the current API version (2026-04-01). Known Issues

Data flows

New features

  • No-code data flow graphs (GA): Introduced visual, no-code data flow graphs with built-in transforms that enable data processing directly in the Azure IoT Operations experience—without writing custom WebAssembly transforms. Use WebAssembly (WASM) with data flow graphs
    • Map: Applies transformation rules to each record, including renaming fields, computing values, setting defaults, removing fields, and enriching from contextual data sources. Supports wildcard field matching.
    • Filter and Branch: Evaluate conditions against message schemas to include, exclude, or route records to different outputs.
    • Window: Aggregates records over time-based windows using built-in functions (including $last).
    • Concatenate: Merges outputs from multiple transforms into a single stream.
  • Cloud-to-edge management actions (GA): Send commands from the cloud to on-premises assets using Azure Resource Manager and Event Grid MQTT messaging (mRPC pattern). Supports OPC UA, ONVIF, and MQTT connectors with built-in RBAC access control, managed identity authentication to Event Grid, and activity logs for auditing and monitoring.

Improvements

  • Health modeling for data flows: Data flow operators, runtime instances, and individual transform stages now report structured health status (Available / Degraded / Unavailable) with specific reason codes for scenarios such as WebAssembly module download failures, module panics, and missing schema references.
  • Kafka target reliability: Improved reliability for Kafka targets by adding message batching and periodic metadata refresh to keep connections alive. Also fixed handling for multi-topic Kafka subscriptions.
  • Enhanced observability: Added data plane metrics for data flow graphs (per-stage and per-graph) and improved logging at source MQTT clients.
  • Improved validation: Duplicate output field rules in transforms are now detected, input reference checking is more robust, and invalid enrich input expressions are blocked in the Window operator.
    ...
Read more

2602 Update

Choose a tag to compare

@brycewang-microsoft brycewang-microsoft released this 19 Feb 18:51
80cc4e5

AIO2602 (v1.2.189) Public Stable Release Notes


Summary & Updates

Azure IoT Operations 2602 release includes reliability, security, and operational improvements across observability, dataflows, and messaging components.

Version Reference & Upgrade Guidance

Current GA version: 1.2.189 (2602)

Upgrade to 2602 from any supported GA version to ensure you receive the latest security patches and feature enhancements. Staying current is recommended for continued support and reliability. Detailed version legend is available at: IoT Operations versions · Azure/azure-iot-ops-cli-extension Wiki

Highlights

  • Improved Kafka dataflow reliability and subscription support.
  • Enhanced observability configuration for external OpenTelemetry collectors.
  • Reduced excessive logging under certain operational conditions.
  • Included security updates across core components and dependencies.

Observability

  • Fixed a broken path where the configured OpenTelemetry collector endpoints were not propagated into AIO.

Dataflows

  • Added support for subscribing to multiple Kafka topics within a single dataflow.
  • Improved Kafka client behavior to prevent idle connections from being dropped by the Azure Load Balancer.
  • Reduced excessive log output generated by Dataflows during reconciliation.

Messaging and MQTT

  • Improved broker behavior during upgrade scenarios to avoid transient connectivity checks being surfaced as failures.

Device Registry

  • Renamed defaultEventsDestinations to defaultDestinations in eventGroups.
  • Updated MQTT Broker and Akri to use latest Device Registry version.

Security

  • Addressed security vulnerabilities across Azure IoT Operations components, including operators and MQTT connectors.
  • Updated base images and dependencies to resolve OpenSSL and Glibc vulnerabilities.

Platform Updates

  • Integrated the latest supported version of Cert Manager Extension (CME) and Secret Store Extension (SSE).

2512 Update

Choose a tag to compare

@byronjinmsft byronjinmsft released this 16 Dec 18:32
9feb7b1

Azure IoT Operations – Release 2512


Summary & Updates

The 2512 release includes bug fixes, performance improvements and security updates.

Akri

General

  • RegistryEndpointRef: Now supports RegistryEndpointRef when referencing the connector image inside the ConnectorTemplate.

Known Issues

  • Expired Webhook Certificates: Users may encounter an error regarding expired webhook certificates with Akri when deleting/upgrading instances of Azure IoT Operations as well as performing CRUD on Akri resources such as Connector instances and ConnectorTemplates. To fix this, please run kubectl delete pod -n azure-iot-operations aio-akri-webhook-0 --ignore-not-foundto delete and restart the webhook pods which will allow the pod to pick up the new certificate.

2510 Update

Choose a tag to compare

@chgennar chgennar released this 05 Nov 20:46
114d7a4

Azure IoT Operations – Release 2510


Summary & Updates

The 2510 release introduces several enhancements focused on simplifying deployment and improving edge-to-cloud observability. Key updates include:

  • Secret Management: Integrated Secret Picker with Azure Key Vault for secure, in-portal secret selection.

  • Telemetry Connectors: New connectors stream HTTP events and OpenTelemetry (OTEL) telemetry to MQTT/state stores and Azure Monitor.

  • Modular Dataflows: Dataflow graphs and import/export capabilities streamline edge automation and configuration.

  • CLI Improvements: Deprecated extensions removed, new asset migration command added, and Python 3.13 proxy compatibility patched.

  • Connector Templates: Create reusable templates to standardize connector configuration and deployment across clusters.

  • ADR Namespaces: Enable logical isolation and security boundaries for managing assets and devices at scale.

  • Devices: Added support for devices with inbound endpoints and cross-connector capabilities.

  • New Connectors:

    • ONVIF Connector – Integrate ONVIF-compliant cameras and devices for video and surveillance scenarios.

    • Media Connector – Ingest and process media streams with greater flexibility.

    • REST Connector – Connect to RESTful endpoints for seamless integration with external systems.

    • Enrich Connector – Enhance incoming data with contextual metadata for analytics.

  • Device & Asset Discovery: Automatic detection and onboarding of devices and assets to reduce manual configuration.


OPC UA Connector

⚠️ Breaking Changes

  • Removed PublishingInterval: Removed from datapoints and events to prevent misconfiguration; still configurable for datasets and event groups.

  • Human-Friendly Asset Names:

    • Asset name renamed to <ParentBrowseName>-<AssetBrowseName>.

    • Dataset name: telemetry; topic: <AioNamespace>.data.<AssetName>.telemetry.

    • Event group name: events; topic: <AioNamespace>.data.<AssetName>.events.

    • Datapoint name: <ParentBrowseName>.<DatapointBrowseName>.

    • DeviceHealthAlarm renamed from <ExpandedNodeId> to DeviceHealthAlarm.

  • JSON Schema Update: $id is now defined only at the root level using the HTTP schema format.

  • Schema Referencing: OPC UA types now referenced via partial JSON pointers.

✨ New Features

  • Event Groups: Events are now organized within event groups, allowing dedicated destinations per group.

  • Dataset Write Schema Generation: Automatically generates JSON schemas (draft7) for dataset write operations.

  • OPC UA Write Support: Enables writing simple and complex datapoints within datasets using MQTT RPC API.

  • Address Space Browsing: Added support for browsing OPC UA server address spaces via MQTT RPC API.

  • Advanced Event Filtering: Supports selective event filtering on the OPC UA server to optimize processing and cost.

🐞 Bug Fixes

  • Fixed dataset write action for datapoints using Node IDs instead of Expanded Node IDs.

  • Removed incorrect const: 0 values from OPC UA JSON schemas.

  • Improved reliability in asset change detection and updates.


Media Connector

⚠️ Breaking Changes

  • Lifecycle is now managed by Akri, not the AIO Connectors supervisor.

  • Removed support for AssetEndpointProfile and Asset CR Datasets; configuration now via Namespaced Device/Asset CRs.

  • Media operations now defined in the Streams section of an Asset CR (migrated from Datasets).

✨ New Features

  • Downstream Authentication: Supports authentication for downstream media servers in RTSP tasks.

  • TLS Encryption: Now available for both media endpoints and downstream connections.


ONVIF Connector

⚠️ Breaking Changes

  • Lifecycle now managed by the Akri Operator.

  • Removed support for AssetEndpointProfile and legacy dataset configurations; uses Namespaced Device/Asset CRs.

  • Endpoint discovery redesigned to create inbound endpoints within DiscoveredDevice CRs.

✨ New Features

  • Media Metadata Exposure: Publishes resolution and framerate attributes for discovered media endpoints.

  • Management Group Support: Now supports management groups.

  • TLS Encryption: Added for ONVIF device connections.


REST/HTTP Connector

✨ New Features

  • Summary: Enables integration with external REST/HTTP endpoints for MQTT or state store publishing.

  • Configurable Sampling: Sample data from REST endpoints at custom intervals.

  • Flexible Routing: Send data to multiple destinations for analytics and observability.

  • Authentication Options: Supports username/password, x.509 certificates, certificate bundles, and anonymous access.


SSE Connector

✨ New Features

  • Summary: Introduces support for real-time ingestion from HTTP(S) SSE streams.

  • Key Capabilities:

    • Samples SSE events and forwards them to MQTT/state stores.

    • Automatically registers schemas in Schema and Device Registries.

    • Integrates with OpenTelemetry for observability.

    • Includes retry logic on sampling failures.

    • Supports multiple authentication methods (username/password, x.509, trust bundles, anonymous).


MQTT Broker

✨ New Features

  • Data Persistence: Data is now durable across broker restarts with configurable persistence.

  • Azure Device Registry Integration: Supports x.509 authentication via the Device Registry.

🐞 Bug Fixes

  • Fixed broker crash when trusted client CA cert was missing.

  • Corrected batching logic for large (8KiB+) publish messages.


Dataflows

✨ New Features

  • WebAssembly Support: Enables embedded WASM modules for custom logic.

  • OpenTelemetry Endpoint Integration: Direct integration with Azure Monitor or OTEL collectors.

  • Dynamic Destination Topics: Use variables (e.g., ${inputTopic}) for flexible routing.

🐞 Bug Fixes

  • Improved retry logic for control plane operations to enhance reliability.

Akri

✨ New Features

  • Revamped Akri Services: Re-architected core for managing connectors and discovery.

  • Connector Lifecycle Management: Akri now manages both first- and third-party connectors.

  • Device & Asset Discovery: Enhanced backend for ONVIF/media devices.

  • Portal Integration: Configure Akri directly in Azure Portal.

  • Secure Registry Access: Provides secure API for connector access to Device and Asset data.

🛠️ Known Issues

  • Connector Templates: Only supports image-based deployment; Helm and StatefulSet options coming soon.

  • Secret Sync Conflicts: Secret names must be globally unique to avoid connector failures.

  • Webhook issue: Users may encounter an error regarding expired webhook certificates with Akri when deleting/upgrading instances of Azure IoT Operations as well as performing CRUD on Akri resources such as Connector instances and ConnectorTemplates. To fix this, please run kubectl delete pod -n azure-iot-operations aio-akri-webhook-0 --ignore-not-foundto delete and restart the webhook pods which will allow the pod to pick up the new certificate.


AIO Observability

✨ New Features

  • Inline Observability Configuration: Add observability during upgrades using the --ops-config parameter.

ADR & Schema Registry

✨ New Features

  • Namespace Enforcement: All AIO instances now tied to namespaces for isolation.

  • Namespace Device Resource: Replaces endpoint profiles; maintains backward compatibility.

  • Namespace Asset Actions: Define writeable management actions (e.g., setpoints).

  • Streams & Events Enhancements: Multi-dataset, multi-event support for richer modeling.

  • Destinations & QoS: Route to broker/state store with QoS per destination.

  • Schema Registry Identity: Enables workload identity federation for edge scalability.


Azure Portal

✨ New Features

  • Secret Picker Integration: Secure Azure Key Vault secret selection.

  • Server-Sent Events Connector: Real-time HTTP event streaming to MQTT/state stores.

  • Namespaces in ADR:

    • Create, view, and manage namespaces.

    • Dedicated management blade and asset visibility improvements.

  • Connector Templates:

    • Guided template creation wizard.

    • Centralized management view.

  • MQTT Persistence Configuration:

    • Configure broker persistence from the portal.

Azure IoT Operations Experience

✨ New Features

  • OTEL Connector: Streams telemetry to Azure Monitor.

  • Modular Dataflows: Create real-time, low-latency edge workflows.

  • Import/Export: Simplify asset migration and replication.

  • **Expan...

Read more

2509 Update

2509 Update Pre-release
Pre-release

Choose a tag to compare

@chgennar chgennar released this 01 Oct 18:47
8f6379a

AIO2509 (v1.2.72) Public Preview Release Notes

Summary

The 2509 release introduces several enhancements now available in public preview, focused on simplifying deployment and improving edge-to-cloud observability. Key updates include:

  • Secret Management: Integrated Secret Picker with Azure Key Vault for secure, in-portal secret selection.
  • Telemetry Connectors: New connectors stream HTTP events and OTEL telemetry to MQTT/state stores and Azure Monitor.
  • Modular Dataflows: Dataflow graphs and import/export capabilities streamline edge automation and configuration.
  • CLI Improvements: Deprecated extensions removed, asset migration command added, and Python 3.13 proxy compatibility patched.

Server-Sent Events (SSE) Connector

Introducing the Server-Sent Events (SSE) connector, now in public preview. This connector enables integration with HTTP(S) endpoints that expose SSE streams, allowing real-time event ingestion into Azure IoT Operations.

Key Features:

  • Samples SSE events from configured HTTP(S) endpoints.
  • Automatically generates message schemas for each dataset/event and registers them with Schema Registry and Azure Device Registry.
  • Forwards event data to designated destinations.
  • Implements automatic retries on sampling failures.
  • Integrates with OpenTelemetry for enhanced observability.
  • Supports device endpoints and namespace assets.
  • Infers schema from JSON payloads.
  • Offers multiple authentication methods:
    • Username/password
    • x.509 certificates
    • Anonymous access
    • Certificate trust list/bundle

OPC UA Connector

Introducing enhancements to the OPC UA Connector, now available in public preview. These updates expand integration capabilities with shop floor systems and improve semantic data synchronization for edge intelligence.

Key Features:

  • OPC UA Call Support: Define management actions of type Call and Write, and invoke them via the MQTT RPC API: <AioNamespace>/asset-operations/<AssetName>/<ManagementGroupName>/<ManagementActionName>. The connector auto-generates JSON Schema Draft 7 definitions for request and response messages, simplifying interaction with OPC UA assets.

  • Property Synchronization to DSS: Semantic properties modeled in the OPC UA address space (e.g., metadata on variable nodes) are now synchronized into the AIO MQTT Distributed State Store (DSS). Properties are added under the ID: {AioNamespace}.{AssetName}.{DatasetName}.{DataPointName}.{PropertyName}. This enables enriched dataflows and dynamic routing based on asset metadata.

Breaking Changes:

  • MQTT Path for Dataset Write: Updated from: <AioNamespace>/asset-operations/<AssetName>/<DatasetName> to: <AioNamespace>/asset-operations/<AssetName>/builtin/<DatasetName>. This aligns with management group conventions.

  • MQTT Path for Dataset Telemetry: Updated from: <AioNamespace>/data/<AssetName>/ to: <AioNamespace>/data/<AssetName>/<DatasetName>. This change supports more granular dataflow definitions.

Fixed Bugs:

  • Support for multiple inbound endpoints of type Microsoft.OpcUa within a single device.
  • Custom MQTT destinations per dataset now function as expected.
  • Resolved Invalid Cast Exception during asset discovery when OPC UA address space browsing fails.

Azure Portal Enhancements

  • Secret Picker Integration: The Azure IoT Operations instance blade now features a streamlined Secret Picker experience, enabling secure browsing, selection, and management of secrets directly from Azure Key Vault.
  • Server-Side Events Connector: Supports real-time streaming of HTTP events to MQTT or state stores, simplifying integration with edge systems.

Azure IoT Operations Experience

  • OTEL Connector: Streams structured telemetry (logs, metrics, traces) from edge assets to observability platforms like Azure Monitor for real-time diagnostics and fleet-wide insights.
  • Modular Dataflow Graphs: Enables OT teams to build resilient, near real-time edge intelligence workflows.
  • Import/Export Capabilities: Facilitates seamless migration and scaling by allowing import/export of tags, datapoints, events, and management actions.
  • Server-Side Events Connector: Also available within the operations experience for HTTP-to-MQTT/state store streaming.

Azure IoT Operations CLI Updates

  • Deployment Changes:
    • Updated arc extension versions for ops init and ops create.
    • ops init no longer deploys the ACSA extension or supports extension config.
    • ops upgrade excludes the ACSA extension.
    • ops init skips AIO Platform extension deployment when --user-trust is specified.
  • Deprecated Parameters:
    • Removed from ops create: --enable-rsync, --runtime-socket, and --kubernetes-distro.
    • Removed from ops broker persist update: --user-key and --user-value.
  • New Command:
    • az iot ops migrate-assets: Migrates root assets to namespace assets.
  • Python 3.13 Compatibility Patch:
    • Applied to cluster-side commands (ops check, ops init --check-cluster, ops support create-bundle) to address proxy certificate issues with connectedk8s on Python 3.13 (non-conformance to RFC 5280).

2508 Update

Choose a tag to compare

@chgennar chgennar released this 02 Sep 18:09
a669eb3

AIO2508 (v1.1.69) Release Notes

Bug fixes, performance improvements and security updates.

2507 Update

2507 Update Pre-release
Pre-release

Choose a tag to compare

@chgennar chgennar released this 31 Jul 14:06
e000cea

AIO2507 (v1.2.36) Public Preview Release Notes

Summary of 2507


Connector Templates: Create reusable templates to streamline connector configuration and deployment across Azure IoT Operations clusters.

ADR Namespaces: Enable logical isolation and security boundaries for managing assets and devices at scale.

Devices: Support for devices with inbound endpoints, including cross-connector capabilities.

ONVIF Connector: Integrate ONVIF-compliant cameras and devices for video and surveillance scenarios.

Media Connector: Ingest and process media streams from diverse sources with enhanced flexibility.

REST Connector: Connect to any RESTful endpoint, enabling seamless integration with external systems and APIs.

Enrich: Enhance incoming data with contextual metadata from REST endpoints to support advanced analytics.

Discovery of Devices and Assets: Automatically detect and onboard devices and assets, reducing manual configuration.

Regional Expansion: Azure IoT Operations is now deployable to Arc-connected clusters in the Germany West Central region. This support is available in the latest preview and backported to GA version 1.1.59

OPC UA Connector


Breaking Changes

  • JSON Schema Update: Each dataset and event now generates a JSON schema with the $id defined only at the root level, using the HTTP schema format.
  • Schema Referencing: OPC UA-specific types are now referenced using partial JSON pointers within the document.

New Features

  • OPC UA Write Support: Customers can now write datapoints—both simple and complex types—within a dataset using the MQTT RPC API. This highly requested feature enables direct influence back into the shop floor.
  • Address Space Browsing: The connector now supports browsing the OPC UA server address space via MQTT RPC API, improving visibility and control.
  • Advanced Event Filtering: Full event filtering is now supported, allowing customers to select and shape events directly on the OPC UA server. This reduces data processing costs and improves efficiency.

Bug Fixes

  • Schema Correction: Removed incorrect const: 0 values from OPC UA-specific types in the JSON schema.
  • Asset Change Detection: Resolved issues where changes to assets were not consistently detected. Updates are now reliably handled.

Media Connector


Breaking Changes

  • Lifecycle Management: Media Connector's lifecycle is now managed by Akri and no longer by the AIO Connectors supervisor. 
  • Configuration Model Update: Support for AssetEndpointProfile CRs and Asset CRs Datasets has been removed. Configuration is now handled exclusively through Namespaced Device CRs and Namespaced Asset CRs. 
  • Dataset to Stream Migration: Media Connector's operation is now defined in the Streams section of an Asset CR, instead of the Datasets section. 

New Features

  • Downstream Server Authentication: Authentication is now supported for downstream media servers in the stream-to-RTSP task. 
  • TLS Support: Media Connector now supports TLS encryption for both media endpoints and downstream media server connections.

ONVIF Connector


Breaking Changes

  • Lifecycle Management: ONVIF Connector's lifecycle is now managed by the Akri Operator and no longer by the AIO Connectors supervisor. 
  • Configuration Model Update: Support for AssetEndpointProfile CRs and Asset CRs Datasets has been removed. Configuration is now handled exclusively via Namespaced Device CRs and Namespaced Asset CRs. 
  • Endpoint Discovery Redesign: The connector no longer creates individual DiscoveredAssetEndpointProfile CRs for each media endpoint. Instead, it creates inbound endpoints within a DiscoveredDevice CR, allowing them to be processed by DOE. 

New Features

  • Media Metadata Exposure: Resolution and framerate information for discovered media endpoints are now published as attributes in the DiscoveredDevice CR. 
  • Management Group Support: ONVIF Connector now supports management groups. 
  • TLS Support: TLS encryption is now supported for connections to ONVIF devices.

REST / HTTP Connector


New Features

  • Public Preview Launch: The REST/HTTP Connector is now available in Public Preview! This connector allows you to connect to external REST/HTTP endpoints and create Assets that send data to the MQTT broker or Broker State Store, enabling richer data enrichment and contextualization. 📘Learn more: Configure the connector for REST/HTTP.
  • Configurable Sampling: The connector supports data sampling at configurable intervals from REST/HTTP endpoints.
  • Flexible Data Routing: Forward sampled data to multiple destinations, including the MQTT broker and the State Store, for advanced observability and processing. 
  • Authentication Support: Multiple authentication methods are supported, including username/password, x509 certificates, certificate trust bundles, and anonymous access (for testing).

MQTT Broker


New Features

  • MQTT Data Persistence (Preview): Data can now be persisted to disk, ensuring durability across broker restarts. Granular configuration is supported for different data types. 📘Learn more: Configure MQTT broker persistence.
  • Azure Device Registry Integration (Preview): The broker now supports X.509 authentication backed by Azure's Device Registry. Devices must be pre-registered, and you can disable clients by disabling their corresponding registry entries. 📘Learn more: Configure MQTT broker authentication.

Bug Fixes

  • Broker Crash Fix: Resolved an issue where the broker would crash if the trusted client CA certificate was missing in a configured BrokerAuthentication.

DataFlows


New Features

  • WebAssembly Support (Preview): You can now deploy custom business logic and data transformations using WebAssembly (WASM) modules embedded within data flows. 📘Learn more: Use WebAssembly (WASM) with data flow graphs.
  • OpenTelemetry Endpoint Integration (Preview): Data flows now support sending data directly to OpenTelemetry collectors or Azure Monitor, enabling seamless observability integration. 📘Learn more: Configure OpenTelemetry data flow endpoints.
  • Dynamic Destination Topics: Define dynamic topics using variables like ${inputTopic}, allowing destination topics to reuse source topic segments for flexible routing. 📘Learn more: Configure data destination.

Bug Fixes

  • Retry Logic Fix: Resolved an issue where control plane operations were not retried adequately, improving reliability.

Akri


New Features

  • Revamped Akri Services (Public Preview): The Akri component has been completely rearchitected and is now available in public preview! 📘Learn more: What are Akri Services?
  • Connector Lifecycle Management: Akri now manages the deployment and lifecycle of both 1P Akri Connectors (e.g., ONVIF, Media, REST/HTTP) and 3P custom connectors built using the Azure IoT Operations SDKs. 
  • Device & Asset Discovery Backend: Akri handles the backend services for asset detection and device discovery—especially for ONVIF and media devices. 
  • Azure Portal Integration: Akri configuration can now be done via the Azure portal, enabling protocol selection and tracking configuration changes directly in your Azure IoT Operations instance. 
  • Secure Registry Access: Akri exposes an API that allows Akri Connectors to securely access Devices and Assets from the Azure Device Registry. 

Known Issues

  • Connector Template Limitations: The Connector Template ARM Resource/CRD currently supports only Image-based deployment. While it exposes fields for StatefulSet and Helm-based deployment, those options are not yet functional and will be supported in future releases. 
  • Secret Sync Conflict: When using Secret Sync, ensure that secret names are globally unique. If a local secret with the same name exists, connectors may fail to retrieve the intended secret.

AIO Observability


New Features

  • Inline Observability Configuration: Observability can now be configured by providing the --ops-config parameter during a standard upgrade command, making it easier to enable or modify observability at any point. 📘Learn more: Deploy observability resources.

ADR & Schema Registry


New Features

  • Namespace Enforcement: All Azure IoT Operations instances are now tied to a namespace. Resources created for an instance will reside within its associated namespace, introducing stricter logical isolation and security boundaries.
  • Device Resource Supersession: The new Namespace Device resource replaces asset endpoint profiles for namespace assets. While endpoint profiles remain for backward compatibility, future development should target the new device model.
  • Names...
Read more