Revoke certificates and delete policies (preview)

This article shows you how to run certificate lifecycle operations for Azure Device Registry in Azure IoT Hub:

Revoke certificates at the device level.
Revoke certificates at the policy level.
Delete a policy.
Delete a credential resource.

Use these procedures when you need to respond to a security event, retire certificate resources, or clean up certificate paths in production.

Important

Azure IoT Hub with ADR integration and Microsoft-backed X.509 certificate management is in public preview and isn't recommended for production workloads. For more information, see the FAQ: What is new in IoT Hub?

Prerequisites

Before you begin, make sure you have:

An active Azure subscription. If you don't have one, create a free account.
An existing production deployment with IoT Hub Gen2 linked to a Device Registry namespace. For setup steps, see Deploy Azure IoT Hub with ADR integration and certificate management.
A configured credential and policy in the Device Registry namespace. For setup steps, see Configure a Root CA credential in Azure Device Registry.
Device Provisioning Service (DPS) configured for devices that use operational certificate issuance and rotation.
The Azure Device Registry Credentials Contributor role on the Device Registry namespace.

Azure portal
Azure CLI

Revoke certificates for a device

Use these steps to rotate one device certificate when you need to isolate risk to a single device.

Sign in to the Azure portal.
Open your Azure Device Registry namespace.
Under Namespace resources on the sidebar menu, select Devices.
Select the target device.
Select Revoke device certificates.
(Optional) Select Also disable device after revoking if you need to block device authentication.
Confirm the operation.

Revoke certificates for a policy

Use these steps to rotate a policy issuer when you need to invalidate certificates issued by that policy.

Open your Azure Device Registry namespace.
Under Namespace resources on the sidebar menu, select Credential Policies.
Select the target policy.
Select Revoke certificates, and confirm the operation.

For a standard policy that uses your namespace's root CA, Azure Device Registry rotates the issuing CA and syncs the replacement CA to linked hubs.

For a policy that uses an external root, you cannot revoke the policy on Azure Device Registry as the CRL is also external. You must ensure that the revocation also propagates to that external CA's certificate revocation list (CRL) or OCSP responder. We require that you revoke all of your leaf certificates and then delete your policy.

Delete a policy

Use these steps to remove a policy when you no longer need it for certificate issuance.

Open your Azure Device Registry namespace.
Under Namespace resources on the sidebar menu, select Credential policies.
Select the target policy.
Select Delete policy, and confirm the operation.

Delete a credential resource

Use these steps to remove a credential resource when you need to retire that certificate path.

Open Credential policies in your Device Registry namespace.
Select the credential resource.
Select Delete, and confirm the delete operation.

Set variables

Define shared variables first so you can reuse the same values across all commands and reduce input errors.

RG_NAME="<resource-group>"
NS_NAME="<adr-namespace>"
HUB_NAME="<iot-hub-name>"
POLICY_NAME="<policy-name>"
DEVICE_ID="<device-id>"

Revoke a device

Run this command to revoke a device from Device Registry.

az iot adr ns device revoke \
  -n <device-id> \
  --ns "$NS_NAME" \
  -g "$RG_NAME" \
  -y

To revoke a device and also disable it, run the following command.

az iot adr ns device revoke \
  -n <device-id> \
  --ns "$NS_NAME" \
  -g "$RG_NAME" \
  -disable
  -y

Revoke certificates for a policy that uses the namespace-level root CA

Run this command to rotate a standard policy issuer and trigger the service-managed revoke flow.

az iot adr ns policy revoke-issuer \
  --ns "$NS_NAME" \
  -g "$RG_NAME" \
  --policy-name "$POLICY_NAME" \
  -y

Delete a policy

Run this command to remove a policy that you no longer need in the namespace.

az iot adr ns policy delete \
  --ns "$NS_NAME" \
  -g "$RG_NAME" \
  --policy-name "$POLICY_NAME" \
  -y

Run this command to confirm the deleted policy no longer appears.

az iot adr ns policy list --ns "$NS_NAME" -g "$RG_NAME"

Verify that the deleted policy no longer appears.

Delete a credential resource

Run this command to remove the credential resource when you retire that trust anchor path.

az iot adr ns credential delete \
  --ns "$NS_NAME" \
  -g "$RG_NAME" \
  --credential-name default \
  -y

Run this command to confirm the credential resource is no longer available.

az iot adr ns credential show \
  --ns "$NS_NAME" \
  -g "$RG_NAME" \
  --credential-name default

Verify that the credential resource is no longer available.

Feedback

Was this page helpful?

Last updated on 2026-04-15

Revoke certificates and delete policies (preview)

Prerequisites

Revoke certificates for a device

Revoke certificates for a policy

Delete a policy

Delete a credential resource

Related content

Feedback

Additional resources