Configure the connector for SSE

In Azure IoT Operations, the connector for server-sent events (SSE) enables access to data from SSE endpoints exposed by HTTP services.

An asset in Azure IoT Operations is a logical entity that you create to represent a physical asset or device. An Azure IoT Operations asset can have custom properties, data points, streams, and events that describe its behavior and characteristics. An asset is associated with one or more devices. Azure IoT Operations stores asset definitions in the Azure Device Registry.

A device in Azure IoT Operations is a logical entity that defines the connections to physical assets or devices. Without a device, data can't flow from a physical device or asset to the MQTT broker. When you configure a device and asset, a connection is established to the physical asset or device and data point values, events, and streams arrive in Azure IoT Operations instance. A device has one or more inbound endpoints. Azure IoT Operations stores device definitions in the Azure Device Registry.

The following table summarizes the features the connector for SSE supports:

Feature	Supported	Notes
Username/password authentication	Yes	Basic HTTP authentication
X.509 user certificates	Yes	Certificates for client authentication and authorization
Anonymous access	Yes	For testing purposes
Southbound certificate trust list	Yes	For secure TLS connections to the SSE endpoint
OpenTelemetry integration	Yes
Automatic retries	Yes	Reports failed status for nonretryable errors
WASM data transformation	No
Schema generation	Yes	Registers inferred schema with the schema registry

For each configured dataset, the connector for SSE:

Samples SSE events from the specified SSE endpoint.
Generates a message schema for each dataset based on the data it receives, and registers it with the schema registry in Azure Device Registry.
Forwards the event data to the specified destination.

This article explains how to use the connector for SSE to perform tasks such as:

Define the devices that connect SSE sources to your Azure IoT Operations instance.
Add assets, and define the events to enable the data flow from the SSE source to the MQTT broker or broker state store.

Prerequisites

To configure devices and assets, you need a running instance of Azure IoT Operations.

To sign in to the operations experience web UI, you need a Microsoft Entra ID account with at least contributor permissions for the resource group that contains your Kubernetes - Azure Arc instance. You can't sign in with a Microsoft account (MSA). For more information, see Troubleshoot access to the operations experience web UI.

Your IT administrator must configure the connector for SSE template for your Azure IoT Operations instance in the Azure portal.

You need any credentials required to access the SSE source. If the SSE source requires authentication, you need to create a Kubernetes secret that contains the username and password for the SSE source.

Have the event identification ready for each SSE source event you want to receive.

Deploy the connector for SSE

When you deploy Azure IoT Operations, the deployment includes various connectors. Before you can use the connectors (such as ONVIF, media, and HTTP/REST) in the operations experience web UI, an administrator must add connector template instances to your Azure IoT Operations instance.

All the connectors can publish captured data to the MQTT broker.

To add a connector template instance to your Azure IoT Operations instance:

In the Azure portal, go to your Azure IoT Operations instance, select Connector templates, and then select Create a connector template:
On the first page of the Add an Akri connector template wizard, select the type and version of connector template you want to add, such as ONVIF, Media, HTTP/REST, SSE, or MQTT. Then select Metadata.
On the Metadata page, accept the defaults, and then select Device inbound endpoint type.
On the Device inbound endpoint type page, accept the defaults, and then select Diagnostics configurations.
On the Diagnostics configurations page, accept the defaults, and then select Runtime configuration.
On the Runtime configuration page, accept the defaults, and then select Review.
On the Review page, review the details of the connector template instance, and then select Create to create the connector template instance.

An OT user can now use the operations experience web UI to create a device with a connector endpoint.

Configure a certificate trust list for the connector

To manage the trusted certificates list the connector uses to secure connections to external endpoints, see Manage certificates for external communications.

Create a device

To configure the connector for SSE, first create a device that defines the connection to the SSE source. The device includes the URL of the SSE source and any credentials you need to access the SSE source:

In the operations experience web UI, select Devices in the left navigation pane. Then select Create new.
Enter a name for your device, such as sse-connector. To add the endpoint for the connector for SSE, select New on the Microsoft.SSEHttp tile.
Add the details of the endpoint for the connector for SSE including any authentication credentials:

Select Apply to save the endpoint.
On the Device details page, select Next to continue.
On the Add custom property page, add any other properties you want to associate with the device. For example, you might add a property to indicate the manufacturer of the camera. Then select Next to continue.
On the Summary page, review the details of the device and select Create to create the asset.
After the device is created, you can view it in the Devices list:

Run the following commands:

az iot ops ns device create -n sse-connector-cli -g {your resource group name} --instance {your instance name} 

az iot ops ns device endpoint inbound add sse --device sse-connector-cli -g {your resource group name} -i {your instance name}  --name sse-connector-0 --endpoint-address "https://sse-connector-0:443/base-path"

To learn more, see az iot ops ns device.

Deploy the following Bicep template to create a device with an inbound endpoint for the SSE connector. Replace the placeholders <AIO_NAMESPACE_NAME> and <CUSTOM_LOCATION_NAME> with your Azure IoT Operations namespace name and custom location name respectively:

param aioNamespaceName string = '<AIO_NAMESPACE_NAME>'
param customLocationName string = '<CUSTOM_LOCATION_NAME>'

resource namespace 'Microsoft.DeviceRegistry/namespaces@2025-10-01' existing = {
  name: aioNamespaceName
}

resource customLocation 'Microsoft.ExtendedLocation/customLocations@2021-08-31-preview' existing = {
  name: customLocationName
}

resource device 'Microsoft.DeviceRegistry/namespaces/devices@2025-10-01' = {
  name: 'sse-connector'
  parent: namespace
  location: resourceGroup().location
  extendedLocation: {
    type: 'CustomLocation'
    name: customLocation.id
  }
  properties: {
    endpoints: {
      outbound: {
        assigned: {}
      }
      inbound: {
        'sse-connector-0': {
          endpointType: 'Microsoft.SSEHttp'
          address: 'https://sse-connector-0:443/base-path'
        }
      }
    }
  }
}

Configure a device to use a username and password

The previous example uses the Anonymous authentication mode. This mode doesn't require a username or password.

To use the Username password authentication mode, complete the following steps:

Follow the steps in Manage secrets for your Azure IoT Operations deployment to add secrets for username and password in Azure Key Vault, project them into Kubernetes cluster, and reference them from your device configuration.

Follow the steps in Manage secrets for your Azure IoT Operations deployment to add secrets for username and password in Azure Key Vault, and project them into Kubernetes cluster.

Modify the authentication block of your Bicep configuration for the connector to reference the synchronized secrets for username and password, as shown in the example below:

authentication: {
    method: 'UsernamePassword'
        usernamePasswordCredentials: {
            passwordSecretName: '<reference to synced password secret>'
            usernameSecretName: '<reference to synced username secret>'
        }
}

Configure a device to use an X.509 certificate

To use the X509 certificate authentication mode, follow the steps in Add and use secrets to add secrets for certificates and keys in Azure Key Vault, project them into Kubernetes cluster, and reference them from your device inbound endpoint configuration.

Create an asset

To define an asset that publishes events from the SSE endpoint, follow these steps:

In the operations experience web UI, select Assets in the left navigation pane. Then select Create asset.
Select the inbound endpoint for the connector for SSE that you created in the previous section.
Enter a name for your asset, such as my-sse-source.
Add any custom properties you want to associate with the asset. For example, you might add a property to indicate the manufacturer of the camera. Select Next to continue.

A dataset defines where the connector sends the data it collects from a collection of data points. An SSE asset can have multiple datasets. To create a dataset:

Select Create dataset.
Enter the details for the dataset such as its name, data source, and destination. For SSE assets, the data source is the path on the SSE endpoint. The destination is either an MQTT topic or a broker state store key.
Select Create and next to create the dataset.

Tip

Use the Manage default settings option to configure default dataset settings.

An event group defines where the connector sends the data it receives from a collection of events. An SSE asset can have multiple event groups. To create an event group:

Select Create event group.
Enter a name for the event group and the destination MQTT topic.
Select Create and next to create the event group and go to the events page.
Select Add event to add an event to the group. For example:

Add details for each event including the SSE event identification as the data source and the MQTT topic to publish to as the destination. Select Next to continue.
On the Review page, review the details of the asset and select Create to create the asset. After a few minutes, the asset is listed on the Assets page:

Run the following command:

az iot ops ns asset sse create --name mysseasset --instance {your instance name} -g {your resource group name} --device sse-connector-cli --endpoint sse-connector-0

az iot ops ns asset sse dataset add --asset mysseasset --instance {your instance name} -g {your resource group name} --name weatherdata --data-source "/api/weather" --dest topic="azure-iot-operations/data/erp" retain=Never qos=Qos1 ttl=3600

az iot ops ns asset sse event-group add --asset mysseasset --instance {your instance name} -g {your resource group name} --name alerts --data-source "" --dest topic="azure-iot-operations/events/mysseasset" retain=Never qos=Qos1 ttl=3600

az iot ops ns asset sse event add --asset mysseasset --instance {your instance name} -g {your resource group name} --event-group alerts --name temperaturethreshold --data-source "/events/temperaturethreshold" --dest topic="azure-iot-operations/events/mysseasset" retain=Never qos=Qos1 ttl=3600

To learn more, see az iot ops ns asset sse.

Deploy the following Bicep template to create an asset that publishes messages from the device shown previously to an MQTT topic. The data source of the dataset defines the path on the REST endpoint to query. Replace the placeholders <AIO_NAMESPACE_NAME> and <CUSTOM_LOCATION_NAME> with your Azure IoT Operations namespace name and custom location name respectively:

param aioNamespaceName string = '<AIO_NAMESPACE_NAME>'
param customLocationName string = '<CUSTOM_LOCATION_NAME>'

resource namespace 'Microsoft.DeviceRegistry/namespaces@2025-10-01' existing = {
  name: aioNamespaceName
}

resource customLocation 'Microsoft.ExtendedLocation/customLocations@2021-08-31-preview' existing = {
  name: customLocationName
}

resource asset 'Microsoft.DeviceRegistry/namespaces/assets@2025-10-01' = {
  name: 'mysseasset'
  parent: namespace
  location: resourceGroup().location
  extendedLocation: {
    type: 'CustomLocation'
    name: customLocation.id
  }
  properties: {
    displayName: 'mysseasset'
    description: 'An example SSE asset'
    enabled: true

    deviceRef: {
      deviceName: 'sse-connector'
      endpointName: 'sse-connector-0'
    }

    defaultDatasetsConfiguration: '{}'
    defaultEventsConfiguration: '{}'

    datasets: [
      {
        name: 'weatherdata'
        dataSource: '/api/weather'
        destinations: [
          {
            target: 'Mqtt'
            configuration: {
              topic: 'azure-iot-operations/data/erp'
              qos: 'Qos1'
              retain: 'Never'
              ttl: 3600
            }
          }
        ]
      }
    ]

    eventGroups: [
      {
        name: 'alerts'
        eventGroupConfiguration: '{}'
        events: [
          {
            name: 'temperaturethreshold'
            dataSource: '/events/temperaturethreshold'
            eventConfiguration: '{}'
            destinations: [
              {
                target: 'Mqtt'
                configuration: {
                  topic: 'azure-iot-operations/events/mysseasset'
                  qos: 'Qos1'
                  retain: 'Never'
                  ttl: 3600
                }
              }
            ]
          }
        ]
      }
    ]
  }
}

Feedback

Was this page helpful?

Last updated on 2026-04-23