Configure the connector for SSE

In Azure IoT Operations, the connector for server-sent events (SSE) enables access to data from SSE endpoints exposed by HTTP services.

An asset in Azure IoT Operations is a logical entity that you create to represent a physical asset or device. An Azure IoT Operations asset can have custom properties, data points, streams, and events that describe its behavior and characteristics. An asset is associated with one or more devices. Azure IoT Operations stores asset definitions in the Azure Device Registry.

A device in Azure IoT Operations is a logical entity that defines the connections to physical assets or devices. Without a device, data can't flow from a physical device or asset to the MQTT broker. When you configure a device and asset, a connection is established to the physical asset or device, and data point values, events, and streams arrive in your Azure IoT Operations instance. A device has one or more inbound endpoints. Azure IoT Operations stores device definitions in the Azure Device Registry.

The following table summarizes the features the connector for SSE supports:

| Feature | Supported | Notes |
| --- | --- | --- |
| Username/password authentication | Yes | Basic HTTP authentication |
| X.509 user certificates (mTLS) | Yes | Certificates for client authentication and authorization |
| Anonymous access | Yes | For testing purposes |
| Southbound certificate trust list | Yes | For secure TLS connections to the SSE endpoint |
| OpenTelemetry integration | Yes | |
| Automatic retries | Yes | Reports failed status for nonretryable errors |
| WASM data transformation | No | |
| Schema generation | Yes | Registers inferred schema with the schema registry |

For each configured dataset, the connector for SSE:

  1. Samples SSE events from the specified SSE endpoint.
  2. Generates a message schema for each dataset based on the data it receives, and registers it with the schema registry in Azure Device Registry.
  3. Forwards the event data to the specified destination.

This article explains how to use the connector for SSE to perform tasks such as:

  • Define the devices that connect SSE sources to your Azure IoT Operations instance.
  • Add assets, and define the events to enable the data flow from the SSE source to the MQTT broker or broker state store.

Prerequisites

  • The Azure CLI version 2.62.0 or newer installed on your development machine. Use az --version to check your version and az upgrade to update if necessary. For more information, see Install the Azure CLI.

  • The Azure IoT Operations extension for the Azure CLI. Use the following command to add the extension or update it to the latest version:

    az extension add --upgrade --name azure-iot-ops
    

To sign in to the operations experience web UI, you need a Microsoft Entra ID account with at least contributor permissions for the resource group that contains your Kubernetes - Azure Arc instance. You can't sign in with a Microsoft account (MSA). For more information, see Troubleshoot access to the operations experience web UI.

Your IT administrator must configure the connector for SSE template for your Azure IoT Operations instance in the Azure portal.

You need any credentials required to access the SSE source. If the SSE source requires authentication, you need to create a Kubernetes secret that contains the username and password for the SSE source.

Have the event identification ready for each SSE source event you want to receive.
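
The following added example (not part of the original article and not the connector's own code) parses a captured text/event-stream body with the standard SSE framing rules, so you can list the event names a source emits and the JSON fields each one carries before you define events. It assumes the event identification you enter for an event corresponds to the value of the stream's `event:` field. The sample stream is constructed, and the type inventory is a simple stand-in for the connector's schema inference.

```python
import json
import re

# Constructed sample of a text/event-stream body (not captured from a real service).
SAMPLE_STREAM = (
    ": keep-alive comment\n"
    "event: temperature\n"
    'data: {"sensor": "t1", "value": 21.5}\n\n'
    "event: alarm\n"
    'data: {"code": 7,\n'
    'data:  "active": true}\n\n'
    'data: {"status": "ok"}\n\n'        # no event field -> name "message"
    "event: temperature\n"
    "data: not-json\n\n"
    "event: orphan\n\n"                 # no data -> never dispatched
)

def parse_sse(text):
    """Yield (event_name, data) pairs using the standard event-stream rules."""
    name, data = "", []
    for line in re.split(r"\r\n|\n|\r", text):
        if line == "":                      # blank line ends the event
            if data:                        # events without data are dropped
                yield (name or "message", "\n".join(data))
            name, data = "", []
        elif not line.startswith(":"):      # ":" lines are comments/keep-alives
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "event":
                name = value
            elif field == "data":
                data.append(value)          # multi-line data joins with "\n"

def inventory(text):
    """Map each event name to the JSON field types observed in its payloads."""
    seen = {}
    for name, data in parse_sse(text):
        fields = seen.setdefault(name, {})
        try:
            payload = json.loads(data)
        except json.JSONDecodeError:
            payload = None
        if isinstance(payload, dict):
            for key, val in payload.items():
                fields[key] = type(val).__name__
        else:                               # flag payloads that aren't JSON objects
            fields["<non-object payload>"] = "str"
    return seen
```

Calling `inventory(SAMPLE_STREAM)` returns one entry per event name. Payloads that aren't JSON objects are flagged rather than dropped, so unexpected data from a source stands out during review.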

SSE connector template instance

Before an OT user can create a device that uses the connector for SSE, an IT administrator must add an SSE connector template instance to your Azure IoT Operations instance. To learn more, see Create and manage connector template instances.

Configure a certificate trust list for the connector

Each connector has its own trust list: the set of certificates the connector uses to validate the TLS certificate that a southbound endpoint presents when the connector establishes a secure connection to it. Add a certificate to the trust list when the southbound endpoint uses a TLS certificate that's signed by a private or enterprise certificate authority (CA), or a self-signed certificate that the connector doesn't already trust. Client certificates that the connector presents to the southbound endpoint for mutual TLS are configured separately as part of the device's user authentication.

Note

For the connector for OPC UA, the trust list also handles OPC UA application-instance certificates. To learn more, see Understand the OPC UA certificates infrastructure.

You can add a certificate to a connector's trust list in two ways:

  • Operations experience. In the operations experience web UI, you can either upload a certificate file directly or pick an existing secret from Azure Key Vault. The operations experience adds the certificate to Azure Key Vault as a secret (if needed), creates the synced secret resource on the cluster, and wires it into the connector's trust list for you. To learn more, see Manage certificates for external communications.

  • Azure CLI. The Azure CLI flow assumes the certificate is already stored as a secret in Azure Key Vault. You use az iot ops secretsync secret set to create a synced secret on the cluster that references the Key Vault secret, and then az iot ops connector template update to add a reference to the synced secret in the connector template's trust list. To learn more, see Add and use certificates. To learn how to add a certificate to Azure Key Vault, see Add certificates as secrets to Azure Key Vault.

The operations experience and the Azure CLI flows partially overlap. The operations experience can both upload a new certificate to Azure Key Vault and sync it to the cluster in one experience. The Azure CLI flow assumes the certificate is already in Azure Key Vault and only handles the sync and trust-list wiring.

Create a device

To configure the connector for SSE, first create a device that defines the connection to the SSE source. The device includes the URL of the SSE source and any credentials you need to access the SSE source:

  1. In the operations experience web UI, select Devices in the left navigation pane. Then select Create new.

  2. Enter a name for your device, such as sse-connector. To add the endpoint for the connector for SSE, select New on the Microsoft.SSEHttp tile.

  3. Add the details of the endpoint for the connector for SSE including any authentication credentials:

    Screenshot that shows how to add a connector for SSE endpoint.

    Select Apply to save the endpoint.

  4. On the Device details page, select Next to continue.

  5. On the Add custom property page, add any other properties you want to associate with the device. For example, you might add a property to indicate the manufacturer of the camera. Then select Next to continue.

  6. On the Summary page, review the details of the device and select Create to create the device.

  7. After the device is created, you can view it in the Devices list:

    Screenshot that shows the list of devices.

Configure a device to use a username and password

The previous example uses the Anonymous authentication mode. This mode doesn't require a username or password.

To use the Username password authentication mode, complete the following steps:

In the operations experience, when you add the inbound endpoint and choose the Username password authentication mode, select Add reference to add the secret references for the username and password. The operations experience offers two options:

  • Create a new secret: uploads the value to Azure Key Vault and synchronizes it to the cluster as a synced secret.
  • Add from Azure Key Vault: synchronizes an existing Key Vault secret to the cluster.

The operations experience saves both the username and password references in a single synced secret resource on the cluster, and you give that synced secret a name.

To learn more, see Add and use secrets.

Configure a device to use an X.509 certificate

In the operations experience, when you add the inbound endpoint and choose the X509 certificate authentication mode, select Add reference to add the secret reference for the client certificate and private key. The operations experience offers two options:

  • Create a new secret: uploads the certificate and private key files to Azure Key Vault and synchronizes them to the cluster as a synced secret.
  • Add from Azure Key Vault: synchronizes existing Key Vault secrets to the cluster.

The operations experience saves the certificate and key references in a single synced secret resource on the cluster, and you give that synced secret a name.

To learn more, see Sync a client certificate and private key for mutual TLS.

Create an asset

To define an asset that publishes events from the SSE endpoint, follow these steps:

  1. In the operations experience web UI, select Assets in the left navigation pane. Then select Create asset.

  2. Select the inbound endpoint for the connector for SSE that you created in the previous section.

  3. Enter a name for your asset, such as my-sse-source.

  4. Add any custom properties you want to associate with the asset. For example, you might add a property to indicate the manufacturer of the camera. Select Next to continue.

A dataset defines where the connector sends the data it collects from a collection of data points. An SSE asset can have multiple datasets. To create a dataset:

  1. Select Create dataset.

  2. Enter the details for the dataset such as its name, data source, and destination. For SSE assets, the data source is the path on the SSE endpoint. The destination is either an MQTT topic or a broker state store key.

  3. Select Create and next to create the dataset.

    Tip

    Use the Manage default settings option to configure default dataset settings.

An event group defines where the connector sends the data it receives from a collection of events. An SSE asset can have multiple event groups. To create an event group:

  1. Select Create event group.

  2. Enter a name for the event group and the destination MQTT topic.

  3. Select Create and next to create the event group and go to the events page.

  4. Select Add event to add an event to the group. For example:

    Screenshot that shows how to add an event for SSE source.

    Add details for each event including the SSE event identification as the data source and the MQTT topic to publish to as the destination. Select Next to continue.

  5. On the Review page, review the details of the asset and select Create to create the asset. After a few minutes, the asset is listed on the Assets page:

    Screenshot that shows the list of assets.