EPC Group - Enterprise Microsoft AI, SharePoint, Power BI, and Azure Consulting

Azure Sphere Pricing and Features: Security for Internet-Connected IoT Devices

Errin O'Connor
December 2025
8 min read

Azure Sphere is an end-to-end security solution for internet-connected IoT devices, combining a secured microcontroller unit (MCU), a custom Linux-based operating system, and a cloud-based security service that provides continuous, renewable device security. Designed to address the Seven Properties of Highly Secure Devices outlined by Microsoft Research, Azure Sphere protects devices from the silicon level through the OS and into the cloud. EPC Group advises enterprise clients on IoT security architecture, including Azure Sphere deployment for mission-critical connected devices in healthcare, manufacturing, and critical infrastructure.

Overview of Azure Sphere

Azure Sphere takes a fundamentally different approach to IoT security by securing devices at every layer: hardware, operating system, and cloud. The Azure Sphere MCU includes a Microsoft-designed security subsystem (Pluton) with a hardware root of trust, the Azure Sphere OS is a hardened Linux kernel with defense-in-depth layers, and the Azure Sphere Security Service (AS3) provides certificate-based authentication, failure reporting, and over-the-air OS updates for the lifetime of the device.

Important update: In September 2024, Microsoft announced the evolution of Azure Sphere into a broader IoT security initiative. The Azure Sphere Security Service continues to operate, and existing deployments remain supported. EPC Group helps clients evaluate the current state of Azure Sphere and design security architectures for connected devices.

  • Secured MCU: MediaTek MT3620 with Microsoft Pluton security subsystem, hardware root of trust, and ARM Cortex-A7 + dual Cortex-M4 cores
  • Azure Sphere OS: Custom Linux-based OS with multiple security layers, secure boot, and mandatory code signing
  • Azure Sphere Security Service (AS3): Cloud service for device authentication, certificate management, failure reporting, and OS updates
  • 10+ year device security: Microsoft commits to OS updates and security patches for 10+ years per device
  • Defense in depth: Seven layers of security from silicon through cloud

Key Features

  • Hardware root of trust: Pluton security subsystem generates and protects cryptographic keys in tamper-resistant hardware
  • Secure boot chain: Each boot stage is verified by the previous stage, from hardware through the application
  • Mandatory code signing: Only Microsoft-signed OS components and customer-signed applications can execute
  • Certificate-based authentication: Every device authenticates to AS3 with device-unique certificates generated during manufacturing
  • Compartmentalization: Application code runs in isolated containers with minimal privileges and no direct hardware access
  • Firewall: Network firewall that allows only explicitly configured outbound connections
  • Error reporting: Devices report hardware and software failures to AS3 for fleet-wide monitoring
  • OTA updates: Automatic OS and application updates delivered securely through AS3
  • Wi-Fi connectivity: Dual-band 802.11 a/b/g/n Wi-Fi built into the MT3620 MCU
  • Peripheral interfaces: GPIO, UART, SPI, I2C, ADC, and PWM for connecting sensors and actuators

Pricing

Azure Sphere pricing includes the hardware MCU cost and the cloud security service. The AS3 cloud service is included free for the lifetime of the device.

Hardware (MCU)

  • MediaTek MT3620 MCU: Approximately $8–$15 per chip depending on volume
  • Development kits: $40–$100 from Avnet, Seeed Studio, and other partners
  • Guardian modules (brownfield devices): $30–$80 per module
  • Volume pricing available through authorized distributors

Azure Sphere Security Service (AS3)

  • Free for the lifetime of the device (10+ years)
  • Includes device authentication, certificate management, and error reporting
  • Includes OS updates and security patches
  • No per-device monthly subscription fees

Azure Cloud Services (Optional)

  • Azure IoT Hub: Standard Azure pricing for device telemetry and management
  • Azure IoT Central: Per-device pricing for managed IoT application platform
  • Azure Digital Twins, Power BI, and other analytics services: Standard pricing

Enterprise Use Cases

  • HVAC and building systems: Secure connectivity for commercial HVAC controllers, thermostats, and building management systems
  • Industrial equipment monitoring: Guardian modules that add secured cloud connectivity to existing industrial machinery
  • Retail point-of-sale: Secure payment terminal connectivity with hardware-backed device authentication
  • Medical devices: Connected medical equipment requiring hardware-level security and 10+ year lifecycle support
  • Smart appliances: Consumer and commercial appliances with secured firmware updates and cloud connectivity
  • Critical infrastructure: Water treatment, power grid, and transportation systems requiring defense-in-depth IoT security
  • Brownfield IoT: Guardian modules that add Azure Sphere security to legacy equipment without replacing existing controllers

Integration with Other Azure Services

  • Azure IoT Hub: Primary cloud endpoint for device telemetry, commands, and device twin management
  • Azure IoT Central: Managed SaaS platform for monitoring and managing Azure Sphere device fleets
  • Azure IoT Edge: Gateway scenario where Azure Sphere devices communicate through an IoT Edge gateway
  • Azure Defender for IoT: Threat detection and security monitoring for Azure Sphere device fleets
  • Azure Digital Twins: Model physical environments with Azure Sphere sensor data as real-time inputs
  • Azure Functions: Serverless processing of device telemetry and events
  • Power BI: Dashboards and analytics on device fleet data for operational intelligence

Best Practices for Enterprise Deployments

  • Start with development kits: Prototype on Avnet or Seeed Studio dev kits before committing to custom hardware design
  • Use Guardian modules for brownfield: Add Azure Sphere security to existing equipment without full device replacement
  • Plan the network firewall: Azure Sphere blocks all outbound connections by default; explicitly configure required endpoints
  • Implement application-level encryption: Use the Pluton security subsystem for application secrets and TLS client certificates
  • Design for OTA updates: Structure application firmware for efficient delta updates over constrained networks
  • Monitor error reports: Use AS3 error reporting to proactively detect fleet-wide hardware and software issues
  • Plan manufacturing provisioning: Work with your contract manufacturer to integrate Azure Sphere device claiming into the production line
  • Test with deferred updates: Use deferred update groups to test OS and application updates on pilot devices before fleet-wide rollout
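The default-deny outbound firewall mentioned in the "Plan the network firewall" item is configured per application through the AllowedConnections capability in the app manifest. The Python below is an added example, not code from this page or from Microsoft: it reviews a constructed app_manifest.json for allow-list entries that are not single explicit hosts and models the exact-match, deny-by-default behaviour. The matching model and the manifest contents are assumptions; the real enforcement happens inside the Azure Sphere OS.

```python
import ipaddress
import json
import re

# Constructed app_manifest.json (not a real project's manifest). The
# Capabilities block declares the outbound hosts the app may reach and the
# peripherals it may touch; anything not listed is denied by the OS.
SAMPLE_MANIFEST = """
{
  "SchemaVersion": 1,
  "Name": "BoilerTelemetry",
  "ComponentId": "00000000-0000-0000-0000-000000000000",
  "EntryPoint": "/bin/app",
  "Capabilities": {
    "AllowedConnections": [
      "global.azure-devices-provisioning.net",
      "example-hub.azure-devices.net",
      "https://updates.example.com/firmware",
      "*.example.com",
      "10.0.0.0/8"
    ],
    "Gpio": ["$MT3620_RDB_LED1_RED"],
    "DeviceAuthentication": "00000000-0000-0000-0000-000000000000"
  },
  "ApplicationType": "Default"
}
"""

# One DNS label per group: letters, digits, hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def is_explicit_endpoint(entry: str) -> bool:
    """True only for a single hostname or IP literal: no scheme, path,
    wildcard or CIDR range (assumption: the allow-list is host-based)."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return HOSTNAME_RE.match(entry) is not None

def review_allowed_connections(manifest_text: str) -> list:
    """Findings for AllowedConnections entries that the firewall cannot match."""
    caps = json.loads(manifest_text).get("Capabilities", {})
    return [f"not an explicit host or IP: {e!r}"
            for e in caps.get("AllowedConnections", []) if not is_explicit_endpoint(e)]

def outbound_allowed(manifest_text: str, host: str) -> bool:
    """Model of default-deny: a destination is reachable only on an exact match."""
    caps = json.loads(manifest_text).get("Capabilities", {})
    return host.lower() in {e.lower() for e in caps.get("AllowedConnections", []) if is_explicit_endpoint(e)}
```

Run the review against each application's manifest in CI so that URL-style, wildcard or range entries are caught before the image is signed and deployed.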

Why Choose EPC Group for IoT Security

With 28+ years of enterprise Microsoft consulting, EPC Group brings deep expertise in IoT security architecture and compliance-driven device deployments. Our team advises on Azure Sphere implementation, IoT security strategy, and cloud architecture for connected devices in healthcare (HIPAA), financial services (SOC 2), government (FedRAMP), and critical infrastructure (NIST CSF).

We help organizations evaluate whether Azure Sphere, Azure IoT Edge, or alternative security approaches best fit their device requirements. Our security-first methodology ensures that connected devices meet enterprise compliance standards from the hardware level through the cloud, with continuous monitoring and incident response capabilities.

Ready to Secure Your IoT Devices?

Contact our IoT security architects for a free assessment of your connected device security requirements. We will evaluate your device fleet, recommend the optimal security architecture, and deliver an implementation roadmap that meets your compliance and operational requirements.


Frequently Asked Questions

What are the Seven Properties of Highly Secure Devices?

Microsoft Research defined seven essential properties: (1) hardware-based root of trust, (2) small trusted computing base, (3) defense in depth, (4) compartmentalization, (5) certificate-based authentication, (6) renewable security (OTA updates), and (7) failure reporting. Azure Sphere is designed to satisfy all seven properties, providing comprehensive security from silicon through the cloud for the lifetime of the device.

Can Azure Sphere work with existing industrial equipment?

Yes. Azure Sphere Guardian modules are designed specifically for brownfield scenarios. These modules add secured cloud connectivity to existing industrial equipment by connecting to sensors, PLCs, or serial interfaces on legacy machines. The Guardian module handles security, authentication, and cloud communication while the existing equipment continues operating unchanged.

How does Azure Sphere compare to AWS IoT Greengrass security?

Azure Sphere provides hardware-level security through a custom MCU with the Pluton security subsystem, while AWS IoT Greengrass is a software runtime that runs on existing hardware. Azure Sphere's integrated hardware-software-cloud approach provides deeper security guarantees but requires specific hardware. Greengrass offers more flexibility in hardware selection but depends on the underlying device's security capabilities.

What programming languages can I use with Azure Sphere?

Azure Sphere applications are written in C using the Azure Sphere SDK, which provides APIs for hardware access, networking, security, and Azure cloud connectivity. The development environment supports Visual Studio and Visual Studio Code on Windows and Linux. The SDK includes sample applications for common scenarios including IoT Hub connectivity, peripheral access, and inter-core communication between the A7 and M4 cores.

What is the expected lifespan of Azure Sphere support?

Microsoft commits to providing OS updates and security patches for Azure Sphere devices for a minimum of 10 years from the date the MCU is made available. This long-term commitment is critical for industrial and infrastructure devices that remain deployed for a decade or more. The Azure Sphere Security Service (AS3) continues operating for the full support lifecycle at no additional cost.