Azure · yonzhan · May 21, 2021 · May 14, 2021 · May 17, 2021 · May 17, 2021
@@ -5,4 +5,4 @@
 
 certificate_help = """For a detailed explanation of CA certificates in Azure IoT Hub,
                       see https://docs.microsoft.com/azure/iot-hub/iot-hub-x509ca-overview """
-SYSTEM_IDENTITY = '[system]'
+SYSTEM_ASSIGNED_IDENTITY = '[system]'
@@ -404,7 +404,7 @@
         az iot hub create --resource-group MyResourceGroup --name MyIotHub --location westus --tags a=b c=d
   - name: Create an IoT Hub with a system-assigned managed identity, and assign a role and scope to a storage account for the created identity.
     text: >
-        az iot hub create --resource-group MyResourceGroup --name MyIotHub --location westus --assign-identity [system] --role "Storage Blob Data Contributor" --scopes {resourceId}
+        az iot hub create --resource-group MyResourceGroup --name MyIotHub --location westus --mi-system-assigned --role "Storage Blob Data Contributor" --scopes {resourceId}
 """
 
 helps['iot hub delete'] = """
@@ -440,12 +440,12 @@
 type: command
 short-summary: Assign managed identities to an IoT Hub
 examples:
-  - name: Assign a user-assigned managed identity to an IoT Hub
+  - name: Assign user-assigned managed identities to an IoT Hub
     text: >
-        az iot hub identity assign --name MyIoTHub --resource-group MyResourceGroup --identities {resourceId}
+        az iot hub identity assign --name MyIoTHub --resource-group MyResourceGroup --user-assigned {resourceId1} {resourceId2}
   - name: Assign a system-assigned managed identity to an IoT Hub and assign a role to that identity.
     text: >
-        az iot hub identity assign --name MyIoTHub --resource-group MyResourceGroup --identities [system] --role "Storage Blob Data Contributor" --scopes {resourceId}
+        az iot hub identity assign --name MyIoTHub --resource-group MyResourceGroup --system-assigned --role "Storage Blob Data Contributor" --scopes {resourceId}
 """
 
 helps['iot hub identity show'] = """
@@ -463,10 +463,25 @@
 examples:
   - name: Remove a user-assigned managed identity from an IoT Hub
     text: >
-        az iot hub identity remove --name MyIoTHub --resource-group MyResourceGroup --identities {resourceId}
+        az iot hub identity remove --name MyIoTHub --resource-group MyResourceGroup --user-assigned {resourceId}
   - name: Remove a system-assigned managed identity from an IoT Hub.
     text: >
-        az iot hub identity remove --name MyIoTHub --resource-group MyResourceGroup --identities [system]
+        az iot hub identity remove --name MyIoTHub --resource-group MyResourceGroup --system-assigned
+"""
+
+helps['iot hub identity update'] = """
+type: command
+short-summary: Update managed identity type for an IoT Hub.
+examples:
+  - name: Enable only user-assigned managed identities for an IoT Hub (removes system-assigned identity). Requires at least one user-assigned managed identity to be assigned previously.
+    text: >
+        az iot hub identity update --name MyIoTHub --resource-group MyResourceGroup --type user_assigned
+  - name: Enable only system-assigned managed identities for an IoT Hub (removes all user-assigned identities, enables system-assigned identity if not previously enabled).
+    text: >
+        az iot hub identity update --name MyIoTHub --resource-group MyResourceGroup --type system_assigned
+  - name: Remove all identities from an IoT Hub.
+    text: >
+        az iot hub identity update --name MyIoTHub --resource-group MyResourceGroup --type none
 """
 
 helps['iot hub list'] = """

@@ -19,6 +19,7 @@
                                                           AllocationPolicy,
                                                           AccessRightsDescription)
 from azure.cli.command_modules.iot.shared import (EndpointType,
+                                                  IdentityUpdateType,
                                                   RouteSourceType,
                                                   EncodingFormat,
                                                   RenewKeyType,
@@ -187,21 +188,40 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
                    type=str, help='Specify the minimum TLS version to support for this hub. Can be set to'
                                   ' "1.2" to have clients that use a TLS version below 1.2 to be rejected.')
         c.argument('tags', tags_type)
-        c.argument('identities', options_list=['--assign-identity'],
-                   nargs='*', help="Accepts system or user-assigned managed identities separated by spaces. "
-                   "Use '[system]' to refer to the system-assigned identity or a resource ID to refer to "
-                   "a user-assigned identity.")
+        c.argument('system_identity', options_list=['--mi-system-assigned'],
+                   arg_type=get_three_state_flag(),
+                   help="Enable system-assigned managed identity for this hub")
+        c.argument('user_identities', options_list=['--mi-user-assigned'],
+                   nargs='*', help="Enable user-assigned managed identities for this hub. "
+                   "Accept space-separated list of identity resource IDs.")
         c.argument('identity_role', options_list=['--role'],
                    help="Role to assign to the hub's system-assigned managed identity.")
         c.argument('identity_scopes', options_list=['--scopes'], nargs='*',
                    help="Space separated list of scopes to assign the role (--role) "
                    "for the system-assigned managed identity.")
 
-    with self.argument_context('iot hub identity') as c:
-        c.argument('identities', options_list=['--identities'],
-                   nargs='*', help="Accepts system or user-assigned managed identities separated by spaces. "
-                   "Use '[system]' to refer to the system-assigned identity or a resource ID to refer to a "
-                   "user-assigned identity.")
+    with self.argument_context('iot hub identity assign') as c:
+        c.argument('system_identity', options_list=['--system-assigned', '--system'],
+                   arg_type=get_three_state_flag(),
+                   nargs='*', help="Assign a system-assigned managed identity to this hub.")
+        c.argument('user_identities', options_list=['--user-assigned', '--user'],
+                   nargs='*', help="Assign user-assigned managed identities to this hub. "
+                   "Accept space-separated list of identity resource IDs.")
+
+    with self.argument_context('iot hub identity update') as c:
+        c.argument('identity_type', options_list=['--type'],
+                   arg_type=get_enum_type(IdentityUpdateType),
+                   help="Update hub's system or user-assigned managed identities. "
+                   "Use 'system_assigned' to remove all user identities, 'user_assigned' to "
+                   "remove all user-assigned identities, or 'none' to remove all identities.")
+
+    with self.argument_context('iot hub identity remove') as c:
+        c.argument('system_identity', options_list=['--system-assigned', '--system'],
+                   arg_type=get_three_state_flag(),
+                   nargs='*', help="Remove a system-assigned managed identity from this hub.")
+        c.argument('user_identities', options_list=['--user-assigned', '--user'],
+                   nargs='*', help="Remove user-assigned managed identities from this hub. "
+                   "Accept space-separated list of identity resource IDs.")
 
     for subgroup in ['consumer-group', 'policy', 'certificate', 'routing-endpoint', 'route']:
         with self.argument_context('iot hub {}'.format(subgroup)) as c:

@@ -122,6 +122,7 @@ def load_command_table(self, _):  # pylint: disable=too-many-statements
         g.custom_command('assign', 'iot_hub_identity_assign')
         g.custom_show_command('show', 'iot_hub_identity_show')
         g.custom_command('remove', 'iot_hub_identity_remove')
+        g.custom_command('update', 'iot_hub_identity_update')
 
     # iot hub policy commands
     with self.command_group('iot hub policy', client_factory=iot_hub_service_factory) as g: