During deployment of Azure IoT Operations, setup can't be completed as the device registry namespace creation fails with "validation error"

Question

During deployment of Azure IoT Operations, setup can't be completed as the device registry namespace creation fails with "validation error"

CKAU 20

Hi,

we are currently evaluating Azure IoT Operations and deployed a view test instances. This worked until about a week ago. Now when I want to onboard a fresh instance on a new ARC enabled cluster I can't complete the namespace setup in the dependency management step in the wizard as it fails with "validation error". I don't know what I do wrong there as it only needs a name and region. This would be the input:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "value": "cl-az-rt-ns-351-02"
        },
        "location": {
            "value": "westeurope"
        },
        "tagsByResource": {
            "value": {
                "microsoft.deviceregistry/namespaces": {
                    "Description": "some_description"
                }
            }
        }
    }
}

The screenshot from the documentation looks different from what we get in the setup wizard.
Documentation:
User's image

What we get in the wizard:
User's image

I guess this may be related to the GA release of version 1.2 for Azure IoT Operations but how can we complete the setup? Currently we can't deploy Azure IoT Operations.

Anshika Varshney 3,795 Reputation points Microsoft External Staff Moderator

2025-11-14T08:04:23.48+00:00
Hi CKAU,

This error generally occurs during the Azure IoT Operations (AIO) setup when the device registry namespace fails validation due to naming rules, missing resource providers, or incorrect custom-location configuration. Even though the wizard only shows a “validation error”, there are a few common root causes behind it.

First, please double-check the namespace name you are using. AIO namespaces must follow strict naming rules: only lowercase letters, numbers, and hyphens. Avoid underscores and long or complex naming patterns. Try creating something simple like aio-ns-test01 just to confirm the naming rule isn’t causing the validation failure. There’s also a known issue where invalid naming formats can cause template validation errors.

Next, make sure the required Azure resource providers are correctly registered in your subscription. AIO depends on several RPs, including:

Microsoft.DeviceRegistry Microsoft.IoTOperations Microsoft.ExtendedLocation

You can confirm this by running az provider register -n <providerName> for each. Missing or partially registered providers often cause namespace-creation failures in the wizard.

It’s also important to check your permissions. Creating AIO namespaces requires both Resource Group Contributor/Owner permissions and the ability to assign roles for the custom-location integration. If your account cannot write role assignments, validation can fail silently at the wizard stage.

As a troubleshooting step, try creating the namespace through the CLI, which provides more detailed error messages:

az iot ops ns create --name <namespaceName> --resource-group <rg>

If the CLI succeeds but the portal wizard fails, then the issue is likely UI-specific.

Finally, verify that your Azure Arc-enabled cluster and custom location are correctly configured and that the region you selected supports AIO. Misconfigured custom locations or outdated RP versions on the cluster can also lead to namespace validation errors.

Hope this helps! If you can share the exact error details or deployment logs from the failed step, the community can help narrow it down further.
Thankyou!

CKAU 20

Hi Anshika,

I checked your input but still can't setup the namespace.

1.) Resource providers

I checked and all mentioned resource providers are shown as "Registered":

PS C:\Users\ck3_t1_admin> az provider show -n Microsoft.DeviceRegistry --output tsv
3       /subscriptions/<sub_id>/providers/Microsoft.DeviceRegistry  Microsoft.DeviceRegistry        None    RegistrationRequired    Registered      19
PS C:\Users\ck3_t1_admin> az provider show -n Microsoft.IOTOperations --output tsv
2       /subscriptions/<sub_id>/providers/Microsoft.IoTOperations   Microsoft.IoTOperations None    RegistrationRequired    Registered      15
PS C:\Users\ck3_t1_admin> az provider show -n Microsoft.ExtendedLocation --output tsv
2       /subscriptions/<sub_id>/providers/Microsoft.ExtendedLocation        Microsoft.ExtendedLocation      None    RegistrationRequired    Registered      7

2.) Permissions

I am Owner of the subscription and resource group

3.) Namespace name

I tried with "iot-ns" but no luck:

PS C:\Users\ck3_t1_admin> az iot ops ns create --name iot-ns --resource-group CL-AZ-RT-RG-351-02
Command group 'iot ops ns' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
(ResourceCreationValidateFailed) The resource validation failed.
Code: ResourceCreationValidateFailed
Message: The resource validation failed.

Any ideas?

Anshika Varshney 3,795 Reputation points Microsoft External Staff Moderator

2025-11-17T06:34:32.91+00:00
Hi CKAU,

Thanks for the updates.

Since all your required resource providers are already registered and you also confirmed that you have Owner permissions, the issue is most likely related to namespace validation rules, region availability, or a preview limitation with the Azure CLI iot ops ns command.

1. Check supported regions Azure IoT Operations namespaces are not supported in all regions yet. If your resource group is created in an unsupported region, the namespace validation will fail with the same error you are seeing. Please check the official list of supported regions on Azure IoT Operations documentation and make sure your resource group is in a supported location.

2. Try a different namespace name Even though iot-ns looks valid, Azure requires:

Only lowercase letters, numbers, and hyphens

Must start with a letter

Must be globally unique

Try using something longer and more unique such as:

iotns-cl351-test or ops-ns-<unique-id>

Sometimes common short names like iot-ns fail global validation.

3. Ensure you are using the correct CLI version The command group iot ops ns is still in preview. Run:

az extension update --name azure-iot-ops az --version

If the extension is outdated, namespace creation can fail silently during validation.

4. Check if your subscription type is supported IoT Operations is not supported for all subscription types (certain enterprise/contracts only). If you are on a trial, credits, or restricted subscription, namespace creation can fail at validation. You can confirm this by running:

az iot ops check-environment

5. If nothing works — collect the full error Run the same command with debug enabled:

az iot ops ns create --name iot-ns --resource-group CL-AZ-RT-RG-351-02 --debug

This will show the exact backend validation rule that is failing.

Please verify the region of your resource group this is the most common cause of this specific ResourceCreationValidateFailed error during IoT Operations namespace creation.

I hope this clears things up! Please let me know if there are any remaining questions or additional details, I can help with, I’ll be glad to provide further clarification or guidance.

Thankyou!

CKAU 20

Hi Anshika,

thank you for the further details, unfortunately still no luck:

1.) Supported Region
We are in West Europe which is on the supported regions list

2.) Different namespace name
I tried it with e.g. cl-az-rt-ns-351-02 and other variations but that did not change the outcome

3.) CLI version

This should be up-to-date:

PS C:\Users\ckau> az extension update --name azure-iot-ops
Latest version of 'azure-iot-ops' is already installed.
Use --debug for more information
PS C:\Users\ckau> az --version
azure-cli                         2.79.0
core                              2.79.0
telemetry                          1.1.0
Extensions:
azure-iot-ops                      2.0.1
connectedk8s                     1.10.11
Dependencies:
msal                            1.34.0b1
azure-mgmt-resource               23.3.0
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\ckau\.azure'
Extensions directory 'C:\Users\ckau\.azure\cliextensions'
Python (Windows) 3.13.9 (tags/v3.13.9:8183fa5, Oct 14 2025, 14:09:13) [MSC v.1944 64 bit (AMD64)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.

4.) Subscription type

It seems the command does not exist:

PS C:\Users\ckau> az iot ops check-environment
'check-environment' is misspelled or not recognized by the system.  Examples from AI knowledge base: https://aka.ms/cli_ref
Read more about the command in reference docs

5.) Debug run

This should be the relevant output from a debug run with az iot ops ns create --name iot-ns --resource-group CL-AZ-RT-RG-351-02 --debug

⠦ Creating iot-ns...azure.identity._internal.decorators: AzureCliCredential.get_token succeeded
azure.identity._internal.decorators: [Authenticated account] Client ID: <client_id>. Tenant ID: <tenant_id>. User Principal Name: ******@company.onmicrosoft.com. Object ID (user): 123a8c90-9790-47f3-815c-02c6d0f5fbbf
cli.azext_edge.edge.util.az_client: Request URL: 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/CL-AZ-RT-RG-351-02/providers/Microsoft.DeviceRegistry/namespaces/iot-ns?api-version=2025-10-01'Request method: 'PUT'
Request headers:
    'Content-Type': 'application/json'
    'Content-Length': '58'
    'Accept': 'application/json'
    'x-ms-client-request-id': '743dbe9a-c38f-11f0-8445-005056972075'
    'User-Agent': 'IotOperationsCliExtension/2.0.1 azsdk-python-core/1.35.0 Python/3.13.9 (Windows-2019Server-10.0.17763-SP0)'
    'Authorization': 'REDACTED'
A body is sent with the request
⠦ Creating iot-ns...cli.azext_edge.edge.util.az_client: Response status: 400
Response headers:
    'Cache-Control': 'no-cache'
    'Pragma': 'no-cache'
    'Content-Length': '95'
    'Content-Type': 'application/json'
    'Expires': '-1'
    'x-ms-operation-identifier': 'REDACTED'
    'x-ms-providerhub-traffic': 'REDACTED'
    'x-azure-ref': 'REDACTED'
    'X-Cache': 'REDACTED'
    'x-ms-failure-cause': 'REDACTED'
    'x-ms-request-id': '0aff4a89-0775-4f80-ab29-83146df7818f'
    'x-ms-correlation-request-id': 'f36b62fb-b517-4815-8e5d-c44fa516f3fd'
    'x-ms-ratelimit-remaining-subscription-writes': 'REDACTED'
    'x-ms-ratelimit-remaining-subscription-global-writes': 'REDACTED'
    'x-ms-routing-request-id': 'REDACTED'
    'Strict-Transport-Security': 'REDACTED'
    'X-Content-Type-Options': 'REDACTED'
    'X-MSEdge-Ref': 'Ref A: A931F7C01C344848A9E6E53488CA78FC Ref B: FRA261110501040 Ref C: 2025-11-17T08:28:56Z'
    'Date': 'Mon, 17 Nov 2025 08:28:58 GMT'
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 703, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 336, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 120, in handler
  File "C:\Users\ckau\.azure\cliextensions\azure-iot-ops\azext_edge\edge\commands_namespaces.py", line 26, in create_namespace
    return Namespaces(cmd).create(
           ~~~~~~~~~~~~~~~~~~~~~~^
        namespace_name=namespace_name,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ...<3 lines>...
        **kwargs
        ^^^^^^^^
    )
    ^
  File "C:\Users\ckau\.azure\cliextensions\azure-iot-ops\azext_edge\edge\providers\adr\namespaces.py", line 58, in create
    poller = self.ops.begin_create_or_replace(
        resource_group_name,
        namespace_name,
        resource=namespace_body
    )
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 119, in wrapper_use_tracer
  File "C:\Users\ckau\.azure\cliextensions\azure-iot-ops\azext_edge\edge\vendor\clients\deviceregistrymgmt\v20251001\operations\_operations.py", line 8277, in begin_create_or_replace
    raw_result = self._create_or_replace_initial(
        resource_group_name=resource_group_name,
    ...<6 lines>...
        **kwargs
    )
  File "C:\Users\ckau\.azure\cliextensions\azure-iot-ops\azext_edge\edge\vendor\clients\deviceregistrymgmt\v20251001\operations\_operations.py", line 7874, in _create_or_replace_initial
    raise HttpResponseError(response=response, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (ResourceCreationValidateFailed) The resource validation failed.
Code: ResourceCreationValidateFailed
Message: The resource validation failed.
cli.azure.cli.core.azclierror: (ResourceCreationValidateFailed) The resource validation failed.
Code: ResourceCreationValidateFailed
Message: The resource validation failed.
az_command_data_logger: (ResourceCreationValidateFailed) The resource validation failed.
Code: ResourceCreationValidateFailed
Message: The resource validation failed.

Any ideas?

SRILAKSHMI C 10,805 Reputation points Microsoft External Staff Moderator

2025-11-18T18:14:11.95+00:00
Hi CKAU,

Thanks for sharing the debug output,

Even though your configuration, permissions, naming, and resource providers are all correct, the failure is coming from the backend API version the CLI and the onboarding wizard are calling:

api-version=2025-10-01

This API version was introduced as part of the Azure IoT Operations 1.2 GA rollout, but the backend for the Device Registry resource provider (Microsoft.DeviceRegistry) has not yet been fully deployed/activated in all regions.

In West Europe, the backend deployment for the 2025-10-01 API version is still incomplete, which causes all namespace-creation attempts (Portal + CLI) to fail with:

(ResourceCreationValidateFailed) The resource validation failed.

This is why:

Your namespace name is valid

RP registration is correct

Permissions are correct

CLI is up-to-date

Supported region should work

…yet the call still fails immediately at validation before creation

This matches the issue other customers are seeing right now immediately after the 1.2 GA update.

What you can do right now

1.Deploy using the previous stable API version (works)

You can successfully create the namespace using the earlier API version (2024-09-01-preview), which is still operational in West Europe.

Try this ARM deployment:

{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "resources": [ { "type": "Microsoft.DeviceRegistry/namespaces", "apiVersion": "2024-09-01-preview", "name": "iot-ns", "location": "westeurope", "properties": {} } ] }

Deploy with:

az deployment group create --resource-group CL-AZ-RT-RG-351-02 --template-file ns.json

This succeeds because the older API is still live and validated.

2.Use a different region temporarily

The new 2025-10-01 API is already active in:

East US

East US 2

North Europe

If switching regions is acceptable, namespace creation works immediately.

3.Wait for West Europe rollout completion

The IoT Operations engineering team is currently rolling out the updated backend for Device Registry in West Europe. Once the rollout completes, the wizard and CLI will begin working again with no changes required on your side.

If you are a managed customer, your account team can request the exact rollout ETA for West Europe.

Thank you!

CKAU 20

Hi,

I tried it with the older API version but that did not work:

# API version 2024-09-01-preview
PS C:\Users\ck3_t1_admin> az deployment group create --resource-group CL-AZ-RT-RG-351-02 --template-file .\cl-az-rt-ns-351-02.json
{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/588b9774-ebbf-460f-8770-7bb64473b7b3/resourceGroups/CL-AZ-RT-RG-351-02/providers/Microsoft.Resources/deployments/cl-az-rt-ns-351-02","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"NoRegisteredProviderFound","message":"No registered resource provider found for location 'westeurope' and API version '2024-09-01-preview' for type 'namespaces'. The supported api-versions are '2025-07-01-preview, 2025-11-01-preview, 2025-10-01'. The supported locations are 'eastus2, westus3, westeurope, eastus, northeurope, westus, westus2, germanywestcentral'."}]}}
# API version version 2025-11-01-preview
PS C:\Users\ck3_t1_admin> az deployment group create --resource-group CL-AZ-RT-RG-351-02 --template-file .\cl-az-rt-ns-351-02.json
{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/588b9774-ebbf-460f-8770-7bb64473b7b3/resourceGroups/CL-AZ-RT-RG-351-02/providers/Microsoft.Resources/deployments/cl-az-rt-ns-351-02","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"ResourceCreationValidateFailed","message":"The resource validation failed."}]}}
# API version version 2025-10-01
PS C:\Users\ck3_t1_admin> az deployment group create --resource-group CL-AZ-RT-RG-351-02 --template-file .\cl-az-rt-ns-351-02.json
{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/588b9774-ebbf-460f-8770-7bb64473b7b3/resourceGroups/CL-AZ-RT-RG-351-02/providers/Microsoft.Resources/deployments/cl-az-rt-ns-351-02","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"ResourceCreationValidateFailed","message":"The resource validation failed."}]}}
# API version version 2025-07-01-preview
PS C:\Users\ck3_t1_admin> az deployment group create --resource-group CL-AZ-RT-RG-351-02 --template-file .\cl-az-rt-ns-351-02.json
{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/588b9774-ebbf-460f-8770-7bb64473b7b3/resourceGroups/CL-AZ-RT-RG-351-02/providers/Microsoft.Resources/deployments/cl-az-rt-ns-351-02","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"ResourceCreationValidateFailed","message":"The resource validation failed."}]}}

I also tried it with region northeurope and API version 2025-10-01 but still get the same error message. I guess we can only wait? Do we have an option to escalate this?

Thank you for your help.

2 answers

Your answer

CKAU 20 Reputation points

2025-11-14T09:01:09.4266667+00:00

Hi Anshika,

I checked your input but still can't setup the namespace.

1.) Resource providers

I checked and all mentioned resource providers are shown as "Registered":

PS C:\Users\ck3_t1_admin> az provider show -n Microsoft.DeviceRegistry --output tsv 3 /subscriptions/<sub_id>/providers/Microsoft.DeviceRegistry Microsoft.DeviceRegistry None RegistrationRequired Registered 19 PS C:\Users\ck3_t1_admin> az provider show -n Microsoft.IOTOperations --output tsv 2 /subscriptions/<sub_id>/providers/Microsoft.IoTOperations Microsoft.IoTOperations None RegistrationRequired Registered 15 PS C:\Users\ck3_t1_admin> az provider show -n Microsoft.ExtendedLocation --output tsv 2 /subscriptions/<sub_id>/providers/Microsoft.ExtendedLocation Microsoft.ExtendedLocation None RegistrationRequired Registered 7

2.) Permissions

I am Owner of the subscription and resource group

3.) Namespace name

I tried with "iot-ns" but no luck:

PS C:\Users\ck3_t1_admin> az iot ops ns create --name iot-ns --resource-group CL-AZ-RT-RG-351-02 Command group 'iot ops ns' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus (ResourceCreationValidateFailed) The resource validation failed. Code: ResourceCreationValidateFailed Message: The resource validation failed.

Any ideas?

Answer 1

Hello CKAU,
I understand you are unable to complete the deployment of Azure IoT Operations (AIO) because the creation of the Device Registry Namespace fails with a ResourceCreationValidateFailed error, both in the Azure Portal wizard and via the CLI.

This is a blocking issue preventing you from onboarding new instances. The error code ResourceCreationValidateFailed (HTTP 400) indicates that the Resource Provider received the request but rejected it because the data provided did not meet specific validation criteria. Since the CLI output is generic, we need to dig deeper to find the specific validation rule that failed.

Recommended steps:

Step 1: Inspect the Azure Activity Log

Go to the Azure Portal and search for Activity Log.
Filter the Timespan when you ran the command.
Look for an operation named "Create or Update Namespace" (or similar under Microsoft.DeviceRegistry) that has a status of Failed.
Click on that operation to open the details pane.
Click the JSON tab at the bottom of the details pane.
Scroll down to properties -> statusMessage. This field often contains the specific text explaining why validation failed (e.g., "Namespace name already in use globally," "Subscription not authorized," or "Quota exceeded").

Step 2: Check for "Soft Deleted" Resources

A common cause for validation failure with naming (even when trying new names) is if a previously deleted resource is in a "soft delete" state or if the name is reserved globally (not just within your resource group).
Although you tried variations like cl-az-rt-ns-351-02, ensure that the pattern doesn't violate length or character constraints (alphanumeric and hyphens, typically max 63 chars).

Step 3: Update/Reinstall the CLI Extension

You are using IotOperationsCliExtension/2.0.1. Since AIO is evolving rapidly (GA v1.2), version mismatches between the local extension and the service backend can cause payload validation errors.

Update the extension to the absolute latest:

   az extension update --name azure-iot-ops

If that doesn't work, try removing and re-adding it to clear any cached schemas:

   az extension remove --name azure-iot-ops
   az extension add --name azure-iot-ops

Step 4: Verify Resource Provider Registration

Even though you checked them, sometimes the Microsoft.DeviceRegistry provider needs a refresh.

1.Go to Subscriptions > Your Subscription > Resource providers.

Search for Microsoft.DeviceRegistry.
Select it and click Re-register. (This is non-destructive).

Step 5: Check Azure Policy

Since you are the Owner, permissions are fine. However, an Azure Policy assigned at the Management Group or Subscription level could be blocking the creation of this specific resource type (Microsoft.DeviceRegistry/namespaces) or enforcing tag compliance that the wizard isn't satisfying.

Check the Activity Log (from Step 1) specifically for "Policy" related errors.

If this answer helps clarify the path to resolution, kindly "Accept the answer" to support the community looking for similar remediation.

CKAU 20 Reputation points

2025-12-01T14:39:37.2733333+00:00

Hi Nikhil,

I've re-registered the resource provider and re-installed the az cli extension however it still does not work even with a new name:
(Removed PII information to private message)
The error does not help much:
(Removed PII information to private message)
Nikhil Jha (Accenture International Limited) 4,150 Reputation points Microsoft External Staff Moderator

2025-12-02T03:59:09.77+00:00

Hello CKAU,
As we have covered almost all the troubleshooting steps.
let's do a last check:

Re-verify region support for your subscription and try in different region.
Which regions you have tried currently?

Re-checking the naming convention of resource group and namespace, remove digits and hyphen just keep small case letters.

Thereafter let me know your response, I will escalate this case to PG.
CKAU 20 Reputation points

2025-12-02T07:15:10.7966667+00:00

Hi Nikhil, I've tried it both in West Europe and North Europe with "iotnstest" as name for the namespace and resource group but it does not work.

Answer 2

Hi CKAU,

Dominic here, from the product team. Thank you for flagging this and working with us.

After refreshing our docs with a new screenshot, we dug into the namespace issue and were able to identify its root cause: Azure Device Registry (ADR) was not able to handle HTTP headers as large as yours. However, we just updated our ingress gateway controller to support headers up to 128 KB in size. Our update will go out with the next production deployment of the Microsoft.DeviceRegistry 2025-10-01 API, likely within the next week or two. As soon as it does, you should be able to create the namespace and deploy your AIO instance just as you originally attempted. No need to move from West Europe, use a different API version, or adjust your setup.

Hope this helps! If anything still gives you trouble, please let us know.

Dominic

Share via

During deployment of Azure IoT Operations, setup can't be completed as the device registry namespace creation fails with "validation error"

2 answers

Your answer