Provide alternate authorization hook mechanism
Customer needs to support Authz at the IoT Hub end point. They need to ensure that the security token is valid, not tampered with and that the Tenant Id in the message is allowed to send data from the associated devices.
Support an authentication mechanism that allows them to inject a module or a function into the pipeline, before or after messages are shredded.
Standing up a protocol gateway for this is not an acceptable workaround because they will need to manage another SF service just for this.
Please use a token provider pattern to support custom authentication.
Jon Gallant commented
Elio Damaggio commented
We currently propose two avenues (depending on the specifics of your scenario).
One way is to use a token service, as delineated in https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security#custom-device-authentication.
The other way is to perform the check after the data has been sent to IoT Hub.
One has to consider that an external module (e.g. a Function) called for each message that hits IoT Hub would still have to be scaled to the same performance targets as a protocol gateway.
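The first avenue above (a token service in front of IoT Hub) moves the tenant-to-device authorization check to token issuance time: the device never holds a hub credential directly, and a token is only minted when the requesting tenant is allowed to send as that device. The following is an added example, not code from the original post, from Microsoft or from the IoT Hub SDK. It assumes a hypothetical in-memory registry `DEVICE_REGISTRY` with constructed sample keys, a hub host name `example-hub.azure-devices.net`, and a caller that has already been authenticated by the token service by whatever means the customer prefers. The SAS token layout (`sr`, `sig`, `se`; HMAC-SHA256 over the URL-encoded resource URI, a newline and the expiry, keyed with the base64-decoded device key) follows the documented IoT Hub device SAS format. `verify_sas_token` mirrors the check the hub itself performs (signature, expiry, resource URI bound to the device) so the reader can see what "valid and not tampered with" means concretely; it is not something the customer would run in place of the hub.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed sample data: which tenant owns each device and the device's
# symmetric key (base64, as stored in the hub identity registry). Hypothetical.
DEVICE_REGISTRY = {
    "sensor-001": {"tenant": "contoso",
                   "key": base64.b64encode(b"constructed-device-key-001").decode()},
    "sensor-002": {"tenant": "fabrikam",
                   "key": base64.b64encode(b"constructed-device-key-002").decode()},
}
IOT_HUB_HOST = "example-hub.azure-devices.net"  # assumed hub host name


def _sign(resource_uri, device_key_b64, expiry_epoch):
    """HMAC-SHA256 over '<urlencoded resource uri>\\n<expiry>' with the decoded key."""
    string_to_sign = f"{quote(resource_uri, safe='')}\n{expiry_epoch}".encode()
    key = base64.b64decode(device_key_b64)
    return base64.b64encode(hmac.new(key, string_to_sign, hashlib.sha256).digest()).decode()


def generate_sas_token(resource_uri, device_key_b64, expiry_epoch):
    """Assemble a device-scoped SAS token in the documented IoT Hub format."""
    sig = _sign(resource_uri, device_key_b64, expiry_epoch)
    return (f"SharedAccessSignature sr={quote(resource_uri, safe='')}"
            f"&sig={quote(sig, safe='')}&se={expiry_epoch}")


def issue_token(tenant_id, device_id, ttl_seconds=3600, now=None):
    """Token service entry point: the tenant check happens here, before any
    hub credential is handed out. Returns None when the tenant may not act as
    this device (unknown device, or device owned by another tenant)."""
    entry = DEVICE_REGISTRY.get(device_id)
    if entry is None or entry["tenant"] != tenant_id:
        return None
    now = int(time.time()) if now is None else now
    resource_uri = f"{IOT_HUB_HOST}/devices/{device_id}"
    return generate_sas_token(resource_uri, entry["key"], now + ttl_seconds)


def verify_sas_token(token, device_id, now=None):
    """Recompute the signature for the claimed device and expiry and compare in
    constant time; reject expired tokens and tokens scoped to another device."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = unquote(value)  # unquote keeps '+' intact (base64 may contain it)
    try:
        expiry = int(fields["se"])
        presented_sig = fields["sig"]
        resource_uri = fields["sr"]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if expiry <= now:
        return False  # expired
    if resource_uri != f"{IOT_HUB_HOST}/devices/{device_id}":
        return False  # token minted for a different device or hub
    entry = DEVICE_REGISTRY.get(device_id)
    if entry is None:
        return False
    expected_sig = _sign(resource_uri, entry["key"], expiry)
    return hmac.compare_digest(expected_sig, presented_sig)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("contoso", "sensor-001", now=t0)
    print(tok)
    print("valid:", verify_sas_token(tok, "sensor-001", now=t0 + 10))
    print("cross-tenant issue refused:", issue_token("fabrikam", "sensor-001", now=t0) is None)
```

Keeping the device key inside the token service and issuing short-lived tokens is what makes this an authorization hook rather than a proxy: the per-message cost that the comment above warns about is avoided because the hub validates the token on its own, and the tenant policy only runs once per token lifetime rather than once per message.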