This chapter covers Azure Notification Hubs, a scalable push notification engine for sending millions of notifications to mobile and desktop platforms. For the AZ-305 exam, Notification Hubs appear under objective 4.4 (Design a messaging solution) and are typically the focus of 2–3% of questions. You will need to understand its architecture, how it integrates with Platform Notification Systems (PNS), and when to choose it over other Azure messaging services like Event Grid or Service Bus.
Jump to a section
Azure Notification Hubs acts like a national postal service that sends out millions of letters to subscribers. Imagine you have a message (notification) that needs to reach every person in a city. Instead of personally delivering each letter, you hand them all to the postal service. The postal service (Notification Hub) has a central sorting facility that knows each subscriber's address (device token or registration), regardless of whether they receive mail via doorstep (Apple Push Notification Service - APNS), mailbox (Firebase Cloud Messaging - FCM), or pigeon post (Windows Push Notification Services - WNS). When you drop off a batch of identical letters (broadcast), the service automatically duplicates and routes each letter through the correct delivery channel. If a subscriber moves (device token changes), the postal service updates its records. Critically, if a subscriber's mailbox is full (device unreachable), the postal service doesn't keep retrying indefinitely—it may discard the letter after a few attempts (expiry). The postal service also handles load balancing: during peak times like holidays, it scales out its sorting capacity (automatic scaling) to handle millions of letters per second. Without this centralized service, you would need to build and maintain separate delivery systems for each type of mail carrier, track every address change yourself, and manage retries—a massive engineering effort.
What is Azure Notification Hubs and Why Does It Exist?
Azure Notification Hubs (NH) is a fully managed, multi-platform push notification engine that enables sending high-volume push notifications to any platform (iOS, Android, Windows, Kindle, Baidu) from a single backend. It abstracts the complexity of interacting with each Platform Notification System (PNS) – such as APNs (Apple), FCM (Google), WNS (Microsoft), MPNS (deprecated), and Baidu Cloud Push – by providing a unified API. The primary reason NH exists is to solve the 'fan-out' problem: sending the same notification to millions of devices across different platforms without managing per-platform connections, retries, and token management. Without NH, each application backend would need to maintain persistent connections to every PNS, handle authentication, manage device tokens, and implement retry logic with exponential backoff. NH handles all of this at scale, with built-in telemetry and monitoring.
How It Works Internally
When a backend application sends a notification, it calls the NH REST API (or uses SDKs). The hub receives the message and performs the following steps:
Ingestion and Validation: The hub validates the message structure (JSON/XML), checks the target tags or tag expressions, and ensures the message size is within limits (typically 4 KB for APNs, 4 KB for FCM, and 5 KB for WNS).
Tag Matching: The hub evaluates the tag expression against the registered devices. Tags are strings that categorize devices (e.g., "sports", "news", "userID:123"). Tag expressions support logical operators (&&, ||, !) and parentheses. For example, (sports || news) && !userID:456 sends only to devices tagged with "sports" or "news" but not to user 456. The hub maintains an in-memory index of tags to device registrations for fast lookup.
Registration Lookup: Each device registration contains a PNS handle (device token/registration ID), platform type, tags, and expiry. The hub retrieves the set of registrations matching the tag expression. Registrations can be stored in the hub's internal database or in an external Azure Storage table (if using the older SDK). The default maximum number of registrations per hub is 10 million, but you can request an increase.
Message Formatting: The hub transforms the generic notification payload into platform-specific formats. For example, an APNs message requires the aps dictionary, while FCM expects a data or notification object. The hub handles this via templates (see below).
Sending to PNS: The hub maintains persistent HTTP/2 connections to each PNS (APNs uses HTTP/2, FCM uses HTTP/2 or XMPP, WNS uses HTTP/1.1). It sends the formatted message to the PNS endpoint. The hub uses a token-based authentication with each PNS (e.g., APNs uses TLS with a provider certificate or token-based authentication).
Feedback Handling: The PNS returns a response indicating success or failure. Common failures include invalid tokens (device unregistered), expired tokens, or payload too large. The hub processes these responses and updates the registration status (e.g., marks a registration as expired). For APNs, the hub also receives feedback via the APNs feedback service (deprecated in favor of token-based feedback) or via HTTP/2 response headers.
Retry and Expiry: If a PNS is temporarily unavailable, the hub retries with exponential backoff (up to a configurable number of retries, default 3). Messages have a Time-to-Live (TTL) value (default 1 day for APNs, 4 weeks for FCM). If the message cannot be delivered within TTL, it is discarded.
Telemetry and Monitoring: The hub emits metrics such as incoming messages, successful deliveries, failed deliveries, and PNS errors. These are available via Azure Monitor, and you can set alerts.
Key Components, Values, Defaults, and Timers
- Namespace: A container for one or more notification hubs. Each namespace provides a unique endpoint (e.g., https://mynamespace.servicebus.windows.net/).
- Notification Hub: The logical entity where registrations are stored and messages are sent. Each hub has a unique connection string (access policy) with listen, send, or manage permissions.
- Access Policies: Shared Access Signature (SAS) keys with permissions: Listen (for client devices to register), Send (for backend to send), Manage (for full control). Default policies: DefaultFullSharedAccessSignature and DefaultListenSharedAccessSignature.
- Device Registration: Contains:
- Platform: e.g., apple, gcm, windows, kindle, baidu.
- Handle: Device token (APNs) or registration ID (FCM).
- Tags: Up to 60 tags per registration, each up to 120 characters.
- Expiry: Registration expires after 90 days of inactivity by default (configurable via SDK).
- TTL (Time-to-Live): Default values: APNs – 1 day (24 hours), FCM – 4 weeks (28 days), WNS – 3 days. Can be overridden per message.
- Message Size Limits: APNs – 4 KB (4096 bytes), FCM – 4 KB, WNS – 5 KB. For APNs with VoIP payloads, limit is 5 KB.
- Template Notifications: Allow sending a single message that is rendered differently per platform. For example, a template can use variables like {{message}} and {{title}}. The hub substitutes values during send.
- Batch Send: Up to 1 million devices per send operation. For larger audiences, use multiple sends or use tag expressions for segmentation.
- Scale Limits: By default, a namespace supports up to 100 notification hubs. Each hub can have up to 10 million registrations (soft limit, can be increased). Throughput: up to 10 million messages per hour per namespace for the Standard tier.
- Pricing Tiers: Free (1 million messages/month, 500 active devices), Basic (10 million messages/month, 200,000 active devices), Standard (unlimited messages, unlimited devices, includes advanced telemetry and scheduling).
Configuration and Verification Commands
To create a notification hub via Azure CLI:
# Create a namespace
az notification-hub namespace create --resource-group myRG --name myNamespace --location eastus --sku Basic
# Create a hub within the namespace
az notification-hub create --resource-group myRG --namespace-name myNamespace --name myHub
# List access policies
az notification-hub authorization-rule list --resource-group myRG --namespace-name myNamespace --notification-hub-name myHub
# Get connection string for send policy
az notification-hub authorization-rule keys list --resource-group myRG --namespace-name myNamespace --notification-hub-name myHub --name DefaultFullSharedAccessSignatureTo test sending a notification via REST:
POST https://myNamespace.servicebus.windows.net/myHub/messages?api-version=2015-01 HTTP/1.1
Authorization: SharedAccessSignature sr=myNamespace&sig=...&se=...&skn=DefaultFullSharedAccessSignature
Content-Type: application/json;charset=utf-8
ServiceBusNotification-Format: apple
{
"aps": {"alert": "Hello from NH!"}
}Interaction with Related Technologies
Azure Event Grid: Event Grid is for event-driven architectures (e.g., reacting to blob storage changes). Notification Hubs is for push notifications to mobile devices. They are complementary – you might use Event Grid to trigger an Azure Function that sends a notification via Notification Hubs.
Azure Service Bus: Service Bus is for reliable message queuing and pub/sub with topics. Notification Hubs is specifically for push notifications to platforms. Service Bus can queue messages for backend processing, but it does not interface with PNS directly.
Azure Functions: Commonly used as a backend to send notifications. A Function can be triggered by HTTP, timer, or Event Grid, then use the Notification Hubs output binding to send.
Azure Logic Apps: Can send notifications via the Notification Hubs connector, but for high volume, use Functions or SDKs.
Platform Notification Systems (PNS) Details
APNs (Apple Push Notification service): Uses HTTP/2 with TLS. Authentication: token-based (using a .p8 key) or certificate-based. The hub sends to the APNs production endpoint (api.push.apple.com:443) or sandbox (api.development.push.apple.com:443). Device tokens are 32-byte hex strings. APNs returns a :status header (200=success, 410=unregistered). The hub processes 410 to mark the registration as expired.
FCM (Firebase Cloud Messaging): Uses HTTP/2 or XMPP. Authentication: server key (legacy) or OAuth 2.0 (FCM v1). The hub sends to fcm.googleapis.com/fcm/send. Registration IDs are strings. FCM returns a JSON response with message_id on success or error on failure (e.g., InvalidRegistration, NotRegistered).
WNS (Windows Push Notification Services): Uses HTTP/1.1. Authentication: OAuth 2.0 with client secret. The hub sends to https://wns.notify.windows.com/. Device URIs are returned by Windows Notification Platform. WNS returns HTTP status codes (200=success, 410=channel expired).
Advanced Features
Scheduled Notifications: Standard tier allows scheduling notifications up to 7 days in advance.
Localized Notifications: Use templates with locale-specific strings.
Per-User Notifications: Tag devices with a user ID (e.g., user:123) to send to all devices of a user.
Direct Send: Send to a single device by specifying its handle directly (bypasses tags). Useful for testing.
Import/Export Registrations: Bulk import/export via Azure Storage blobs (Standard tier).
Common Pitfalls
Expired Registrations: If the device token changes (e.g., app reinstall), the old registration becomes stale. The hub relies on PNS feedback to detect this. Without proper cleanup, you may send to invalid tokens, causing failures.
Tag Expression Complexity: Complex expressions can increase latency. Use simple expressions for high throughput.
Message Size: Exceeding PNS limits causes silent failure. Always test payload size.
Throttling: Each PNS has its own rate limits. NH manages this internally, but excessive failures can slow down delivery.
Monitoring and Troubleshooting
Azure Monitor Metrics: Incoming Messages, Successful Messages, Failed Messages, PNS Errors. Use these to detect issues.
Diagnostic Logs: Enable logs for OperationalLogs (send operations) and PNSLogs (PNS responses).
Test Send: Use the Azure portal's 'Test Send' feature to verify payload and delivery.
Common Error Codes: 404 (hub not found), 401 (unauthorized), 403 (quota exceeded), 410 (registration expired).
Create a Notification Hub namespace and hub
In the Azure portal, navigate to 'Notification Hubs' and click 'Create'. You must first create a namespace (a container that provides a unique endpoint, e.g., `https://<namespace>.servicebus.windows.net`). Choose a pricing tier (Free, Basic, or Standard). Then create a hub within the namespace. Each hub has its own access policies. The namespace and hub names must be globally unique within the `servicebus.windows.net` domain. Typical step duration: 2 minutes.
Configure Platform Notification System (PNS) credentials
In the hub's settings, under 'Apple (APNs)', upload your .p8 key or certificate. For Google (FCM), enter the server key (legacy) or provide FCM v1 credentials. For Windows (WNS), provide the Package SID and client secret. The hub uses these credentials to authenticate with each PNS when sending notifications. Without correct credentials, the hub cannot deliver. Credentials are stored securely and can be rotated. Typical step duration: 5 minutes.
Register client devices with the hub
On the client app, use the platform-specific SDK (e.g., Azure Notification Hubs SDK for iOS/Android) to obtain a device token from the PNS (e.g., APNs token). Then call the hub's registration endpoint (via REST or SDK) to create a registration. The registration includes the device token, platform type, and optional tags (e.g., 'sports', 'userID:123'). The hub stores the registration in its internal database. Registrations have an expiry of 90 days by default; the client should refresh periodically. This step is critical for the hub to know where to send notifications.
Send a notification from the backend
The backend application (e.g., a web API, Azure Function) constructs a notification payload and sends it to the hub's REST endpoint. The payload can be platform-specific (e.g., JSON for APNs) or use templates. The hub receives the message, evaluates the tag expression (e.g., `sports && !userID:456`), looks up matching registrations, and formats the message for each platform. It then sends the formatted message to the respective PNS over persistent connections. The hub returns a response (e.g., `201 Created`) to the backend. The entire process typically takes milliseconds to seconds.
Monitor delivery and handle feedback
After sending, the hub receives feedback from each PNS. For successful deliveries, the PNS returns a success response. For failures (e.g., invalid token, expired registration), the hub updates the registration status (marks as expired). The hub emits metrics to Azure Monitor, such as 'Successful Messages' and 'Failed Messages'. The backend can also query the hub's telemetry or enable diagnostic logs to see per-message details. The hub retries failed deliveries up to a configurable number of times (default 3) within the TTL. If the TTL expires, the message is dropped.
Scenario 1: Breaking News App for a Major Media Company
A global news organization needs to push breaking news alerts to 50 million mobile devices across iOS, Android, and Windows. They choose Azure Notification Hubs Standard tier because of its unlimited devices and advanced telemetry. They tag each device with categories like world, sports, tech, and per-user tags like user:123. When a breaking story occurs, the backend sends a single notification with a tag expression like world && !user:456 to exclude a specific user. The hub handles the fan-out to all matching registrations (up to 10 million per hub). They use templates to localize the message: the payload includes variables {{title}} and {{body}}, and the hub substitutes locale-specific strings. Performance: they send up to 5 million notifications per minute during peak events. They monitor PNS errors closely; a common issue is expired APNs tokens when users delete and reinstall the app. The hub automatically marks these registrations as expired, but the client must re-register. They also use scheduled notifications for non-urgent stories, queuing them up to 7 days in advance.
Scenario 2: E-Commerce Order Updates
An e-commerce platform sends push notifications for order status changes (e.g., 'Shipped', 'Delivered'). They use Notification Hubs to send per-user notifications. Each device is tagged with the user ID (e.g., user:789). When an order status changes, the backend sends a notification with tag user:789. The hub delivers to all devices of that user (phone, tablet). They use direct send for testing. A common misconfiguration: they initially used the Free tier, but exceeded the 1 million messages/month limit, causing throttling (HTTP 403). They upgraded to Basic tier. They also encountered issues with FCM registration IDs expiring after 4 weeks of inactivity; they implemented a background refresh on the client every 2 weeks. They use Azure Monitor alerts to detect spikes in failed deliveries (e.g., >5% failure rate).
Scenario 3: Multi-Platform Gaming Notifications
A game studio sends invites and friend requests to players. They have 10 million daily active users. They use Notification Hubs with tags like game:fortnite and region:na. They send broadcast notifications for server maintenance. A challenge: they needed to send different payloads to iOS (badge, sound) vs Android (data-only). They use templates with platform-specific rendering. They also use the 'scheduled send' feature for maintenance announcements. A critical incident: during a global event, they sent a broadcast to all 10 million devices, but the hub's tag index lookup caused a few seconds of latency. They optimized by splitting the audience into smaller segments (e.g., by region) and sending multiple messages. They also discovered that the hub's default TTL of 1 day for APNs was too long for time-sensitive invites; they set TTL to 1 hour. They monitor PNS error codes: InvalidRegistration from FCM indicated a corrupted registration ID, which they fixed by updating the client SDK.
What AZ-305 Tests
Objective 4.4: 'Design a messaging solution' includes selecting the appropriate Azure messaging service for push notifications. The exam expects you to differentiate Notification Hubs from Event Grid, Service Bus, and Event Hubs. Key decision criteria: - Push notifications to mobile devices → Notification Hubs - Event-driven architectures (e.g., reacting to blob storage) → Event Grid - Message queuing with competing consumers → Service Bus - Ingesting high-volume telemetry → Event Hubs
Common exam scenario: 'A company needs to send breaking news alerts to millions of iOS and Android devices. Which Azure service should they use?' Correct answer: Notification Hubs. Wrong answer: Event Grid (because it doesn't interface with PNS).
Common Wrong Answers and Why Candidates Choose Them
Choosing Event Grid because it supports 'push': Event Grid pushes events to subscribers (e.g., webhooks), but it cannot send to APNs/FCM. Candidates confuse 'push' in general with 'push notification to mobile devices'.
Choosing Service Bus Topics: Service Bus supports pub/sub, but it doesn't format messages for PNS. Candidates think topics can fan-out to devices, but they lack the device registration and PNS integration.
Choosing Azure Functions directly: Candidates think a Function can call APNs directly. While possible, it's not scalable; the exam expects a managed service like Notification Hubs.
Selecting the wrong tier: The exam may ask which tier supports scheduled notifications or unlimited devices. Standard tier is required for scheduling and unlimited devices (Basic has a 200k device limit).
Specific Numbers and Terms That Appear on the Exam
Default TTL values: APNs = 1 day, FCM = 4 weeks, WNS = 3 days.
Maximum registrations per hub: 10 million (soft limit).
Maximum message size: 4 KB for APNs/FCM, 5 KB for WNS.
Tags: Up to 60 tags per registration, 120 characters each.
Pricing tiers: Free (500 devices, 1M msgs/month), Basic (200k devices, 10M msgs/month), Standard (unlimited).
Supported platforms: Apple (APNs), Google (FCM), Windows (WNS), Kindle (ADM), Baidu (Android in China).
Authentication: SAS tokens (not Azure AD for sending).
Edge Cases and Exceptions
Baidu Cloud Push: For Android devices in China, Google Play Services may be unavailable. Use Baidu Cloud Push via Notification Hubs.
APNs Sandbox vs Production: The hub must be configured with the correct environment. Mixing them causes delivery failures.
FCM v1 vs Legacy: The exam may test that FCM v1 uses OAuth 2.0 tokens, while legacy uses a server key.
Template Limitations: Templates cannot contain conditional logic; they are simple string substitutions.
How to Eliminate Wrong Answers
If the question mentions 'mobile devices', 'push notifications', 'iOS/Android', the answer is Notification Hubs.
If the question mentions 'event-driven', 'react to blob storage', 'webhook', it's Event Grid.
If the question mentions 'reliable queuing', 'competing consumers', 'ordered delivery', it's Service Bus.
If the question mentions 'ingest millions of events per second', 'telemetry', 'stream processing', it's Event Hubs.
Look for keywords: 'device tokens', 'PNS', 'tags', 'platform-specific'. Those are Notification Hubs terms.
Notification Hubs is the only Azure service that integrates directly with Platform Notification Systems (APNs, FCM, WNS).
Default TTL: APNs = 1 day, FCM = 4 weeks, WNS = 3 days.
Maximum registrations per hub: 10 million (soft limit).
Tags: up to 60 per registration, 120 chars each.
Message size: 4 KB (APNs/FCM), 5 KB (WNS).
Standard tier required for scheduled notifications and unlimited devices.
Authentication uses SAS tokens, not Azure AD.
Registrations expire after 90 days of inactivity (configurable).
These come up on the exam all the time. Here's how to tell them apart.
Azure Notification Hubs
Designed for push notifications to mobile devices via PNS (APNs, FCM, etc.)
Maintains device registrations with tags for segmentation
Uses SAS tokens for authentication
Supports scheduled notifications (Standard tier)
Handles PNS feedback (invalid tokens, expiry)
Azure Event Grid
Designed for event-driven architectures (e.g., blob storage, resource events)
Pushes events to subscribers via webhooks, Azure Functions, or Service Bus
Uses Azure AD authentication for topics and subscriptions
Does not support scheduled delivery
Does not manage device tokens or PNS feedback
Mistake
Notification Hubs can send notifications to any HTTP endpoint.
Correct
Notification Hubs only sends to Platform Notification Systems (APNs, FCM, WNS, ADM, Baidu). It does not send to generic webhooks or HTTP endpoints. For that, use Event Grid or Service Bus.
Mistake
Notification Hubs uses Azure AD for authentication.
Correct
Notification Hubs uses Shared Access Signature (SAS) tokens for authentication, not Azure AD. Access policies (Listen, Send, Manage) are associated with SAS keys.
Mistake
You can send notifications without registering devices first.
Correct
Device registration is mandatory. The hub needs a valid device token/registration ID from the PNS to deliver. Without registration, the hub has no target.
Mistake
Notification Hubs guarantees exactly-once delivery.
Correct
Notification Hubs provides at-most-once delivery. Messages may be lost if the PNS is unreachable or the device token is invalid. For reliable delivery, use Service Bus with duplicate detection.
Mistake
The Free tier supports unlimited devices.
Correct
The Free tier supports up to 500 active devices. For unlimited devices, you need the Standard tier.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Notification Hubs is specifically for push notifications to mobile devices via platform notification services (APNs, FCM, WNS). It manages device registrations, tags, and PNS feedback. Event Grid is for event-driven architectures, pushing events to subscribers like webhooks or Azure Functions. Event Grid cannot send to APNs or FCM directly. For AZ-305, if the scenario involves mobile push notifications, choose Notification Hubs.
By default, a Notification Hub supports up to 10 million device registrations. This is a soft limit that can be increased by contacting support. For sending, you can send to up to 1 million devices per API call using tag expressions or broadcast. For larger audiences, you can send multiple messages or use multiple hubs.
No, Notification Hubs does not support web push notifications (e.g., via Web Push API). For browser push, you would need to implement a custom solution using Service Workers and a service like Firebase Cloud Messaging for web. Notification Hubs supports only native mobile platforms and Windows desktop via WNS.
Notification Hubs automatically processes feedback from PNS (e.g., APNs returns 410 for invalid tokens) and marks the registration as expired. The hub will not attempt to send to expired registrations. However, it is recommended that client apps refresh their registration periodically (e.g., every 30 days) to ensure tokens are up to date. You can also manually clean up registrations via the API.
There are three tiers: Free (up to 500 active devices, 1 million messages/month), Basic (up to 200,000 active devices, 10 million messages/month), and Standard (unlimited devices and messages, includes scheduled notifications and advanced telemetry). For AZ-305, remember that scheduled notifications require Standard tier.
Yes, by tagging each device registration with a user identifier (e.g., 'user:123'). Then send a notification with that tag, and all devices registered with that user tag will receive it. This is called per-user push.
In the Azure portal, navigate to your Notification Hub, select 'Test Send' under the 'Troubleshooting' section. You can choose the platform (e.g., Apple, Google), enter a device handle, and send a test payload. This is useful for verifying credentials and payload format.
You've just covered Azure Notification Hubs for Push at Scale — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?