Dev Center

How to configure the Core, Identity and Access Management, Catalogs, Environments and Projects settings for the Dev Center
Tags:

Dev Center Configuration Guide

Overview

The devcenter.yaml file is the central configuration for the Microsoft Dev Box Accelerator. It defines the structure, governance, and operational parameters for a Dev Center resource in Azure, enabling organizations to provide secure, scalable, and role-specific developer workstations (Dev Boxes). This YAML orchestrates Dev Box pools, access controls, environment types, project boundaries, and integration with version-controlled catalogs, ensuring a modular and decoupled approach to developer environment management.

Key Roles of this YAML:

  • Centralizes Dev Center resource setup and policy.
  • Defines projects, environments, and access controls.
  • Integrates with Git-based catalogs for configuration-as-code.
  • Enables automated, role-specific Dev Box provisioning.

Configuration Sections

Below is a breakdown of each major section, its YAML representation, and an explanation of its purpose.

Dev Center Metadata

name: "devexp-devcenter"
  • name: Globally unique identifier for the Dev Center resource.

Global Settings

catalogItemSyncEnableStatus: "Enabled"
microsoftHostedNetworkEnableStatus: "Enabled"
installAzureMonitorAgentEnableStatus: "Enabled"
  • catalogItemSyncEnableStatus: Enables automatic sync of catalog items from source repositories.
  • microsoftHostedNetworkEnableStatus: Uses Microsoft-managed networking for Dev Boxes (simplifies setup).
  • installAzureMonitorAgentEnableStatus: Installs Azure Monitor agent for monitoring and compliance.

Identity and Access Control

identity:
  type: "SystemAssigned"
  roleAssignments:
    devCenter:
      - id: "b24988ac-6180-42a0-ab88-20f7382dd24c"
        name: "Contributor"
        scope: "Subscription"
      - id: "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
        name: "User Access Administrator"
        scope: "Subscription"
      - id: "4633458b-17de-408a-b874-0445c86b69e6"
        name: "Key Vault Secrets User"
        scope: "ResourceGroup"
      - id: "b86a8fe4-44ce-4948-aee5-eccb2c155cd7"
        name: "Key Vault Secrets Officer"
        scope: "ResourceGroup"
    orgRoleTypes:
      - type: DevManager
        azureADGroupId: "5a1d1455-e771-4c19-aa03-fb4a08418f22"
        azureADGroupName: "Platform Engineering Team"
        azureRBACRoles:
          - name: "DevCenter Project Admin"
            id: "331c37c6-af14-46d9-b9f4-e1909e1b95a0"
            scope: ResourceGroup
  • type: Managed identity type (SystemAssigned recommended for simplicity).
  • roleAssignments: Assigns Azure RBAC roles to the Dev Center and organizational groups for secure operations. Includes both resource-level (devCenter) and organization-level (orgRoleTypes) assignments, with explicit scopes for each role.

Catalogs

catalogs:
  - name: "customTasks"
    type: gitHub
    uri: "https://github.com/Evilazaro/DevExp-DevBox.git"
    branch: "main"
    path: "/.configuration/devcenter/tasks"
  • catalogs: List of Git-based repositories containing configuration scripts and templates for Dev Box customization. Use version-controlled repositories for configuration-as-code.

Environment Types

environmentTypes:
  - name: "dev"
    deploymentTargetId: ""
  - name: "staging"
    deploymentTargetId: ""
  - name: "UAT"
    deploymentTargetId: ""
  • environmentTypes: Defines deployment environments (e.g., dev, staging, UAT) for SDLC alignment.

Projects

Each project is a distinct logical unit with its own network, pools, catalogs, access controls, and tags.

Example Project Structure

projects:
  - name: "identityProvider"
    description: "Identity Provider project."
    network:
      name: identityProvider
      create: true
      resourceGroupName: "identityProvider-connectivity-RG"
      virtualNetworkType: Managed
      addressPrefixes:
        - 10.0.0.0/16
      subnets:
        - name: identityProvider-subnet
          properties:
            addressPrefix: 10.0.1.0/24
      tags:
        environment: dev
        division: Platforms
        team: DevExP
        project: DevExP-DevBox
        costCenter: IT
        owner: Contoso
        resources: Network
    identity:
      type: SystemAssigned
      roleAssignments:
        - azureADGroupId: "67a29bc3-f25c-4599-9cb1-4da19507e8ee"
          azureADGroupName: "Identity Provider Engineers"
          azureRBACRoles:
            - name: "Contributor"
              id: "b24988ac-6180-42a0-ab88-20f7382dd24c"
              scope: Project
            - name: "Dev Box User"
              id: "45d50f46-0b78-4001-a660-4198cbe8cd05"
              scope: Project
            - name: "Deployment Environment User"
              id: "18e40d4e-8d2e-438d-97e1-9528336e149c"
              scope: Project
            - name: "Key Vault Secrets User"
              id: "4633458b-17de-408a-b874-0445c86b69e6"
              scope: ResourceGroup
            - id: "b86a8fe4-44ce-4948-aee5-eccb2c155cd7"
              name: "Key Vault Secrets Officer"
              scope: ResourceGroup
    pools:
      - name: "backend-engineer"
        imageDefinitionName: "identityProvider-backend-engineer"
        vmSku: general_i_32c128gb512ssd_v2
      - name: "frontend-engineer"
        imageDefinitionName: "identityProvider-frontend-engineer"
        vmSku: general_i_16c64gb256ssd_v2
    environmentTypes:
      - name: "dev"
        deploymentTargetId: ""
      - name: "staging"
        deploymentTargetId: ""
    catalogs:
      environmentDefinition:
        name: "environments"
        type: gitHub
        uri: "https://github.com/Evilazaro/IdentityProvider.git"
        branch: "main"
        path: "/.configuration/devcenter/environments"
      imageDefinition:
        name: "imageDefinitions"
        type: gitHub
        uri: "https://github.com/Evilazaro/IdentityProvider.git"
        branch: "main"
        path: "/.configuration/devcenter/imageDefinitions"
    tags:
      environment: "dev"
      division: "Platforms"
      team: "DevExP"
      project: "DevExP-DevBox"
      costCenter: "IT"
      owner: "Contoso"
      resources: "Project"

Key Elements:

  • network: Project-level network configuration, including VNet, subnets, and network tags. Use Managed for Azure-managed networking.
  • identity: Project-level identity and RBAC assignments, with explicit scopes for each role.
  • pools: Role-specific Dev Box pools (e.g., backend, frontend) with VM SKU specified for each pool.
  • environmentTypes: Environments available to the project.
  • catalogs: Project-specific catalogs for IaC and image definitions. Note the path differences for each project.
  • tags: Resource tags for governance and cost tracking.

Top-Level Tags

tags:
  environment: "dev"
  division: "Platforms"
  team: "DevExP"
  project: "DevExP-DevBox"
  costCenter: "IT"
  owner: "Contoso"
  resources: "DevCenter"
  • tags: Applied to the Dev Center resource for consistent governance, cost allocation, and ownership tracking.

Best Practices

  • Use Azure AD Groups: Assign permissions via groups, not individuals, for easier management.
  • Leverage Tags: Apply consistent tags for cost tracking, ownership, and resource organization.
  • Keep Catalogs Modular: Separate environment and image definitions for flexibility and reuse.
  • Automate Sync: Enable catalog sync for up-to-date Dev Box provisioning.
  • Align Environments with SDLC: Define dev, staging, and UAT environments to match your release process.
  • Review RBAC Assignments: Grant only necessary permissions to minimize risk, and use explicit scopes.
  • Document Custom Pools: Clearly describe the purpose, configuration, and VM SKU of each Dev Box pool for maintainability.
  • Use the network section: Define project-level network configuration for each project to control connectivity and isolation.

References

Tip: To onboard a new team, add a new entry under projects with its own identity, pools, catalogs, and tags.
Use Case: Isolates access and configurations for different business units or applications.

Last modified August 4, 2025: Update Documentation (7630605)