|
| 1 | +# Azure DevOps Services vs Azure DevOps Server – Technical Recap |
| 2 | + |
| 3 | +Costa Rica |
| 4 | + |
| 5 | +[](https://github.com/) |
| 6 | +[brown9804](https://github.com/brown9804) |
| 7 | + |
| 8 | +Last updated: 2025-07-17 |
| 9 | + |
| 10 | +---------- |
| 11 | + |
| 12 | +<img width="1867" height="548" alt="image" src="https://github.com/user-attachments/assets/d7920c93-9c86-4107-89d6-6019fbbd0287" /> |
| 13 | + |
| 14 | +From [Pricing for Azure DevOps](https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/) |
| 15 | + |
| 16 | +| Feature | Azure DevOps Services (Cloud) | Azure DevOps Server (On-Premises) | |
| 17 | +|------------------------|-------------------------------|------------------------------------| |
| 18 | +| Hosting | Microsoft-managed cloud | Self-hosted infrastructure | |
| 19 | +| Cost Model | Pay-as-you-go | Licensing + infrastructure | |
| 20 | +| Maintenance | Automatic updates | Manual updates and patching | |
| 21 | +| Scalability | Elastic, global | Limited by hardware | |
| 22 | +| Security | Microsoft Entra ID, RBAC | Full control, custom policies | |
| 23 | +| Integration | Azure, GitHub, cloud-native | Legacy systems, custom tools | |
| 24 | +| Offline Use | Not supported | Fully supported | |
| 25 | +| Compliance | Meets most standards | Best for strict regulatory needs | |
| 26 | + |
| 27 | + |
| 28 | +<details> |
| 29 | +<summary><strong>Hosting </strong></summary> |
| 30 | + |
| 31 | +Definition: |
| 32 | +- Cloud: Microsoft hosts the entire service stack (web UI, APIs, storage, backups, HA). |
| 33 | +- On-Premises: You host the application tier, SQL Server, storage and networking in your environment. |
| 34 | + |
| 35 | +Operational impact: |
| 36 | +- Cloud: minimal ops, fast onboarding, dependency on internet and Microsoft availability. |
| 37 | +- On-Premises: full control over network, physical access and data locality; requires staff to operate. |
| 38 | + |
| 39 | +Pros / Cons: |
| 40 | +- Cloud pros: low operational burden, automatic HA, global endpoints. Cons: less control over maintenance windows, compliance exceptions may apply. |
| 41 | +- On-Prem pros: absolute control over network and storage location. Cons: CAPEX and dedicated admin teams. |
| 42 | + |
| 43 | +Checklist if you choose On‑Prem: |
| 44 | +- Size SQL Server (IOPS, memory), design backups and DR. |
| 45 | +- Plan maintenance windows and staging upgrades. |
| 46 | +- Define network segmentation and firewall rules. |
| 47 | +</details> |
| 48 | + |
| 49 | +<details> |
| 50 | +<summary><strong>Cost Model </strong></summary> |
| 51 | + |
| 52 | +What it means: |
| 53 | +- Pay-as-you-go: Ongoing OPEX for users, parallel jobs, hosted minutes and artifact storage. |
| 54 | +- Licensing + infrastructure: Upfront server and CAL licenses plus hardware/network costs. |
| 55 | + |
| 56 | +Financial implications: |
| 57 | +- Cloud: predictable monthly billing, easier to scale up/down; watch usage spikes like pipeline minutes and artifact storage. |
| 58 | +- On‑Prem: higher upfront cost, possible lower long-term marginal cost, but staff & power are recurring. |
| 59 | + |
| 60 | +Optimization tips: |
| 61 | +- Use self-hosted agents to reduce hosted pipeline minute costs. |
| 62 | +- Audit and reclaim licenses and inactive accounts monthly. |
| 63 | +</details> |
| 64 | + |
| 65 | +<details> |
| 66 | +<summary><strong>Maintenance </strong></summary> |
| 67 | + |
| 68 | +- Cloud behavior: Microsoft pushes feature updates, security patches and platform improvements continuously. No server maintenance required. |
| 69 | +- On‑Prem responsibilities: You must plan upgrades, test migrations, apply security patches to OS/SQL, and maintain backups. |
| 70 | + |
| 71 | +Best practices: |
| 72 | +- Cloud: follow Microsoft release notes; test critical pipelines in isolated projects after major changes. |
| 73 | +- On‑Prem: maintain a test/staging environment for upgrades and automate backups with restore drills. |
| 74 | + |
| 75 | +</details> |
| 76 | + |
| 77 | +<details> |
| 78 | +<summary><strong>Scalability </strong></summary> |
| 79 | + |
| 80 | +- Cloud advantages: Elastic compute for hosted agents, storage scaled by the provider, and global endpoints for distributed teams. |
| 81 | +- On‑Prem constraints: Scale requires provisioning additional VMs/servers, storage and possibly database sharding/replication. |
| 82 | + |
| 83 | +Capacity planning: |
| 84 | +- Cloud: rely on autoscaling and pay-as-you-grow. |
| 85 | +- On‑Prem: implement monitoring, capacity reserves and purchase cycles. |
| 86 | + |
| 87 | +</details> |
| 88 | + |
| 89 | +<details> |
| 90 | +<summary><strong>Security </strong></summary> |
| 91 | + |
| 92 | +- Cloud controls: Integrates with Microsoft Entra ID: SSO, MFA, Conditional Access and RBAC at organization/project level. |
| 93 | +- On‑Prem controls: Use AD, ADFS or custom auth; implement internal SIEM, bespoke firewall rules, HSMs and advanced network segmentation. |
| 94 | + |
| 95 | +Trade-offs: |
| 96 | +- Cloud reduces operational security burden but implies a shared responsibility model. |
| 97 | +- On‑Prem grants total control but requires mature security ops. |
| 98 | + |
| 99 | +Operational checklist: |
| 100 | +- Enforce least privilege, enable MFA, centralize audit logs, and periodically review access. |
| 101 | +</details> |
| 102 | + |
| 103 | +<details> |
| 104 | +<summary><strong>Integration </strong></summary> |
| 105 | + |
| 106 | +- Cloud strengths: Native connectors to Azure services, GitHub, marketplace extensions, webhooks and SaaS tooling. |
| 107 | +- On‑Prem strengths: Direct network access to internal systems (databases, legacy build systems, SCADA), enabling simpler internal integrations. |
| 108 | +- Bridging strategies: Use self-hosted agents or secure gateway/proxy patterns to enable hybrid connectivity. |
| 109 | + |
| 110 | +</details> |
| 111 | + |
| 112 | +<details> |
| 113 | +<summary><strong>Offline Use </strong></summary> |
| 114 | + |
| 115 | +Explanation: |
| 116 | +- Cloud requires internet access to reach Microsoft-managed endpoints; not suitable for strictly air‑gapped environments. |
| 117 | +- On‑Prem can be fully offline, supporting builds, releases and artifact storage without external connectivity. |
| 118 | + |
| 119 | +- When to choose On‑Prem: Classified projects, OT/manufacturing environments, or government systems mandating network isolation. |
| 120 | +- Operational tips: For air‑gapped On‑Prem, plan internal distribution of updates and secure artifact promotion procedures. |
| 121 | + |
| 122 | +</details> |
| 123 | + |
| 124 | +<details> |
| 125 | +<summary><strong>Compliance </strong></summary> |
| 126 | + |
| 127 | +- Cloud compliance:Microsoft maintains many certifications (ISO, SOC, GDPR, HIPAA etc.) and provides attestation packages. |
| 128 | +- On‑Prem compliance: Enables physical control, in-country data residency and customized retention/audit policies required by some regulations. |
| 129 | +- Decision guidance: Map specific regulatory controls to cloud provider attestations; choose On‑Prem if any required control cannot be satisfied by cloud attestations. |
| 130 | + |
| 131 | +</details> |
| 132 | + |
| 133 | + |
| 134 | +## Billing Explained |
| 135 | + |
| 136 | +> Even if you're using Microsoft 365 (Office 365), billing for Azure DevOps is handled through an **Azure subscription**. `Why billing goes through Azure`: Azure DevOps Services consumes Azure billing constructs: the organization must be linked to an Azure subscription (owner/billing admin) to pay for paid features, parallel jobs and other billable resources. |
| 137 | +
|
| 138 | +Billing Options: |
| 139 | + |
| 140 | +| Billing Type | Credit Card Required? | Notes | |
| 141 | +|----------------------------|-----------------------|--------------------------------| |
| 142 | +| Pay-As-You-Go | Yes (by default) | Can request invoice billing | |
| 143 | +| Enterprise Agreement (EA) | No | Invoiced billing | |
| 144 | +| Cloud Solution Provider (CSP) | No | Partner-managed billing | |
| 145 | +| Invoice Billing (Pay-As-You-Go) | No (after approval) | Requires credit check | |
| 146 | + |
| 147 | +<details> |
| 148 | +<summary><strong>Pay‑As‑You‑Go</strong></summary> |
| 149 | + |
| 150 | +- Description: Standard Azure subscription billing with monthly charges tied to consumption and purchased licenses. |
| 151 | +- When to choose: Small organizations, pilots, or projects with variable usage. |
| 152 | +- Pros: Quick setup, flexible, integrates with Azure Cost Management. |
| 153 | +- Cons: Default requires a credit card; invoice billing requires approval. |
| 154 | + |
| 155 | +Operational tips: |
| 156 | +- Use budgets + alerts to prevent surprises. |
| 157 | +- Move heavy CI workloads to self‑hosted agents where cost-effective. |
| 158 | +- Enable caching and incremental builds to reduce minutes. |
| 159 | +</details> |
| 160 | + |
| 161 | +<details> |
| 162 | +<summary><strong>Enterprise Agreement (EA)</strong></summary> |
| 163 | + |
| 164 | +- Description: Volume licensing and consolidated invoicing for large organizations. |
| 165 | +- When to choose: Large enterprises with predictable spend and procurement processes. |
| 166 | +- Benefits: Consolidated invoices, procurement alignment, potential negotiated terms. |
| 167 | + |
| 168 | +</details> |
| 169 | + |
| 170 | +<details> |
| 171 | +<summary><strong>Cloud Solution Provider (CSP)</strong></summary> |
| 172 | + |
| 173 | +- Description: Partner-managed billing (billing handled by a CSP). |
| 174 | +- When to choose: Organizations that want partner-managed billing, consolidated vendor support or managed services. |
| 175 | +- Notes: Simplifies procurement but ties invoicing/support to the partner. |
| 176 | + |
| 177 | +</details> |
| 178 | + |
| 179 | +<details> |
| 180 | +<summary><strong>Invoice Billing (Pay-As-You-Go → Invoice)</strong></summary> |
| 181 | + |
| 182 | +- Description: Convert Pay‑As‑You‑Go to invoice billing for PO-driven organizations. |
| 183 | +- Requirements: Credit checks and Azure support engagement; expect lead time. |
| 184 | +- Operational note: Prepare procurement contacts and documentation before requesting conversion. |
| 185 | + |
| 186 | +</details> |
| 187 | + |
| 188 | +Primary cost drivers: |
| 189 | +- Paid user licenses beyond free tiers |
| 190 | +- Microsoft-hosted pipeline minutes and parallel jobs |
| 191 | +- Azure Artifacts storage and retention |
| 192 | +- Marketplace paid extensions and premium Test Plans |
| 193 | + |
| 194 | +Billing roles (examples): |
| 195 | +- Billing owner: Azure subscription Owner, responsible for payment methods and invoices. |
| 196 | +- Organization billing admin: Azure DevOps organization owner, links org to subscription and purchases organization licenses. |
| 197 | + |
| 198 | +Cost controls & best practices: |
| 199 | +- Use self-hosted agents: offload heavy builds to reduce hosted-minute cost. |
| 200 | +- Apply artifact retention policies: delete stale artifacts automatically. |
| 201 | +- Assign Stakeholder access for non-devs: reduce paid Basic seats. |
| 202 | + |
| 203 | +</details> |
| 204 | + |
| 205 | + |
| 206 | +## Free Licenses in Azure DevOps |
| 207 | + |
| 208 | + |
| 209 | +| Plan | Users | Cost | |
| 210 | +|--------------------|---------------|-------------------| |
| 211 | +| Basic | First 5 users | Free | |
| 212 | +| Basic (6+ users) | Each additional | $6/user/month | |
| 213 | +| Basic + Test Plans | Per user | $52/user/month | |
| 214 | + |
| 215 | +- Applies **per organization**, regardless of billing method. |
| 216 | +- Includes: |
| 217 | + - Azure Boards |
| 218 | + - Azure Repos |
| 219 | + - Azure Pipelines (1 free Microsoft-hosted job) |
| 220 | + - Azure Artifacts (2 GiB free) |
| 221 | + |
| 222 | + |
| 223 | +<details> |
| 224 | +<summary><strong>Basic (first 5 users free)</strong></summary> |
| 225 | + |
| 226 | +- What it covers: Up to five Basic users are free per organization, full access to core DevOps features. |
| 227 | +- When to use: Small teams or initial pilot orgs; use Stakeholder role for non-developer contributors. |
| 228 | +- Management tip: Periodically audit active users and reclaim unused Basic seats. |
| 229 | + |
| 230 | +</details> |
| 231 | + |
| 232 | +<details> |
| 233 | +<summary><strong>Basic (paid) & Basic + Test Plans </strong></summary> |
| 234 | + |
| 235 | +- Cost control: Assign Stakeholder access where appropriate; use Azure AD groups to manage license assignment. |
| 236 | +- Test Plans: Use Basic + Test Plans only for roles that require manual/exploratory testing features; automate tests in pipelines as a lower-cost alternative. |
| 237 | + |
| 238 | +</details> |
| 239 | + |
| 240 | +<img width="1036" height="765" alt="image" src="https://github.com/user-attachments/assets/ae605a5d-1c96-4bd5-9597-d0b05212c61c" /> |
| 241 | + |
| 242 | +> Click here to understand more about [Pricing for Azure DevOps](https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/) |
| 243 | +
|
| 244 | +## How to Configure Billing |
| 245 | + |
| 246 | +> [!NOTE] |
| 247 | +> Azure DevOps and Microsoft 365 can share the same **Microsoft Entra ID tenant**, but billing is **not unified**. |
| 248 | +
|
| 249 | +Setup: |
| 250 | + |
| 251 | +1. **Create or use an Azure subscription** (EA, CSP, or Pay-As-You-Go). |
| 252 | +2. Go to `https://dev.azure.com/{your-org}`. |
| 253 | +3. Navigate to **Organization Settings > Billing**. |
| 254 | +4. Click **Set up billing** and select your Azure subscription. |
| 255 | +5. Save and confirm. |
| 256 | + |
| 257 | +## Recommended Architecture: GitHub + Azure DevOps |
| 258 | + |
| 259 | +| Component | Recommended Tool | Reason | |
| 260 | +|--------------------|------------------------|-----------------------------------------| |
| 261 | +| Source Code | GitHub | Developer familiarity, GitHub Advanced Security | |
| 262 | +| CI/CD Pipelines | Azure Pipelines | Enterprise-grade workflows, hybrid agents | |
| 263 | +| Project Tracking | Azure Boards | Agile tools, sprint planning | |
| 264 | +| Dashboards & Reporting | Azure DevOps | Custom dashboards, work item analytics | |
| 265 | +| Security | GitHub + Azure DevOps | Secret scanning, RBAC, audit logs | |
| 266 | + |
| 267 | +> Why GitHub for Repos: |
| 268 | +- Rich collaboration features (PRs, reviews) |
| 269 | +- GitHub Advanced Security |
| 270 | +- Open-source friendliness |
| 271 | +- IDE integration (VS Code, Copilot) |
| 272 | + |
| 273 | +<details> |
| 274 | +<summary><strong>Why GitHub for Repos</strong></summary> |
| 275 | + |
| 276 | +- Overview: GitHub is built for collaborative Git workflows (PRs, reviews, issues) and excels at developer ergonomics and open-source integration. |
| 277 | +- Key benefits: |
| 278 | + - Rich collaboration: PRs, draft PRs, required reviews, inline suggestions and code owners. |
| 279 | + - Security: GitHub Advanced Security (SAST, secret scanning, dependency alerts). |
| 280 | + - Ecosystem: Actions, Marketplace apps, Codespaces and large community libraries. |
| 281 | + - Developer experience: Tight IDE/CLI integration (VS Code, Copilot, GH CLI) and instant dev environments (Codespaces). |
| 282 | +- Practical examples: |
| 283 | + - Protect branches with required checks and CODEOWNERS for automatic reviewers. |
| 284 | + - Run code scanning + dependency checks in PR pipelines to block risky merges. |
| 285 | + - Use Actions or external CI to publish artifacts to registries (use LFS for large files). |
| 286 | +- Implementation checklist: |
| 287 | + - Define branch protection rules and PR templates. |
| 288 | + - Configure CODEOWNERS and required status checks. |
| 289 | + - Enable GitHub Advanced Security features where available. |
| 290 | + - Decide storage strategy for large binaries (Git LFS or external artifact store). |
| 291 | +- Common pitfalls: |
| 292 | + - Storing large binaries directly in Git (use LFS). |
| 293 | + - Missing pre-merge security checks (adds risk). |
| 294 | + - Over-permissive merge policies or no CODEOWNERS (reduces review quality). |
| 295 | +</details> |
| 296 | + |
| 297 | + |
| 298 | +> Why Azure DevOps for Pipelines & Boards: |
| 299 | +- Multi-stage CI/CD |
| 300 | +- Kanban boards and work item tracking |
| 301 | +- Test plans and artifacts |
| 302 | +- Enterprise integration with Azure |
| 303 | + |
| 304 | +<details> |
| 305 | +<summary><strong>Why Azure DevOps for Pipelines & Boards</strong></summary> |
| 306 | + |
| 307 | +- Overview: Azure DevOps Pipelines + Boards provide enterprise-grade CI/CD orchestration and end-to-end traceability from backlog to release. |
| 308 | +- Key benefits: |
| 309 | + - Multi-stage CI/CD: YAML pipelines, artifact promotion, approvals and release gates. |
| 310 | + - Hybrid agent model: Microsoft-hosted agents for low ops and self-hosted agents inside your network for sensitive workloads. |
| 311 | + - Traceability: Link work items → commits → builds → releases for audit and reporting. |
| 312 | + - Test & artifacts: Integrated Test Plans and Azure Artifacts with retention controls. |
| 313 | +- Practical examples: |
| 314 | + - Implement a multi-stage YAML pipeline that promotes an artifact dev → staging → prod with approval gates. |
| 315 | + - Deploy self-hosted agent pools inside a VNet to access internal DBs or private registries. |
| 316 | + - Use Azure Boards to link backlog items to PRs and pipeline runs for release notes and compliance evidence. |
| 317 | +- Implementation checklist: |
| 318 | + - Store pipeline YAML in repo and enable pipeline protections. |
| 319 | + - Design environments and approval gates for production rollouts. |
| 320 | + - Choose agent strategy (hosted vs self-hosted) and size pools to match concurrency needs. |
| 321 | + - Integrate secrets with Azure Key Vault and grant pipelines least privilege. |
| 322 | +- Common pitfalls: |
| 323 | + - Not monitoring hosted-agent minutes (unexpected costs). |
| 324 | + - Weak environment gating causing unsafe promotions. |
| 325 | + - Failing to link work items to commits/PRs (loses traceability). |
| 326 | + |
| 327 | +## Use Case Matrix |
| 328 | + |
| 329 | +| Use Case | Azure DevOps Services | Azure DevOps Server | |
| 330 | +|---------------------|-----------------------|---------------------| |
| 331 | +| Small Agile Teams | Supported | Overkill | |
| 332 | +| Global Collaboration| Supported | Requires VPN | |
| 333 | +| CI/CD Pipelines | Microsoft-hosted agents | Self-hosted agents | |
| 334 | +| Azure Integration | Seamless | Manual setup | |
| 335 | +| GitHub Integration | Native | Manual | |
| 336 | +| Compliance Needs | Most standards | Full control | |
| 337 | +| Offline Development | Not supported | Ideal | |
| 338 | +| Legacy Systems | Limited | Easier integration | |
| 339 | +| Custom Security | Entra ID only | Full control | |
| 340 | +| Cost Management | Elastic | Upfront investment | |
| 341 | + |
| 342 | +<details> |
| 343 | +<summary><strong>What "Full control" means (expand)</strong></summary> |
| 344 | + |
| 345 | +- Definition: Full control covers complete ownership of infrastructure, identity providers, physical access, logging, retention and custom security appliances (HSMs, firewalls). It includes the ability to: |
| 346 | + - Enforce network isolation and bespoke firewall rules. |
| 347 | + - Use custom or legacy identity systems (AD/ADFS) and on-prem HSMs. |
| 348 | + - Retain raw logs, run in-house SIEMs, and store data entirely within a specific geographic location. |
| 349 | + |
| 350 | +- Implications: |
| 351 | + - Higher operational cost and staffing needs. |
| 352 | + - Greater ability to meet strict regulatory or contractual requirements. |
| 353 | + - Requires formal processes for backups, DR, patching and audit evidence. |
| 354 | + |
| 355 | +</details> |
| 356 | + |
| 357 | +<details> |
| 358 | +<summary><strong>What "Entra ID only" means</strong></summary> |
| 359 | + |
| 360 | +- Definition: The cloud Service relies on Microsoft Entra ID for authentication/authorization, conditional access and MFA. Custom identity models are limited and must be federated through Entra ID. |
| 361 | +- Implication: Simpler central management but less flexibility for legacy auth requirements; use federation if on-prem identity must be preserved. |
| 362 | + |
| 363 | +</details> |
| 364 | + |
| 365 | +<details> |
| 366 | +<summary><strong>Offline / Air‑gapped workflows</strong></summary> |
| 367 | + |
| 368 | +- When to choose On‑Prem: Classified projects, OT/manufacturing, or government systems that cannot accept external connectivity. |
| 369 | +- Operational checklist for air‑gapped deployments: |
| 370 | + - Plan internal distribution of updates and signed packages. |
| 371 | + - Implement strict artifact promotion and verification processes. |
| 372 | + - Run internal build agents and maintain private artifact registries. |
| 373 | +</details> |
| 374 | + |
| 375 | +<!-- START BADGE --> |
| 376 | +<div align="center"> |
| 377 | + <img src="https://img.shields.io/badge/Total%20views-1403-limegreen" alt="Total views"> |
| 378 | + <p>Refresh Date: 2025-09-05</p> |
| 379 | +</div> |
| 380 | +<!-- END BADGE --> |
0 commit comments