Streamlining engineering at Microsoft with Azure DevOps

Mar 27, 2024

Microsoft runs on Microsoft technology. We are the proving ground for our products, and when we say that software is enterprise-ready, we mean that we have already built it for, and run it at scale in, our own enterprise.

We are in the business of building the future of technology. And more often than not, our software is built using Microsoft Azure DevOps.

Microsoft Azure DevOps was designed to support enterprise teams who need a collaboration and product management tool with organizational structures and robust security controls that meet the real world of how teams are actually run. With Microsoft Azure DevOps we can smartly plan our projects, improve collaboration, and ship our products faster with increased visibility, security, and efficiency.

“Microsoft is undergoing a mission to transform the way we work. There are three key pillars to this strategy: tools, processes, and people,” says Heather Pfluger, general manager of Infrastructure & Engineering Services in Microsoft Digital Employee Experience (MDEE), the company’s IT organization. “But the operative change is to our culture.”

We take pride in developing our software through the real-world use of our global teams. We refer to ourselves in these cases as “Customer Zero,” where we are effectively the launch customer for our product engineering teams. This allows our employees to use leading-edge solutions before our customers do, so that we can improve our products based on our real-world usage.

Shifting left: building a tool for the modern engineering environment

This story begins with the launch of Windows Azure in 2008, which became Microsoft Azure in 2010 and really started to come of age by 2014. That’s when MDEE, and nearly every other team at Microsoft, began migrating their legacy workloads to Azure. The team that became MDEE was faced with a momentous leap forward due to the cloud, which created an opportunity to revolutionize our engineering processes.

One way that we describe this culture shift internally is “shifting left.” We are moving our engineering focus closer to our dev teams by giving them more tools and more power to efficiently drive their progress right at the early stage of development.

[Figure: A graphical timeline of cloud technology implementation. Caption: Our timeline for moving the company to the cloud.]

Our developers have what they need to do the job at hand, while at the same time we introduce efficiencies in team structure, organization, and security. What used to take a large team of engineers and testers to accomplish is now taken care of by leaner, more agile developer teams themselves, with the aid of automations and Microsoft Azure’s inherent security features.

Microsoft Azure DevOps is all about productivity for developers, and over many years of refining our processes we’ve increased both the quality and velocity of our output. We have the entire MDEE organization running on a single Azure DevOps instance, which gives unprecedented visibility and accountability for our processes.

In an organization our size, which has been creating software for as long as we have, a recurring concern is the long-term traceability and maintenance of our code. Today, we have new processes in place to better organize our output and make it easier for future Microsoft engineers to understand what we’ve built.

“Using area paths, we mapped out the entire organization and created a hard chain of custody for every line of code, in every repo,” says Martin O’Flaherty, principal PM manager of the MDEE Engineering Systems team. “If you create something, it will be tied to a repo, which will be tied to a team. No longer will there be code that can’t be accounted for – it’s all hard-wired in the backend. If something goes wrong, we immediately have a point of contact for the person who is accountable to remediate the issue.”

On our single Microsoft Azure DevOps instance, we have thousands of daily active users, thousands of repos, and more than 20,000 build and release pipelines. We’ve shown that Azure DevOps, right out of the box, not only handles our scale but excels at it. Azure DevOps is propelling us forward and accelerating our progress.

Get clean and stay clean

A significant opportunity we had with moving our entire engineering team to a common deployment of Microsoft Azure DevOps was cataloging and consolidating all our services. This process, which started five years ago, led to the retirement of nearly 30 percent of our legacy applications, while enabling us to deploy what remained to the cloud. By carefully selecting which applications and processes to continue and which to sunset, we quickly improved our security posture. We refer to this era as “getting clean.”

“[However] the journey never ends, as technology is always evolving,” O’Flaherty says. “What we considered secure in 2017 is so rudimentary to how we approach things now. This is why we must ‘stay clean’ by continually monitoring the guardrails we put in place for our developers.”

Pursuing the mission of maintaining a strong security posture throughout our Microsoft Azure DevOps instance supports a simple imperative: if our primary tool for developing code isn’t secure, nothing we produce will be secure.

[Figure: A visualized graphic depicting the vertical distribution of Azure assets in a portfolio. Caption: A potential distribution of an Azure portfolio that aims to reduce complexity.]

To accomplish “staying clean,” we have designed, enacted, and maintained a clear security and compliance framework within Microsoft Azure DevOps. We’ve streamlined our pipelines and deployed common protocols to all our teams, which ensures all our releases are held to the same high security standards.

Security, across the board

[Image: Gray and O’Flaherty pose for portraits in this composite image. Caption: Damon Gray (left) and Martin O’Flaherty are two members of the Microsoft Digital Employee Experience team who have led efforts to bring our team on board Azure DevOps.]

We have also “shifted left” our application security posture. We’ve moved our security focus closer to the developer by utilizing breakthroughs in technology and strategy like GitHub Advanced Security for Microsoft Azure DevOps. This new tool, currently in public preview, automatically scans new code to ensure there are no secret leaks or exposures in your Microsoft Azure repos.

This is a powerful advance in security technology that pushes the boundary of our security posture to the code itself, right as it is being written. It alerts the developer in real time to potential errors or security concerns. By moving security and testing earlier in the development process we further enhance security during product development and reduce the risk of errors being released.

The security revolution powered by Microsoft Azure DevOps and running on a single instance is paying dividends for MDEE. Now, we universally apply and monitor security policies rather than relying on each team to set their own parameters. By utilizing common guardrails, we are able to monitor and apply policies across the board. We’ve baked in security early in the development cycle, and it’s done automatically and consistently.

Mature software that is enterprise ready

New customers to Microsoft Azure DevOps gain from all of the efficiencies and learnings MDEE has pioneered as customer zero. It’s now a mature product with a lengthy track record, and it works right out of the box.

“If I was advising a new enterprise just starting out with Azure DevOps, I would tell them to not just copy our way of doing things,” says Damon Gray, principal group engineering manager for Optimization, Engineering & Networking Services in MDEE. “They can smartly set up their instance themselves and add the guardrails that fit their organization over time. Within the day, right out of the box, they’ll be securely submitting and releasing code to the cloud.”

Companies of our scale require robust and customizable solutions to allow teams to build with the freedom to push the envelope of what’s possible. Microsoft Azure DevOps was designed, built, tested, and optimized to make our teams as efficient and secure as they need to be. We build the future of software at Microsoft, and this software is built with Azure DevOps.

“Azure DevOps is the tool that we utilize company-wide to allow our teams to build the future, wherever in the world they are working,” Pfluger says.

Key Takeaways
Here are some tips you can use to help you get started with Microsoft Azure DevOps:

  • Azure DevOps is a powerful productivity and security tool right out of the box. You can release code the same day you set up your instance and you will be able to dial in your security guardrails over time.
  • Azure DevOps scales with you, whether you’re a small team or a large enterprise, or a small team with dreams of becoming much larger. Build with confidence.
  • “Get Clean/Stay Clean” is an operative philosophy that produced immediate security gains for our team.

Try it out
Try Microsoft Azure DevOps by signing up for a Microsoft or GitHub account.
