Following on from my colleague Mitch Denny's Federated Identity in Visual Studio Online, I have built on his work on the directory architecture and partner integration for Visual Studio Online, extending it to include the other architectural components of a VSO environment, such as build servers, deployment targets, and cloud-based load testing.
AAD-VSO linking
The Visual Studio Online account can be linked to an Azure Active Directory in a development subscription, with users imported from the main directory.
A Microsoft Account can be given the required permissions in both environments and used to bootstrap this process.
Partner linking
This arrangement also allows users to be imported from federated partners without exposing core infrastructure, and provides an Azure subscription where developers can be given advanced rights.
In house federation
It is possible to use VSO simply by leveraging the federation available in Azure Active Directory to provide Org IDs (using DirSync to synchronise with your on-premises Active Directory).
In fact, this provides a neat solution as all the infrastructure required for the federation provider is already redundant (and geographically distributed).
A more advanced scenario (shown in the diagram) is to have the federation redirect to ADFS servers managed in house. While this provides an improved single sign-on experience (for those on the corporate network), it requires significant additional infrastructure.
To ensure high availability, the federation endpoint needs redundant servers (both federation servers and proxies), preferably with redundant Internet connections and, if possible, geographic dispersal.
Development environments
As the source control is hosted in the cloud, it can be accessed (securely) from development environments located anywhere.
This can also include specialised development environments hosted in Azure if necessary (not shown on diagram).
Build servers
Builds can take advantage of the cloud-based build services or, for more complex build scenarios, can be connected to custom build servers (either on-premises or in Azure).
It is also possible to set up private network connections between Azure and on-premises resources if needed (not shown on diagram).
Deployment targets
Continuous deployment can be configured from the VSO source control (either TFVC or Git) to Azure Websites.
Apart from that, the final deployment can be to on-premises servers, hosted servers in the Azure subscription, or to other Azure subscriptions.
Cloud-based load testing
The load testing service within Visual Studio Online can be pointed at any publicly accessible web site, such as those running in the Azure development environment.
It can also run against sites hosted elsewhere, including on-premises sites, if appropriately exposed (not shown on diagram).
Summary
There are several related components in delivering a Visual Studio Online solution, and it is important to understand where they all reside and how they relate to each other.