Microsoft Dev Box Not Working? Fix It Fast
Why This Is Happening
You've just been handed access to Microsoft Dev Box , your team's self-service cloud workstation setup , and something has gone sideways. Maybe the developer portal won't show any dev boxes. Maybe you clicked "Create dev box" and got an access denied error. Maybe your Dev Box pool keeps failing to provision, or a newly created box won't join the network properly. I've seen this exact situation on dozens of enterprise tenants, and the root cause is almost always the same: a gap somewhere in the three-layer permission and configuration model that Microsoft Dev Box depends on.
Microsoft Dev Box isn't a plug-and-play service. It's an enterprise-grade cloud development environment built on top of Azure, Microsoft Intune, and Microsoft Entra ID (formerly Azure Active Directory). That means when something breaks, the error message rarely tells you which layer is broken. You get a vague "provisioning failed" or a blank developer portal and no idea where to start.
Here's what's actually happening under the hood. The service is designed around three distinct organizational roles: platform engineers who configure infrastructure and security, developer team leads (called Project Admins in the DevCenter) who manage pools and resources, and developers themselves who self-serve dev boxes from those pools. If any one of those three layers is misconfigured, wrong role assignment, missing network connection, bad image definition YAML, the whole chain breaks down. The developer at the end sees nothing or gets an error, and the platform engineer wonders why.
Microsoft Dev Box setup problems are especially common right now because the service is actively transitioning. Since November 1, 2025, Microsoft stopped accepting net new customers directly. Net new tenant onboarding now requires a request through Azure Support to get the tenant allowlisted. If your organization recently tried to spin up a brand new tenant and nothing is working, that's the first thing to check, your tenant may simply not be allowlisted yet.
For existing customers, though, the service continues as normal. Most Microsoft Dev Box access denied issues, Dev Box pool configuration errors, and network connectivity failures I see are caused by: incorrect role assignments in the DevCenter, pools pointing at image definitions that haven't been validated, network configurations that place the dev box in a region without proper connectivity back to company resources, or Intune enrollment failures blocking device management. All of these are fixable. Let's work through them systematically.
I know this is frustrating, especially when it's blocking your whole development team from getting work done. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go deep into network configs and YAML image definitions, run this fast check. About 60% of the Microsoft Dev Box not working cases I encounter come down to one thing: the developer hasn't been assigned the DevCenter Dev Box User role on the correct project.
Here's what to do right now:
- Open the Azure portal at portal.azure.com and navigate to your DevCenter resource.
- In the left menu, click Projects and select the project the developer should be working in.
- Click Access control (IAM) in the left blade.
- Click Role assignments and look for the affected user in the list.
- If the user doesn't have the DevCenter Dev Box User role assigned, click + Add → Add role assignment.
- Search for "DevCenter Dev Box User", select it, then assign it to the user or their security group.
- Save and give the permissions 2–5 minutes to propagate through Microsoft Entra ID.
After the role propagates, have the developer return to the developer portal at https://devportal.microsoft.com, sign out and sign back in, and check whether the project's dev box pools are now visible. In many cases, this single fix is all you need.
If the user already has that role and is still seeing nothing, check that at least one dev box pool exists in that project and that the pool's status is listed as Running. A pool in a failed or provisioning state won't surface any options to the developer no matter what their permissions are.
Microsoft Dev Box uses a specific three-tier role structure, and each tier must be configured independently. Missing even one breaks the chain. Here's what each role does and where to assign it.
DevCenter Dev Box User, This goes on the Project resource. Without it, developers can't see or create dev boxes. Go to your DevCenter → Projects → [Your Project] → Access control (IAM).
DevCenter Project Admin, This goes on the Project resource as well, but for team leads who need to create and manage pools. If your team lead is getting "insufficient permissions" when trying to create a pool, this role is missing.
For platform engineers who need full DevCenter control, they'll need the appropriate Azure RBAC role (typically Contributor or Owner) at the DevCenter resource level, not just the project level. That's a common mistake, assigning Contributor at the project level when the engineer needs to manage shared resources like network connections and image galleries that live at the DevCenter level.
To check all role assignments quickly, run this in the Azure Cloud Shell:
az role assignment list \
--scope /subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.DevCenter/projects/{projectName} \
--output tableReplace the placeholders with your actual subscription ID, resource group name, and project name. You should see at least one entry with DevCenter Dev Box User for your developer's user or group. If the list is empty, that's your problem, no one has been given access to that project yet.
After adding the role, you should see the affected user's dev box pools appear in the developer portal within 5–10 minutes. They'll show up as selectable options under the project name on the portal home screen.
A misconfigured dev box pool is one of the most common Microsoft Dev Box setup problems I encounter. Pools can be created using one of three image sources: YAML-based image definitions (the newest approach), custom images stored in Azure Compute Gallery, or preconfigured marketplace images like the Visual Studio ones. Each source has its own failure modes.
To check your pool's status, go to your DevCenter → Projects → [Your Project] → Dev box pools. Look at the Status column. If any pool shows Failed or Provisioning failed, click into it and look at the Health checks section, this is where Microsoft surfaces the actual error.
Common pool health check failures and their fixes:
- "Image not found", The image definition or gallery image the pool references has been deleted or renamed. Update the pool to point to a valid image.
- "Network connection failed", The network connection attached to the pool is broken. This usually means the associated Azure Virtual Network has changed (subnet deleted, NSG blocking traffic, etc.). See Step 4 for network fixes.
- "SKU not available", The compute SKU you selected for the pool isn't available in the region your network connection is configured for. Change the region in the network connection or select a different SKU.
If you're using YAML-based image definitions and seeing Dev Box image definition YAML errors, check the syntax carefully. The YAML-based customization format is strict about indentation and supported keys. Microsoft's schema currently supports tasks like installing WinGet packages, running PowerShell scripts, and setting environment variables. An invalid task name or incorrect indentation will cause the whole image build to fail silently in some cases, you'll just see the pool stuck in provisioning.
Once a pool's health checks all show green checkmarks, go back to the developer portal and refresh. A healthy pool in a Running state is what the developer sees when they hit the "New dev box" button.
A lot of the Microsoft Dev Box access denied issues I troubleshoot aren't permission problems at all, they're configuration completeness problems. The DevCenter needs several components wired together before anything works end-to-end, and the portal won't always tell you which piece is missing.
Go through this checklist in your DevCenter:
1. Network connections: Your DevCenter needs at least one network connection configured. Navigate to DevCenter → Networking → Network connections. If this list is empty, no dev box can ever be provisioned because there's nowhere to place it. You need to create a network connection that points to a virtual network in your Azure subscription.
2. Attached network in projects: Even if a network connection exists at the DevCenter level, it must also be attached to the specific project. Go to Projects → [Your Project] → Dev box pools and make sure the pool has a network connection selected. A DevCenter-level network connection that was never attached to a project pool is invisible to developers.
3. Compute gallery (for custom images): If you're using Azure Compute Gallery images rather than marketplace images, the gallery must be attached to the DevCenter. Go to DevCenter → Azure Compute Gallery and verify your gallery appears there. If it doesn't, click + Add and attach it.
4. Dev box definitions: Navigate to DevCenter → Dev box definitions. There should be at least one definition here that specifies the image source and storage configuration. If this section is empty, pools have nothing to build from.
After verifying all four of these components exist and are linked correctly, go back to your pool's health checks. They should all pass within a few minutes of the configuration being complete. If they still don't, check the Azure Activity Log for your DevCenter resource, it captures every configuration change and associated error with full detail.
Network configuration issues are the sneakiest Microsoft Dev Box problems because they don't always surface immediately. The dev box might provision successfully, connect fine through the developer portal, but then have no access to internal company resources, source code repos on-premises, internal package feeds, or corporate databases. The developer gets a working machine that can't actually do the job.
The network connection you attach to a pool determines two things: the Azure region where dev boxes are physically created, and the virtual network they join. Both of those decisions have downstream consequences you need to plan for.
Region selection: Dev boxes are created in the region of the network connection, not the region of your DevCenter. This is a critical detail that trips up a lot of platform engineers. If your company's internal resources are in East US and you accidentally configure your network connection to point to a virtual network in West Europe, your developers will have terrible latency to everything they need. Match the network connection region to where your corporate resources live.
Network Security Groups (NSGs): Check that the subnet your dev boxes use doesn't have NSG rules blocking required Microsoft service endpoints. Dev Box needs outbound connectivity to the Microsoft Intune management endpoints, Windows activation services, and the developer portal backend. A blanket "deny all outbound" NSG rule with no allow exceptions for Microsoft services will cause Intune enrollment failures and may prevent the dev box from appearing in the portal after provisioning.
Run this from within a dev box (via Remote Desktop or the browser-based connection) to test basic Microsoft service reachability:
Test-NetConnection -ComputerName manage.devcenter.microsoft.com -Port 443
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443Both should return TcpTestSucceeded: True. If either fails, your NSG or corporate firewall is blocking essential Microsoft Dev Box network traffic and needs an explicit allow rule added for those endpoints on port 443.
For organizations using Microsoft Dev Box in a corporate network with a proxy, make sure the proxy settings are included in the image (either the marketplace image configuration or your YAML customization tasks) so developers don't have to manually configure proxy settings every time a new dev box is created.
Every dev box that gets provisioned automatically enrolls in Microsoft Intune, that's by design, and it's one of the core enterprise management features of the service. But sometimes that auto-enrollment fails, leaving you with a dev box that shows as provisioned but can't be fully managed through Intune, or worse, one where the developer can't log in at all because a conditional access policy is requiring a compliant device.
The first thing to check is whether your Microsoft Intune subscription is properly linked to the same Microsoft Entra ID tenant your DevCenter is in. If your organization has multiple Entra tenants (common in large enterprises or post-merger environments), the Intune subscription needs to be in the same tenant as the DevCenter project. Cross-tenant Intune enrollment isn't supported for Dev Box.
To check Intune enrollment status for a specific dev box:
- Open the Microsoft Intune admin center at intune.microsoft.com.
- Navigate to Devices → All devices.
- Search for the dev box by name (it will appear with the name you gave it in the developer portal).
- If it's not there, the enrollment failed. If it's there, check the Compliance column.
If enrollment failed entirely, the most common cause is an Entra ID group policy or conditional access policy blocking device enrollment. Work with your Intune admin to check Devices → Enroll devices → Enrollment restrictions and make sure dev boxes (Windows corporate devices) aren't being blocked by a restriction policy.
Once Intune enrollment is working correctly, you can manage dev boxes exactly like any other Windows device in your fleet, applying configuration profiles, deploying applications, and running compliance checks. That's one of the major operational advantages of the service: your existing Intune policies apply automatically without extra setup.
Advanced Troubleshooting
If you've worked through all five steps above and things still aren't working, you're dealing with something deeper. Here's how to dig further without spending hours guessing.
Azure Activity Log Analysis
The Activity Log is your best friend for diagnosing provisioning failures that don't surface meaningful errors in the portal UI. In the Azure portal, navigate to your DevCenter resource and click Activity log in the left menu. Filter by Timespan: Last 24 hours and Status: Failed. Every failed DevCenter operation appears here with a JSON detail payload that contains the actual error message from the backend service. Look for operations named Microsoft.DevCenter/projects/devBoxes/write, failed entries there will tell you exactly what blocked provisioning.
Dev Box Pool Policy Enforcement
Platform engineers can configure project policies to control which resources development teams are allowed to use, specific networks, approved images, and allowed SKUs. If a Project Admin is trying to create a pool with a resource that isn't on the approved list for that project, the operation will silently fail or return a permission denied error even though the admin's Azure RBAC role technically allows it. Navigate to DevCenter → Projects → [Your Project] → Policies to review what's allowed. If the image or network they need isn't listed, either add it to the policy or work with the platform engineering team to get it approved.
Dev Box User Role Assignment via Group vs. Direct
In large organizations, it's tempting to assign the DevCenter Dev Box User role to individual users directly rather than through a security group. Don't do this at scale, it becomes a management nightmare and causes problems when people change teams. Assign the role to an Entra ID security group and manage membership through the group. Also check that the security group is not a dynamic group with a membership rule that's excluding the developer you expect to be included. Dynamic group membership evaluation can lag by 15–30 minutes in large tenants, which explains why someone has "just been added" but still can't access the developer portal.
New Tenant Allowlisting (Post-November 2025)
If you're trying to onboard a brand new Azure tenant to Microsoft Dev Box and nothing works at all, no DevCenter resource type showing up in Azure Marketplace, no provisioning options, this is almost certainly because the tenant hasn't been allowlisted. Since November 1, 2025, new tenant onboarding requires submitting a request through Azure Support. Go to portal.azure.com → Help + support → Create a support request, select service type Microsoft Dev Box, and request allowlisting for your new tenant. Expect a response within 1–3 business days.
When to Call Microsoft Support
Escalate to Microsoft Support when you've confirmed role assignments are correct, network connectivity passes all health checks, Intune enrollment is working, and dev boxes are still failing to provision or are provisioning but immediately going into a broken state. Also escalate immediately if you're seeing consistent authentication errors in the developer portal (HTTP 401 or 403 responses visible in browser dev tools) after a confirmed working period, this can indicate a backend service issue or Entra ID token endpoint problem that you can't resolve on your end. Keep your tenant ID, DevCenter resource ID, and the specific error JSON from the Activity Log ready before you call, it'll save you 30 minutes of back-and-forth with the support engineer.
Prevention & Best Practices
Getting Microsoft Dev Box working is one challenge. Keeping it working as your team grows and your project requirements change is another. These are the practices that separate teams who have a smooth Dev Box experience from the ones who are constantly fire-fighting provisioning failures.
Use security groups for all role assignments. Never assign DevCenter Dev Box User or Project Admin roles directly to individual users. Always go through Entra ID security groups. When someone joins or leaves the team, you update group membership, you don't need to touch Azure RBAC at all. This scales cleanly to 500 developers across 50 projects.
Validate image definitions in a test pool before rolling out broadly. YAML-based image definitions can fail at build time for subtle reasons, a WinGet package ID that changed, a PowerShell script that assumes a certain working directory, a dependency that needs to install before another task runs. Always create a test dev box pool that points to a new image definition and provision one box in it before you add that pool to a production project. One test box caught in staging beats 40 broken developer environments caught in production.
Lock down your pool SKU and region choices early. Dev Box pool region selection affects latency for every developer who uses it, and changing it later requires recreating the pool. Get input from your developer teams about where they're located and where company resources live, then standardize on 2–3 regional network connections that cover your user base. Document these decisions so future Project Admins don't accidentally create pools in the wrong region.
Set up autostop schedules from day one. Every dev box that runs overnight costs money and provides no value. Autostop schedules let you define when dev boxes should automatically shut down. Configure these at the pool level when you first create the pool, don't leave it as a "we'll add it later" item. Also enable hibernation support where possible, which gives developers a faster resume experience compared to a full cold start.
Monitor Intune device compliance regularly. Because dev boxes enroll in Intune automatically, your existing device compliance policies apply to them. If your organization tightens compliance requirements (requiring BitLocker, mandating specific Windows versions, etc.) and dev boxes fall out of compliance, conditional access policies may start blocking developer access to company resources from within the dev box. Set up an Intune compliance report filter specifically for dev box device names so you can spot compliance drift early.
- Assign the DevCenter Dev Box User role to Entra ID security groups, never to individual accounts
- Always test new image definitions in a staging pool before pushing to developer-facing projects
- Configure autostop schedules on every pool at creation time to control cloud costs
- Enable the hibernation feature on pools where supported to give developers faster dev box resume times
Frequently Asked Questions
Why can't I see any dev boxes in the developer portal even though I've been given access?
The most common reason is that you have the role but it was assigned at the wrong resource level. The DevCenter Dev Box User role must be assigned specifically on the Project resource, not on the DevCenter itself or the subscription. Ask your platform engineer to go to DevCenter → Projects → [Your Project] → Access control (IAM) and verify your user or group is listed there with the Dev Box User role. Also make sure at least one dev box pool in that project has a status of Running, a pool in a failed state produces no options in the developer portal.
My company just tried to set up Microsoft Dev Box on a new tenant and nothing is appearing in Azure. What's going on?
As of November 1, 2025, Microsoft stopped accepting net new customers directly for standalone Dev Box. New tenants now need to be allowlisted before the service becomes available. You need to submit a request through Azure Support, go to the Azure portal, click Help + support, create a new support request, and select Microsoft Dev Box as the service. Your account team can also help expedite this. Once your tenant is allowlisted, the DevCenter resource type will appear in the Azure Marketplace and you can begin your setup.
How do I fix a Microsoft Dev Box pool that's stuck in "Provisioning" or showing as "Failed"?
Go to the pool in the Azure portal and look at the Health checks section, this shows exactly which component failed. Common failures include a missing or broken network connection, an image that no longer exists, or a compute SKU that isn't available in the selected region. Fix the underlying issue (reconnect the network, update the image reference, or select a different SKU), then save the pool configuration. The health checks will re-run automatically and the pool status should update to Running within a few minutes.
Can I use Microsoft Dev Box if I'm still evaluating it and want to add more tenants after November 2025?
Yes, but with an extra step. If you've already been a customer and tested Dev Box but need to onboard additional tenants after November 1, 2025, you submit a request through Azure Support to get those new tenants allowlisted. It's not a full block, it's an allowlisting process that Microsoft uses to manage the transition of Dev Box capabilities into Windows 365. Existing tenants where Dev Box is already set up continue operating with no changes required.
Why does my dev box show as enrolled in Intune but marked as "Not compliant"?
Dev boxes enroll in Intune automatically and your existing device compliance policies apply to them immediately, including policies that may require specific Windows versions, BitLocker encryption status, or Defender configuration. Open the Intune admin center, find your dev box under Devices → All devices, and click on the device. You'll see a Device compliance section that lists every policy it's being evaluated against and which specific checks are failing. Resolve those specific compliance gaps (usually by ensuring the base image is up to date and that required security features are configured in your image definition or a startup script).
What's the difference between a platform engineer and a Project Admin role in Microsoft Dev Box, and who should be what?
Platform engineers handle the infrastructure foundation, creating the DevCenter, setting up network connections, attaching Azure Compute Galleries, and defining organization-wide governance policies. They typically have Contributor or Owner access at the DevCenter level. Project Admins (assigned the DevCenter Project Admin role on a specific project) are usually senior developers or tech leads who know the project's specific tooling needs. They create and manage dev box pools within their project using the resources the platform engineers have made available. Developers themselves only need the DevCenter Dev Box User role, they can create and manage their own dev boxes but can't touch pool configuration or project settings.