microsoft/openclaw-dev

microsoft/openclaw-dev

Description: An OpenClaw agent hosted in the cloud for development, testing and single tenant use cases.

Language: Shell

License: MIT

Stars: 14

Forks: 1

Open issues: 8

Created: 2026-04-23T21:33:40Z

Pushed: 2026-06-13T06:06:54Z

Default branch: main

Fork: no

Archived: no

README:

🦞 openclaw-dev on Azure

A small dev tool that deploys OpenClaw to an ephemeral cloud sandbox you can chat with from the browser — always on, isolated from your laptop, reachable from any device. Uses Azure OpenAI in Foundry Models for the backend (default gpt-5-mini). Microsoft Teams is an optional add-on.

> Just want OpenClaw on your Windows machine? Use Microsoft Execution Containers (MXC) — a policy-driven runtime that contains the OpenClaw node + gateway on Windows, announced at Build 2026. This repo is for the cloud path: when you want an always-on, multi-device, throwaway sandbox instead.

Short link:

> ⚠️ Alpha. This is a developer tool with no production guarantees. Read [Security](#security) before pasting anything sensitive.


The idea: an ephemeral cloud sandbox for OpenClaw — gated by your Microsoft sign-in, calling the model with no API keys, always reachable from your phone, and rebuildable in 6 minutes. Local execution on Windows is already covered by MXC; this template is for when you want the cloud shape.

→ Jump to: [Quick start](#quick-start) · [Optional: Microsoft Teams](#teams-setup) · [Security](#security) · [Architecture](#architecture) · [Alpha caveats](#alpha) · [Ask Copilot](#need-help-ask-copilot)

Quick start

Prerequisites

• Azure CLI + Azure Developer CLI
• An Azure subscription (free) and tenant where you can create one Entra ID app registration (the Easy Auth login gate). A second Bot app registration is only created if you opt into the [Teams add-on](#teams-setup).
• Either local Docker Desktop running or use the default remoteBuild: true in [azure.yaml](azure.yaml) (no local Docker needed; ACR builds the image)
• PowerShell 7+ (pwsh) if you're on Windows and plan to use the optional Teams add-on (used to build the Teams sideload zip)

Deploy

git clone https://github.com/microsoft/openclaw-dev
cd openclaw-dev

# macOS/Linux/WSL
./devclaw up

# Windows (cmd or PowerShell)
.\devclaw.cmd up

On first run, azd prompts for a subscription, region, and environment name (a new resource group rg- is created automatically). First deploy takes ~6 minutes (provision ~2 min + remote build & deploy ~3.5 min). Subsequent devclaw deploy runs take ~3-4 minutes for a remote build, or ~30s if only the entrypoint changed.

Verify

devclaw status # Container state, FQDN, RG
devclaw logs # Tail logs until you see `[gateway] starting HTTP server`

devclaw test only prints a hint that points you at the in-container console. It does not exercise the model end-to-end. The fastest real smoke test is the WebChat UI below.

Open the WebChat UI

After deployment, open the URL from devclaw status in your browser. If Entra ID Easy Auth is configured, you'll be prompted to sign in with your Microsoft account. After that the chat UI loads automatically with no further credentials needed.

Optional: Microsoft Teams add-on

Microsoft Teams is not set up by default — devclaw up only provisions the browser experience (Container App + Easy Auth login). The Teams add-on adds a second Entra ID app registration (for the bot), an Azure Bot resource, and the Teams channel. Keep it off if your tenant blocks bot app registrations or you don't need phone access.

Enable Teams

# Opt in once, then run devclaw teams. It will re-provision and build the
# sideload zip in one go.
azd env set ENABLE_TEAMS true
devclaw teams

devclaw teams will, on first run:

• Re-provision so the preprovision hook creates the bot Entra ID app + Azure Bot
• Redeploy the container app so the MSTEAMS_* env vars take effect
• Enable the Microsoft Teams channel on the bot
• Build a sideloadable Teams app package (teams/openclaw-teams-app.zip)

On subsequent runs it just refreshes the channel + zip.

Install in Teams

1. Teams → Apps → Manage your apps → Upload a custom app 2. Select teams/openclaw-teams-app.zip 3. Add → DM the bot to test

Tenant policy considerations

Some corporate tenants block az ad app credential reset (the secret-creation step) or require a serviceManagementReference on new app registrations. If the preprovision hook fails when you set ENABLE_TEAMS=true, your tenant is restricted; leave Teams off and use the browser experience instead, or create the bot app registration manually and set BOT_APP_ID, BOT_APP_SECRET, and BOT_TENANT_ID via azd env set before running devclaw teams.

Restricted subscriptions / tenants

If your subscription or tenant has Azure Policy assignments that block common defaults (large corporate tenants/subscriptions are a common example), set these before devclaw up:

# Required service-management-reference GUID on every new app registration
# (set by some corporate tenants). Get the right value from your tenant admin.
azd env set SERVICE_MANAGEMENT_REFERENCE

# Azure Policy blocks shared-key storage. ACA file mounts need shared keys
# today, so skip the storage account + Azure Files volume mount.
# Trade-off: gateway token + sessions don't persist across replica restarts.
azd env set SKIP_STORAGE true

# Leave Teams off (default already) — bot secret creation is blocked.
# If you need Teams, supply a pre-created bot app reg:
# azd env set BOT_APP_ID
# azd env set BOT_APP_SECRET
# azd env set BOT_TENANT_ID
# azd env set ENABLE_TEAMS true

You don't need a separate SKIP_BOT_REGISTRATION flag — Teams is already off by default. Other policies handled automatically: ACR admin is disabled out of the box (the container app pulls images via its system-assigned managed identity).

How the Teams integration works (deep dive)

The Teams channel is handled by...