Azure Governance – Azure Blueprints

Azure Blueprints is a feature that lets an organization define a package of artifacts (resource groups, Azure Policy assignments, role assignments, Resource Manager templates and more) which can then be assigned to one or more Azure subscriptions to create consistent, repeatable environments. Blueprints are part of Azure governance and, at the time of writing, in preview, so more features can be expected before the service becomes generally available (GA).
In this blog post we will see how to configure an Azure blueprint and how to assign it to an Azure subscription.

Some facts about Azure Blueprints:

  • Blueprint definitions are stored at an Azure management group, which is what makes a single definition available to every subscription underneath that management group
  • The Azure Blueprints service is backed by Azure Cosmos DB, and blueprint objects are replicated to multiple Azure regions for high availability and disaster recovery
  • A blueprint can be assigned to any subscription in the same Azure Active Directory tenant that sits under the management group holding the definition

How Azure Blueprints are different from an ARM Templates

  • A blueprint packages more than a template: resource groups, policy assignments, role assignments and Resource Manager templates, so one definition can stand up several environments, and it can be deployed from a CI/CD pipeline just as templates are.
  • After an ARM template deployment, Azure keeps no link between the template and the resources it created. A blueprint preserves the relationship between the blueprint definition and each blueprint assignment (what was deployed, into which subscription, at which version), which gives far better tracking and auditing of what a deployment did.
  • Because that relationship is preserved, updating a blueprint definition and reassigning it can update several subscriptions governed by the same blueprint at once.

How Azure Blueprints are different from the Azure Policy

  • A blueprint is a container for a specific set of standards, patterns and requirements (security, design, naming) that govern how Azure services are implemented
  • Azure Policy is a default-allow, explicit-deny system that evaluates resource properties at deployment time and for resources that already exist
  • Policy validates whether the resources in a subscription adhere to those requirements and standards; the blueprint is what deploys the environment in the first place
  • A policy can be included in an Azure blueprint, but a blueprint cannot be included in a policy

How to configure Azure Blueprints:

Open the Azure portal and go to All Services > Blueprints.

Select Blueprint definitions, click Create blueprint and fill in the details for your first blueprint. Remember that a blueprint definition can only be saved to a management group, so pick the management group whose subscriptions it should govern.

Select Next and define the artifacts. In this example we add the following artifacts:
– A resource group
– An ARM template
– An Azure Policy assignment
– A role assignment

Select Resource group and fill in the name and location as shown in the screenshot. Either value can instead be left as a parameter by ticking the box, in which case it is supplied when the blueprint is assigned. Click Add.

Select Policy assignment, pick the built-in or custom policy definition you need, set its parameters and click Add.

Select Azure Resource Manager template and fill in the details shown in the screenshot. You can also use the template code from this post, which creates a storage account in the newly created resource group RG1. Click Add.

Select Role assignment and choose the user or group to assign, scoped to either the subscription or a resource group. Keep the role as narrow as the job requires; in this example I added a Helpdesk user with the read-only Reader role on the new resource group RG1.

Once you have added all the artifacts, the definition looks like the screen below. Click Save Draft.

Select Blueprint definitions and open the blueprint you just created, then publish it. A blueprint cannot be assigned until it is published. Give the blueprint a version string; if you later edit the blueprint to add more artifacts, you publish that as a new version. When you assign a blueprint to a subscription you choose which published version to apply, and the assignment records that version, so you can always tell which version deployed which resources into a subscription.

Once published, the blueprint can be assigned to an Azure subscription (an unpublished draft cannot be). Select the blueprint again and the Assign blueprint option appears. Select it and fill in the details shown in the screenshots below: the target subscription, the version, the values for any artifact parameters left to assignment time, and the lock mode for the deployed resources.

Once assigned, go back to Assigned blueprints and select the assignment name you used in the previous step. This shows the current progress of the assignment, and any failure of an artifact deployment is reported here.

Now you can check the resources deployed by this blueprint in the subscription. If required, the blueprint can be modified further to update or add artifacts and published as a new version. If a blueprint is no longer in use you can delete it, but note that unassigning or deleting a blueprint does not delete the resources it deployed; the resources, and the role assignments it created, remain in place until you remove them yourself.
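The portal walkthrough above is fine for a first blueprint, but for repeatable use (and for the CI/CD pipeline mentioned earlier) the definition belongs in source control, where it can be checked before anyone publishes it. The following is an added example written for this page, not code from the original post or from Microsoft: it builds the same four artifacts as the walkthrough (the RG1 placeholder, a policy assignment, a storage-account template into RG1 and a Reader role for a helpdesk user) as Python dictionaries, writes them in the `blueprint.json` plus `artifacts/*.json` folder layout that the Az.Blueprint cmdlet `Import-AzBlueprintWithArtifact` consumes, and runs a small lint that catches the mistakes that usually surface only as a failed assignment or an over-privileged role. The helpdesk object id, the location and the "Allowed locations" policy id are placeholders; verify the policy definition id in your own tenant.

```python
"""Azure Blueprint definition as code, with a lint step to run before publishing.

write_blueprint() produces the folder layout read by Import-AzBlueprintWithArtifact:
    <dir>/blueprint.json  and  <dir>/artifacts/<artifact>.json
All names, object ids and the location below are placeholders (assumptions).
"""
import json
import os

ROLE_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
# Built-in role definition GUIDs; these are identical in every Azure tenant.
READER = ROLE_PREFIX + "acdd72a7-3385-48ef-bd42-f606fba81ae7"
OWNER = ROLE_PREFIX + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
# Assumed id of the built-in "Allowed locations" policy; check it in your tenant.
ALLOWED_LOCATIONS = ("/providers/Microsoft.Authorization/policyDefinitions/"
                     "e56962a6-4747-49cd-b67b-bf8b01975c4c")
VALID_KINDS = {"template", "policyAssignment", "roleAssignment"}


def storage_template() -> dict:
    """ARM template body for the template artifact: one HTTPS-only storage account."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"storageAccountName": {"type": "string"}},
        "resources": [{
            "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01",
            "name": "[parameters('storageAccountName')]",
            "location": "[resourceGroup().location]",
            "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
            "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"},
        }],
    }


def build_blueprint(helpdesk_object_id: str, location: str = "eastus") -> dict:
    """The walkthrough's artifacts: RG1 placeholder, a policy, a template into RG1, Reader on RG1."""
    return {
        "blueprint": {"properties": {
            "description": "Baseline: RG1 with one storage account, helpdesk read-only",
            "targetScope": "subscription",
            # Blueprint-level parameter, filled in at assignment time.
            "parameters": {"storageAccountName": {"type": "string"}},
            "resourceGroups": {"RG1": {"name": "RG1", "location": location}},
        }},
        "artifacts": {
            "allowed-locations": {"kind": "policyAssignment", "properties": {
                "policyDefinitionId": ALLOWED_LOCATIONS,
                "parameters": {"listOfAllowedLocations": {"value": [location]}}}},
            "storage": {"kind": "template", "properties": {
                "resourceGroup": "RG1", "template": storage_template(),
                # Artifact parameter wired to the blueprint parameter of the same name.
                "parameters": {"storageAccountName": {"value": "[parameters('storageAccountName')]"}}}},
            "helpdesk-reader": {"kind": "roleAssignment", "properties": {
                "resourceGroup": "RG1", "roleDefinitionId": READER,
                "principalIds": [helpdesk_object_id]}},
        },
    }


def lint_blueprint(definition: dict) -> list:
    """Findings that would make the assignment fail or grant more rights than intended."""
    findings = []
    props = definition["blueprint"]["properties"]
    declared_rgs = set(props.get("resourceGroups", {}))
    if props.get("targetScope") != "subscription":
        findings.append("targetScope must be 'subscription'")
    for name, art in definition["artifacts"].items():
        kind, p = art.get("kind"), art.get("properties", {})
        if kind not in VALID_KINDS:
            findings.append(f"{name}: unknown artifact kind {kind!r}")
            continue
        rg = p.get("resourceGroup")
        if rg is not None and rg not in declared_rgs:  # artifact targets an undeclared placeholder
            findings.append(f"{name}: resourceGroup {rg!r} is not declared in blueprint.json")
        if kind == "roleAssignment":
            if not str(p.get("roleDefinitionId", "")).startswith(ROLE_PREFIX):
                findings.append(f"{name}: roleDefinitionId must be a full role definition id")
            if p.get("roleDefinitionId") == OWNER:  # least privilege: flag blanket Owner grants
                findings.append(f"{name}: grants Owner; use a narrower built-in or custom role")
            if not p.get("principalIds"):
                findings.append(f"{name}: no principalIds")
        elif kind == "policyAssignment" and "/policyDefinitions/" not in str(p.get("policyDefinitionId", "")):
            findings.append(f"{name}: policyDefinitionId must be a policy definition resource id")
        elif kind == "template":
            tpl = p.get("template", {})
            if "$schema" not in tpl or "resources" not in tpl:
                findings.append(f"{name}: template is missing $schema or resources")
            declared = tpl.get("parameters", {})
            required = {k for k, v in declared.items() if "defaultValue" not in v}
            supplied = set(p.get("parameters", {}))
            findings += [f"{name}: template parameter {m!r} has no value" for m in sorted(required - supplied)]
            findings += [f"{name}: parameter {e!r} is not declared by the template" for e in sorted(supplied - set(declared))]
    return findings


def write_blueprint(definition: dict, out_dir: str) -> list:
    """Write blueprint.json and artifacts/*.json under out_dir; returns the paths written."""
    art_dir = os.path.join(out_dir, "artifacts")
    os.makedirs(art_dir, exist_ok=True)
    paths = [os.path.join(out_dir, "blueprint.json")]
    with open(paths[0], "w", encoding="utf-8") as f:
        json.dump(definition["blueprint"], f, indent=2)
    for name, art in definition["artifacts"].items():
        paths.append(os.path.join(art_dir, name + ".json"))
        with open(paths[-1], "w", encoding="utf-8") as f:
            json.dump(art, f, indent=2)
    return paths
```

A pipeline step would call `build_blueprint(<helpdesk object id>)`, fail the build if `lint_blueprint` returns anything, and otherwise call `write_blueprint` and hand the folder to `Import-AzBlueprintWithArtifact` followed by `Publish-AzBlueprint`. The two checks worth keeping even if you drop the rest are the undeclared-resource-group check, because a typo there only shows up as a failed assignment, and the Owner check, because a role assignment artifact is re-applied to every subscription the blueprint is assigned to.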

Please also watch the YouTube video below to learn how to configure Azure Blueprints.

Cheers!!

  • Jaikrit Negi

    Pretty informative