AZ-104 | Chapter 13 of 168 | Objective 1.2

Azure Blueprints for Compliance

This chapter covers Azure Blueprints, a service that enables cloud architects to define a repeatable set of Azure resources that adhere to organizational standards, patterns, and compliance requirements. For the AZ-104 exam, understanding Blueprints is essential for the 'Manage Governance' section under Identity Governance (Objective 1.2). Expect roughly 5-10% of exam questions to touch on Blueprints, often in comparison to Azure Policy, Resource Manager Templates, and Management Groups. You'll need to know the lifecycle of a blueprint, how to create and assign blueprints, and the difference between blueprint artifacts and policy assignments.

25 min read
Intermediate
Updated May 31, 2026

Blueprinting a Building for Compliance

Azure Blueprints work like an architectural blueprint for constructing a building that must meet strict government regulations. Imagine you are a developer building 50 identical office buildings across a city, all needing to comply with fire codes, accessibility standards, and energy efficiency rules. Instead of designing each building from scratch and manually checking every detail, you create a master blueprint that specifies everything: the exact type of fire sprinklers, the width of doorways for wheelchair access, the brand of HVAC system, and even the color of exit signs. This blueprint is then used by the construction team to order materials and build each building exactly the same way. But here's the key: the blueprint itself becomes a living document. If the fire code changes, you update the master blueprint, and then you can 're-blueprint' each building—meaning you automatically apply the new sprinkler requirements to all existing buildings that were built from that blueprint. The city inspector doesn't just check one building; they check that every building adheres to the latest blueprint version. In Azure, Blueprints are that master plan: they define a set of Azure resources (like policies, role assignments, resource groups, and ARM templates) that must be applied to a subscription. When you assign a blueprint to a subscription, Azure ensures that those resources are deployed and maintained. If you update the blueprint, you can publish a new version and update existing assignments to bring them into compliance. The 'building inspector' is Azure Policy, which continuously evaluates resources against the blueprint's policies. This mechanism ensures that every subscription under management conforms to a known, auditable standard, just like every building conforms to the master blueprint.

How It Actually Works

What is Azure Blueprints?

Azure Blueprints is a service that enables you to define a repeatable set of Azure resources that implement and adhere to an organization's standards, patterns, and requirements. It is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as role assignments, policy assignments, ARM templates, and resource groups. Blueprints are designed to help you create and manage cloud environments that are compliant with internal and external regulations, such as SOC 2, ISO 27001, or PCI DSS.

How It Works Internally

When you create a blueprint definition, you are essentially creating a package of artifacts. The blueprint is stored at a management group or subscription scope. When you assign a blueprint to a subscription, Azure Blueprints creates a blueprint assignment resource that tracks the deployment and ensures that the artifacts are deployed in the correct order. The blueprint assignment is a separate resource that holds the parameters and settings for that specific assignment. The service uses Azure Resource Manager (ARM) to deploy the artifacts, but it adds a layer of orchestration and versioning.

Key Components

Blueprint Definition: The master copy of the blueprint, including the list of artifacts and their parameters. It has a version number.

Blueprint Artifact: Each component within the blueprint, such as a policy assignment, role assignment, ARM template, or resource group.

Blueprint Assignment: The application of a blueprint definition to a specific subscription. It can include parameters specific to that assignment.

Versioning: Blueprints support versioning. When you update a blueprint definition, you publish a new version. Existing assignments can be updated to the latest version.

Locks: Blueprints can apply resource locks to protect resources from accidental deletion or modification. Locking is optional and can be set to 'Do Not Delete' or 'Read Only'.

Defaults and Timers

There is no default timer for blueprint assignments. They are deployed immediately and remain until explicitly removed.

The maximum number of blueprints per management group is 200.

The maximum number of artifacts per blueprint is 200.

Blueprint definitions can be exported as JSON files.
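The components and limits listed above can be checked before a definition ever reaches Azure. The following Python is an added example, not code from this page or from the Azure Blueprints service: it models a definition using the chapter's own terms (the four artifact kinds, the 200-artifact limit, the two lock levels, and the deployment order the chapter gives: resource groups, then templates, then policy and role assignments). The class and function names, the dependsOn handling and the sample PCI definition are my assumptions; the API-style lock-mode strings are the ones I know from the CLI, not from this page.

```python
from dataclasses import dataclass, field

# Artifact kinds and limits as this chapter states them.
ARTIFACT_KINDS = {"resourceGroup", "template", "policyAssignment", "roleAssignment"}
MAX_ARTIFACTS_PER_BLUEPRINT = 200
MAX_BLUEPRINTS_PER_MANAGEMENT_GROUP = 200

# Default tier order from the chapter; a lower tier deploys first, dependsOn overrides it.
DEFAULT_TIER = {"resourceGroup": 0, "template": 1, "policyAssignment": 2, "roleAssignment": 2}

# Lock levels named in the chapter, mapped to the CLI-style mode names (assumed here).
LOCK_MODES = {
    "None": "None",
    "Do Not Delete": "AllResourcesDoNotDelete",
    "Read Only": "AllResourcesReadOnly",
}


@dataclass
class Artifact:
    name: str
    kind: str
    depends_on: list = field(default_factory=list)   # names of artifacts that must deploy first
    parameters: dict = field(default_factory=dict)   # filled in at assignment time


@dataclass
class BlueprintDefinition:
    name: str
    target_scope: str          # "managementGroup" or "subscription"
    artifacts: list
    lock_level: str = "None"   # one of LOCK_MODES


def validate(bp):
    """Return a list of problems with the definition; an empty list means it is acceptable."""
    problems = []
    if bp.target_scope not in ("managementGroup", "subscription"):
        problems.append(f"invalid target scope {bp.target_scope!r}")
    if bp.lock_level not in LOCK_MODES:
        problems.append(f"unknown lock level {bp.lock_level!r}")
    if len(bp.artifacts) > MAX_ARTIFACTS_PER_BLUEPRINT:
        problems.append(f"{len(bp.artifacts)} artifacts exceeds limit of {MAX_ARTIFACTS_PER_BLUEPRINT}")
    names = [a.name for a in bp.artifacts]
    if len(set(names)) != len(names):
        problems.append("duplicate artifact names")
    for a in bp.artifacts:
        if a.kind not in ARTIFACT_KINDS:
            problems.append(f"{a.name}: unknown artifact kind {a.kind!r}")
        for dep in a.depends_on:
            if dep not in names:
                problems.append(f"{a.name}: depends on unknown artifact {dep!r}")
    return problems


def deployment_order(bp):
    """Topological sort over dependsOn; ties are broken by the chapter's tier order, then name.
    Raises ValueError if the artifacts contain a dependency cycle."""
    by_name = {a.name: a for a in bp.artifacts}
    indegree = {a.name: len(a.depends_on) for a in bp.artifacts}
    dependents = {a.name: [] for a in bp.artifacts}
    for a in bp.artifacts:
        for dep in a.depends_on:
            dependents[dep].append(a.name)

    def rank(name):
        return (DEFAULT_TIER.get(by_name[name].kind, 99), name)

    ready = sorted((n for n, d in indegree.items() if d == 0), key=rank)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=rank)
    if len(order) != len(bp.artifacts):
        raise ValueError("dependency cycle among artifacts")
    return order


def lock_mode(bp):
    """Translate the chapter's lock level into the mode name an assignment would carry."""
    return LOCK_MODES[bp.lock_level]


# Constructed sample modelled on the chapter's PCI scenario (not a real definition).
PCI_BLUEPRINT = BlueprintDefinition(
    name="PCI-DSS-Env",
    target_scope="managementGroup",
    lock_level="Do Not Delete",
    artifacts=[
        Artifact("SecOpsReader", "roleAssignment", parameters={"role": "Reader"}),
        Artifact("DenySqlPublicAccess", "policyAssignment"),
        Artifact("LoggingWorkspace", "template", depends_on=["Logging"]),
        Artifact("Logging", "resourceGroup", parameters={"location": "westus"}),
        Artifact("StorageEncryption", "policyAssignment"),
    ],
)

if __name__ == "__main__":
    print("problems:", validate(PCI_BLUEPRINT))
    print("order:", deployment_order(PCI_BLUEPRINT))
    print("lock mode:", lock_mode(PCI_BLUEPRINT))
```

Run it directly to see the resource group sorted ahead of the template that depends on it, with the policy and role assignments last; feeding it a definition with 201 artifacts or a circular dependsOn shows the two failure modes the validator catches.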

Configuration and Verification Commands

Azure Blueprints can be managed via the Azure portal, Azure CLI, or PowerShell. Here are some key commands:

Azure CLI:

# Import a blueprint definition from a local folder that holds blueprint.json
# (and an artifacts/ sub-folder). 'az blueprint create' builds an empty definition; it does not read a file.
az blueprint import --name "MyBlueprint" --management-group "mg1" --input-path "./MyBlueprint"

# Assign a published version to a subscription. --blueprint-version takes the
# resource ID of the published version, and --location is required.
az blueprint assignment create --name "MyAssignment" --subscription "sub1" --location "westus" --blueprint-version "/providers/Microsoft.Management/managementGroups/mg1/providers/Microsoft.Blueprint/blueprints/MyBlueprint/versions/v1" --parameters "params.json"

# List blueprint assignments
az blueprint assignment list --subscription "sub1"

# Update an existing assignment to a newer published version
az blueprint assignment update --name "MyAssignment" --subscription "sub1" --blueprint-version "/providers/Microsoft.Management/managementGroups/mg1/providers/Microsoft.Blueprint/blueprints/MyBlueprint/versions/v2"

PowerShell:

# Create a blueprint definition from a JSON file
New-AzBlueprint -Name "MyBlueprint" -ManagementGroupId "mg1" -BlueprintFile "blueprint.json"

# Assign the latest published version. The cmdlet takes a blueprint object
# (not a name), needs a location, and takes parameters as a hashtable.
$bp = Get-AzBlueprint -ManagementGroupId "mg1" -Name "MyBlueprint" -LatestPublished
New-AzBlueprintAssignment -Name "MyAssignment" -Blueprint $bp -SubscriptionId "sub1" -Location "westus" -Parameter @{ location = "westus" }

# Get assignment status
Get-AzBlueprintAssignment -SubscriptionId "sub1" -Name "MyAssignment"

How It Interacts with Related Technologies

Azure Policy: Blueprints can include policy assignments. Policy is used to audit or enforce compliance, while Blueprints orchestrate the deployment of policies along with other resources.

Azure Resource Manager Templates: Blueprints can include ARM templates as artifacts. The templates are deployed as part of the blueprint assignment.

Management Groups: Blueprints are defined at the management group or subscription scope. Assigning a blueprint at a management group scope can apply it to all child subscriptions.

Role-Based Access Control (RBAC): Blueprints can include role assignments to grant permissions to security principals at the subscription or resource group level.

Resource Groups: Blueprints can create resource groups and define their location. This is useful for organizing resources.

Lifecycle

1. Create: Define the blueprint with artifacts.

2. Publish: Publish a version of the blueprint (e.g., v1.0).

3. Assign: Assign the blueprint to a subscription. The assignment deploys all artifacts.

4. Update: Modify the blueprint definition and publish a new version.

5. Update Assignment: Existing assignments can be updated to the new version, which will deploy or modify resources as needed.

6. Unassign: Remove the blueprint assignment. This does not delete the resources that were deployed; it only removes the tracking relationship. Resources must be manually cleaned up if desired.

Exam-Relevant Details

Blueprints are not a replacement for ARM templates or Azure Policy. They are a wrapper that combines multiple artifacts.

Blueprints can be exported as JSON for version control.

The blueprint resource type is Microsoft.Blueprint/blueprints.

Blueprint assignments are tracked in the Azure Activity Log.

You can use blueprint locks to prevent modification of resources. If a lock is set, you must remove the lock before modifying the resource.

Blueprint assignments can be updated to a new version, but you cannot change the scope of an existing assignment.

The publish operation creates an immutable version. You cannot modify a published version; you must create a new version.

Blueprints can be shared across subscriptions via management groups.

Walk-Through

1. Define the Blueprint

Start by creating a blueprint definition in the Azure portal, CLI, or PowerShell. You specify the scope (management group or subscription) where the blueprint will be stored. Within the definition, you add artifacts: resource groups, ARM templates, policy assignments, and role assignments. Each artifact can have parameters that are filled in at assignment time. For example, you might define a resource group named 'Networking' with a location parameter. The blueprint definition is stored as a JSON file in the Azure Blueprints service. You can also import an existing blueprint definition from a JSON file.

2. Publish the Blueprint

After defining the blueprint, you must publish it to create an immutable version. Publishing assigns a version number (e.g., 1.0). Once published, the blueprint definition cannot be modified. If you need to make changes, you must create a new version by updating the draft and publishing again. The versioning allows you to track changes and roll back if necessary. You can publish multiple versions over time. The published version is what gets assigned to subscriptions.

3. Assign the Blueprint

To apply the blueprint to a subscription, you create a blueprint assignment. You specify the target subscription, the blueprint version to use, and provide values for any parameters defined in the artifacts. The assignment triggers the deployment of all artifacts in the specified order. The order is determined by the blueprint: resource groups are created first, then ARM templates, then policy and role assignments. The assignment creates a new resource of type 'Microsoft.Blueprint/blueprintAssignments' that tracks the deployment status and version.

4. Monitor Assignment Status

After assignment, you can monitor the deployment status in the Azure portal under the Blueprints blade. Each artifact's deployment status is shown individually. If any artifact fails (e.g., an ARM template deployment fails), the entire assignment can be marked as failed. You can view detailed error messages and retry the assignment after fixing the issue. The assignment status is also available via Azure CLI and PowerShell commands. The Activity Log records all operations related to blueprint assignments.
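Because every assignment operation lands in the Activity Log, the monitoring described above can be scripted rather than done by hand in the portal. The following Python is an added example, not code from this page or from Azure: it reads Activity Log records as JSON lines, keeps only Microsoft.Blueprint/blueprintAssignments operations, and separates successful deployments, failed deployments (with their status message) and unassignments, which the chapter notes leave deployed resources behind untracked. The records are constructed and simplified (flat status and caller fields, placeholder subscription IDs); a real Activity Log export carries more fields, so the function names and record shape are my assumptions.

```python
import json

ASSIGNMENT_OPERATION_PREFIX = "Microsoft.Blueprint/blueprintAssignments/"

# Constructed Activity Log records, one JSON document per line. Not real data.
SAMPLE_ACTIVITY_LOG = [
    json.dumps({"time": "2026-05-30T09:12:04Z",
                "operationName": "Microsoft.Blueprint/blueprintAssignments/write",
                "status": "Succeeded", "caller": "ops-automation@example.com",
                "resourceId": "/subscriptions/SUB-A-PLACEHOLDER/providers/Microsoft.Blueprint/blueprintAssignments/customer-a"}),
    json.dumps({"time": "2026-05-30T09:15:41Z",
                "operationName": "Microsoft.Blueprint/blueprintAssignments/write",
                "status": "Failed", "caller": "ops-automation@example.com",
                "resourceId": "/subscriptions/SUB-B-PLACEHOLDER/providers/Microsoft.Blueprint/blueprintAssignments/customer-b",
                "properties": {"statusMessage": "Artifact 'VNetAndNsg' failed: address space overlaps an existing virtual network"}}),
    json.dumps({"time": "2026-05-30T10:02:17Z",
                "operationName": "Microsoft.Compute/virtualMachines/write",
                "status": "Succeeded", "caller": "jdoe@example.com",
                "resourceId": "/subscriptions/SUB-A-PLACEHOLDER/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/vm1"}),
    json.dumps({"time": "2026-05-30T11:40:09Z",
                "operationName": "Microsoft.Blueprint/blueprintAssignments/delete",
                "status": "Succeeded", "caller": "jdoe@example.com",
                "resourceId": "/subscriptions/SUB-C-PLACEHOLDER/providers/Microsoft.Blueprint/blueprintAssignments/customer-c"}),
    json.dumps({"time": "2026-05-30T11:41:30Z",
                "operationName": "Microsoft.Blueprint/blueprintAssignments/delete",
                "status": "Failed", "caller": "jdoe@example.com",
                "resourceId": "/subscriptions/SUB-A-PLACEHOLDER/providers/Microsoft.Blueprint/blueprintAssignments/customer-a"}),
]


def assignment_name(resource_id):
    """Last segment of the resource ID is the assignment name."""
    return resource_id.rsplit("/", 1)[-1]


def assignment_events(lines):
    """Parse JSON-lines records and keep only blueprint-assignment operations."""
    records = (json.loads(line) for line in lines)
    return [r for r in records if r.get("operationName", "").startswith(ASSIGNMENT_OPERATION_PREFIX)]


def review(lines):
    """Summarise assignment activity: what deployed, what failed and why, what was unassigned."""
    summary = {"succeeded": [], "failed": [], "unassigned": []}
    for r in assignment_events(lines):
        action = r["operationName"].rsplit("/", 1)[-1]   # "write", "delete", ...
        name = assignment_name(r["resourceId"])
        if action == "write" and r["status"] == "Succeeded":
            summary["succeeded"].append(name)
        elif action == "write" and r["status"] == "Failed":
            summary["failed"].append({
                "assignment": name,
                "time": r["time"],
                "message": r.get("properties", {}).get("statusMessage", ""),
            })
        elif action == "delete" and r["status"] == "Succeeded":
            # Unassigning removes the tracking relationship only; deployed resources remain.
            summary["unassigned"].append({
                "assignment": name,
                "time": r["time"],
                "caller": r["caller"],
                "note": "deployed resources remain but are no longer tracked by a blueprint",
            })
    return summary


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_ACTIVITY_LOG), indent=2))
```

Failed deletes are deliberately ignored (the assignment still exists), and a successful delete is reported with its caller so that the follow-up clean-up or re-assignment decision can be traced to a person.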

5. Update the Blueprint Assignment

If you publish a new version of the blueprint, you can update existing assignments to use the new version. This is done by modifying the assignment and selecting the new version. The update process will deploy any new artifacts and update existing ones as necessary. For example, if you added a new policy assignment in version 2.0, it will be deployed to the subscription. If you removed an artifact, it will not be removed from the subscription; you must manually delete it. The update does not affect resources that were deployed by previous versions unless the artifact itself is updated (e.g., a new ARM template).

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Compliance

A large bank must ensure that all Azure subscriptions used for development and production comply with PCI DSS. The compliance team creates a blueprint named 'PCI-DSS-Env' that includes: a policy assignment to enforce encryption at rest for all storage accounts, a policy assignment to deny public network access for SQL databases, a role assignment granting the Security Operations team 'Reader' access to all resources, and an ARM template that deploys a central logging resource group with a Log Analytics workspace. The blueprint is published and assigned to all 50 subscriptions under a management group. When a new subscription is created, the blueprint is automatically assigned (via Azure Policy 'DeployIfNotExists' effect that triggers blueprint assignment). The security team can update the blueprint when new PCI requirements emerge, and then update all assignments to maintain compliance.

Enterprise Scenario 2: Multi-Tenant SaaS Provider

A SaaS company manages multiple customer environments in separate Azure subscriptions. Each customer environment must have the same baseline: a virtual network with a specific address space, network security groups, a key vault for secrets, and a set of diagnostic settings. The company creates a blueprint 'CustomerBaseline' that includes an ARM template for the VNet and NSGs, a resource group for the key vault, and a policy assignment to enforce diagnostic logging. When a new customer signs up, the operations team assigns the blueprint to the customer's subscription, providing parameters like VNet address space and key vault name. This ensures consistency across all customers. If a new security requirement mandates a firewall, the blueprint is updated and all existing assignments are updated, deploying the firewall to every customer subscription.

Common Misconfigurations

Not publishing a version: If you assign a blueprint that hasn't been published, the assignment will fail. Always publish first.

Forgetting to update assignments: After updating a blueprint, existing assignments remain on the old version. You must explicitly update them.

Removing artifacts without understanding impact: If you remove an artifact from a blueprint and update assignments, the artifact is not removed from the subscription. This can lead to resource sprawl.

Locking resources too aggressively: Using 'Read Only' locks on resources that need to be updated by automated processes (e.g., Azure Backup) can cause failures. Plan lock levels carefully.
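Step 5 of the walk-through and two of the misconfigurations above (assignments left on an old version, artifacts removed from the definition but left behind in the subscription) can both be caught by comparing published versions against the version each assignment is on. The following Python is an added example, not code from this page or from Azure: it diffs two versions' artifact sets, lists assignments that lag behind the latest version, and produces an update plan that separates what the update will deploy from what must be cleaned up by hand. The version data, assignment list and function names are constructed for the example, modelled on the chapter's CustomerBaseline scenario.

```python
def parse_version(version):
    """Turn a version string such as '1.0' or '2.0' (the chapter's format) into a sortable tuple."""
    return tuple(int(part) for part in version.split("."))


def latest_version(versions):
    """Highest published version among a {version: artifacts} mapping."""
    return max(versions, key=parse_version)


def diff_versions(old_artifacts, new_artifacts):
    """Compare two {artifact_name: spec} maps.
    'orphaned' are artifacts dropped from the definition: updating an assignment
    does not remove them from the subscription, so they need manual clean-up."""
    old_names, new_names = set(old_artifacts), set(new_artifacts)
    common = old_names & new_names
    changed = sorted(n for n in common if old_artifacts[n] != new_artifacts[n])
    return {
        "added": sorted(new_names - old_names),
        "changed": changed,
        "unchanged": sorted(common - set(changed)),
        "orphaned": sorted(old_names - new_names),
    }


def stale_assignments(assignments, target_version):
    """Assignments ({name: version}) not yet on the target version."""
    return sorted(name for name, version in assignments.items() if version != target_version)


def update_plan(versions, assignments, target_version=None):
    """Per stale assignment: which artifacts the update deploys and which it leaves behind."""
    target_version = target_version or latest_version(versions)
    plan = {}
    for name in stale_assignments(assignments, target_version):
        current = assignments[name]
        delta = diff_versions(versions[current], versions[target_version])
        plan[name] = {
            "from": current,
            "to": target_version,
            "deploys": delta["added"] + delta["changed"],
            "manual_cleanup": delta["orphaned"],
        }
    return plan


# Constructed sample: two published versions of a customer baseline and three assignments.
CUSTOMER_BASELINE = {
    "1.0": {
        "VNetAndNsg": {"kind": "template", "addressSpace": "10.10.0.0/16"},
        "KeyVaultRg": {"kind": "resourceGroup", "location": "westeurope"},
        "DiagnosticsPolicy": {"kind": "policyAssignment", "effect": "DeployIfNotExists", "retentionDays": 30},
        "LegacyTagPolicy": {"kind": "policyAssignment", "effect": "Audit"},
    },
    "2.0": {
        "VNetAndNsg": {"kind": "template", "addressSpace": "10.10.0.0/16"},
        "KeyVaultRg": {"kind": "resourceGroup", "location": "westeurope"},
        "DiagnosticsPolicy": {"kind": "policyAssignment", "effect": "DeployIfNotExists", "retentionDays": 90},
        "Firewall": {"kind": "template", "sku": "Standard"},
    },
}
ASSIGNMENTS = {"customer-a": "2.0", "customer-b": "1.0", "customer-c": "1.0"}

if __name__ == "__main__":
    import json
    print("latest:", latest_version(CUSTOMER_BASELINE))
    print("stale:", stale_assignments(ASSIGNMENTS, latest_version(CUSTOMER_BASELINE)))
    print(json.dumps(update_plan(CUSTOMER_BASELINE, ASSIGNMENTS), indent=2))
```

The plan shows the Firewall template and the changed diagnostics policy being deployed to the two lagging customers, while LegacyTagPolicy appears only under manual_cleanup, which is exactly the sprawl the misconfiguration note warns about.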

How AZ-104 Actually Tests This

What AZ-104 Tests

Azure Blueprints is tested under Objective 1.2 'Manage Governance' in the 'Identity Governance' domain. The exam expects you to:

Differentiate between Azure Blueprints and Azure Policy.

Understand the blueprint lifecycle: create, publish, assign, update.

Know the types of artifacts: policy assignment, role assignment, ARM template, resource group.

Recognize that blueprints are stored at management group or subscription scope.

Understand that blueprint assignments can be updated to a new version.

Know that blueprint locks are optional and can be 'Do Not Delete' or 'Read Only'.

Be aware that blueprints are not a replacement for ARM templates; they orchestrate multiple artifacts.

Common Wrong Answers

1. 'Blueprints replace Azure Policy' – Wrong. Blueprints can include policy assignments, but Policy is a separate service for auditing and enforcing compliance. Blueprints orchestrate deployment.

2. 'Blueprint assignments automatically update when the blueprint is updated' – Wrong. You must manually update assignments or use automation (like Azure Policy DeployIfNotExists) to trigger updates.

3. 'Blueprints can be assigned to resource groups' – Wrong. Blueprints are assigned only to subscriptions or management groups (which then apply to child subscriptions).

4. 'Blueprints can be used to delete resources' – Wrong. Blueprints deploy resources; they do not delete them. Removing a blueprint assignment does not delete the resources.

Specific Numbers and Terms

Maximum 200 blueprints per management group.

Maximum 200 artifacts per blueprint.

Blueprint version format: e.g., 1.0, 2.0.

Lock levels: 'Do Not Delete' and 'Read Only'.

Artifact types: 'template', 'policyAssignment', 'roleAssignment', 'resourceGroup'.

The resource provider is 'Microsoft.Blueprint'.

Edge Cases

If you assign a blueprint to a subscription that already contains some of the resources, the assignment may fail if there is a conflict (e.g., resource group already exists with a different location). Blueprints do not modify existing resources; they only create new ones.

Blueprint assignments cannot be paused: once assigned, they run to completion or fail.

Blueprints cannot be assigned across tenants.

How to Eliminate Wrong Answers

If a question asks about 'continuously enforcing compliance', the answer is likely Azure Policy, not Blueprints.

If the question mentions 'deploying a set of resources in a specific order', the answer is Blueprints.

If the question mentions 'versioning of compliance artifacts', think Blueprints.

If the question mentions 'remediation tasks', think Azure Policy.

Key Takeaways

Azure Blueprints orchestrate the deployment of ARM templates, policy assignments, role assignments, and resource groups as a single package.

Blueprints must be published (versioned) before they can be assigned to a subscription.

Blueprint assignments are updated manually; updating the blueprint definition does not automatically update existing assignments.

Blueprint locks can be set to 'Do Not Delete' or 'Read Only' to protect resources.

Blueprints are scoped to management groups or subscriptions, not resource groups.

Removing a blueprint assignment does not delete the deployed resources.

Maximum of 200 blueprints per management group and 200 artifacts per blueprint.

Use Azure CLI 'az blueprint' or PowerShell 'Az.Blueprint' module for management.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Blueprints

Orchestrates deployment of multiple resource types (ARM templates, policies, roles, resource groups).

Supports versioning of the entire definition.

Assignable to subscriptions and management groups.

Can include resource locks to protect deployed resources.

Primarily used for initial deployment and updates of environments.

Azure Policy

Only defines and enforces rules (policies) on existing resources.

No built-in versioning for policy definitions (though you can use different definition names).

Assignable to management groups, subscriptions, and resource groups.

Does not deploy resources; only audits or modifies existing ones (with DeployIfNotExists or Modify effects).

Primarily used for continuous compliance evaluation and remediation.

Watch Out for These

Mistake

Azure Blueprints are the same as Azure Policy.

Correct

Azure Blueprints are a packaging and orchestration service that can include policy assignments, but they are not the same. Policy is for auditing and enforcing compliance rules; Blueprints are for deploying a consistent set of resources and configurations.

Mistake

Updating a blueprint automatically updates all assignments.

Correct

No. When you publish a new version of a blueprint, existing assignments remain on the old version. You must manually update each assignment to the new version, or use automation (e.g., Azure Policy DeployIfNotExists) to trigger updates.

Mistake

Blueprints can be assigned to resource groups.

Correct

Blueprints are assigned to subscriptions or management groups. They can create resource groups within the subscription, but the assignment scope is always a subscription or management group.

Mistake

Removing a blueprint assignment deletes all resources deployed by the blueprint.

Correct

Removing a blueprint assignment only removes the tracking relationship. The resources remain in the subscription and must be manually deleted if no longer needed.

Mistake

Blueprints can only be created in the Azure portal.

Correct

Blueprints can be created and managed using Azure CLI, PowerShell, and REST API, in addition to the portal. They can also be exported and imported as JSON files.


Frequently Asked Questions

What is the difference between Azure Blueprints and ARM templates?

ARM templates are JSON files that define the infrastructure and configuration for a deployment. Azure Blueprints are a higher-level service that can package multiple ARM templates along with other artifacts like policy assignments and role assignments. Blueprints provide versioning, locking, and orchestration. While ARM templates deploy resources, Blueprints orchestrate the deployment of multiple templates and other artifacts in a coordinated manner.

Can I assign a blueprint to a management group?

Yes, you can assign a blueprint to a management group. When assigned to a management group, the blueprint applies to all subscriptions under that management group. However, the assignment itself is created at the management group scope, and each subscription will have the blueprint artifacts deployed. This is useful for applying organization-wide standards.

How do I update an existing blueprint assignment to a new version?

In the Azure portal, navigate to the Blueprints blade, select the assignment, and click 'Update assignment'. Then select the new version from the dropdown. In Azure CLI, use 'az blueprint assignment update --name <assignment-name> --subscription <sub> --blueprint-version <published-version-resource-id>'; the version is passed as the resource ID of the published version, not just its number. The update will deploy any new artifacts and modify existing ones as defined in the new version.

What happens if a blueprint assignment fails?

If any artifact deployment fails, the entire assignment is marked as failed. You can view the error details in the assignment's status. You can fix the issue (e.g., correct a parameter value) and retry the assignment. The assignment will attempt to deploy only the failed artifacts, not all artifacts from scratch.

Can I use Azure Blueprints to enforce compliance after deployment?

Blueprints are primarily for initial deployment and updates. For ongoing compliance enforcement, you should use Azure Policy. However, you can include policy assignments in a blueprint to ensure that policies are applied at deployment time. Blueprints do not continuously evaluate resources; that's the job of Azure Policy.

How do I export a blueprint definition?

In the Azure portal, go to the blueprint definition and select 'Export blueprint'. This downloads a JSON file. You can also use Azure CLI: 'az blueprint export --name <blueprint-name> --management-group <mg> --output-path <folder>', which writes blueprint.json and an artifacts folder to that path. The exported JSON includes all artifacts and parameters.

What are blueprint locks and how do they work?

Blueprint locks are optional settings on a blueprint assignment that prevent resources deployed by the blueprint from being deleted or modified. There are two levels: 'Do Not Delete' (prevents deletion but allows modifications) and 'Read Only' (prevents both deletion and modification). Locks are applied to all resources in the assignment. To modify a locked resource, you must first remove the lock from the assignment or update the assignment to remove the lock.
