SC-900 | Chapter 70 of 103 | Objective 4.1

Azure Blueprints for Compliance

This chapter covers Azure Blueprints, a service that enables cloud architects to define a repeatable set of Azure resources that adheres to organizational standards and compliance requirements. For the SC-900 exam, approximately 5-10% of questions relate to compliance solutions, and Azure Blueprints are a core tool within that domain (Objective 4.1: Describe the compliance management capabilities in Azure). Understanding Azure Blueprints is essential because they provide a declarative, versioned approach to deploying and maintaining compliant environments at scale. This chapter will explain what Azure Blueprints are, how they work, their key components, and how they differ from other Azure services like Azure Policy and ARM templates.

25 min read
Intermediate
Updated May 31, 2026

Blueprints as Construction Plans for Azure

Imagine a construction company that builds identical houses across multiple neighborhoods. Each house must follow the same floor plan, use the same materials, and comply with local building codes. Instead of drawing new plans for every house, the company creates a master blueprint that specifies every detail: the foundation dimensions, wall framing, electrical wiring layout, plumbing fixtures, and even the paint colors. This blueprint is then used to build each house consistently. However, each neighborhood has its own zoning laws and utility connections, so the blueprint must allow for minor adjustments—like moving the driveway or choosing a different roof tile color—without violating the core design. In Azure, a blueprint works similarly: it is a package of Azure resources (policies, role assignments, resource groups, ARM templates) that defines a compliant environment. When you assign a blueprint to a subscription, Azure deploys all the components automatically, ensuring every subscription adheres to the same baseline. Just as the construction blueprint locks in the house's structure but allows for parameterized choices (e.g., paint color), Azure Blueprints let you set parameters that administrators can customize at assignment time. The key difference from a simple ARM template is that the blueprint maintains a live linkage: Azure tracks which resources were deployed by the blueprint, so you can audit compliance and update all subscriptions by modifying a single blueprint version. If an inspector finds a house deviating from the blueprint, the builder can quickly revert to the approved plan. Similarly, Azure Blueprints can be used to enforce compliance by reapplying the blueprint or detecting drift.

How It Actually Works

What is Azure Blueprints?

Azure Blueprints is a service in Azure that enables you to define a repeatable set of Azure resources that implements and enforces standards, patterns, and compliance requirements. A blueprint is a package that consists of artifacts such as role assignments, policy assignments, Azure Resource Manager (ARM) templates, and resource groups. When you assign a blueprint to a subscription, Azure deploys all the artifacts in a consistent, orchestrated manner.

Why Azure Blueprints Exists

Organizations often need to deploy multiple subscriptions or environments that must adhere to the same regulatory or security baselines—for example, PCI DSS, HIPAA, or internal security standards. Without a blueprint, each subscription would be set up manually or via separate scripts, leading to configuration drift, inconsistent compliance, and increased operational overhead. Azure Blueprints solves this by providing a single, versioned, auditable definition that can be assigned to any number of subscriptions, with built-in tracking of which subscriptions are using which version.

How Azure Blueprints Works Internally

Azure Blueprints operates through a declarative model. You define a blueprint in a central location (the blueprint definition), which is stored as a JSON document in Azure. The blueprint includes:

- Artifacts: Each artifact is a component that will be deployed. Artifacts can be:
  - Role assignments: Granting specific Azure RBAC roles to users, groups, or service principals.
  - Policy assignments: Applying Azure Policy definitions (built-in or custom) to enforce compliance rules.
  - ARM templates: Deploying Azure resources such as virtual networks, storage accounts, or virtual machines.
  - Resource groups: Creating empty resource groups as containers for resources.
- Parameters: Blueprints support parameters that allow customization at assignment time. For example, you can define a parameter for the allowed location for resources, and each subscription can then choose a specific region.
- Versions: Blueprints are versioned. You publish a blueprint with a version number, and you can update it later by publishing a new version. Assignments point to a specific version, so you control when updates are applied.

When you assign a blueprint to a subscription, Azure performs the following steps:

1. Validation: Azure validates that the blueprint definition is valid and that all referenced artifacts (e.g., policies, roles) exist.
2. Orchestration: Azure creates the resources in the order defined by the blueprint. Dependencies are handled automatically: for example, if a role assignment depends on a resource group, the resource group is created first.
3. Deployment: Azure deploys each artifact sequentially. For ARM templates, it uses the same deployment engine as regular ARM deployments. For policy assignments, it creates the policy assignment resource. For role assignments, it creates the role assignment.
4. Locking: Optionally, you can apply resource locks to all resources deployed by the blueprint. This prevents accidental deletion or modification.
5. Tracking: Azure maintains a relationship between the blueprint assignment and the deployed resources. This allows you to see which resources were created by the blueprint and to audit compliance.
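As an added illustration of the validation, orchestration and parameter steps just described (example code written for this chapter, not code from Microsoft or from the Azure Blueprints service), the Python below models them on a constructed blueprint definition. The artifact documents only mimic the shape of real ones (kind, properties, dependsOn, resourceGroup); the policy and role definition IDs are placeholders, and every artifact and parameter name is hypothetical. It validates that every dependsOn, resourceGroup and [parameters('x')] reference resolves, orders the deployment so that resource groups precede the artifacts placed in them, and resolves parameters with assignment-time values overriding blueprint defaults.

```python
"""Model of the validation, orchestration and parameter-resolution steps of a blueprint
assignment.  Added illustration for this chapter, not Azure's code: the blueprint below is
constructed, only mimics the shape of real artifact documents (kind, properties, dependsOn,
resourceGroup), and every name and ID in it is a made-up placeholder."""
import re
from graphlib import TopologicalSorter  # standard library, Python 3.9+

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed blueprint definition (hypothetical names, placeholder definition IDs).
BLUEPRINT = {
    "parameters": {
        "allowedLocation": {"type": "string", "defaultValue": "eastus"},
        "securityReaderPrincipalId": {"type": "string"},  # no default: the assignment must supply it
    },
    "resourceGroups": {"NetworkingRG": {"name": "rg-networking"}},
    "artifacts": {
        "allowed-locations-policy": {"kind": "policyAssignment", "properties": {
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-POLICY-ID",
            "parameters": {"listOfAllowedLocations": {"value": "[parameters('allowedLocation')]"}}}},
        "security-reader-role": {"kind": "roleAssignment", "properties": {
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/PLACEHOLDER-ROLE-ID",
            "principalIds": ["[parameters('securityReaderPrincipalId')]"]}},
        "hub-vnet": {"kind": "template", "properties": {
            "resourceGroup": "NetworkingRG",            # the group must exist before the template runs
            "dependsOn": ["allowed-locations-policy"],  # and the location policy must already be in place
            "parameters": {"location": {"value": "[parameters('allowedLocation')]"}}}},
    },
}

def _param_refs(obj):
    """Yield every parameter name referenced as [parameters('x')] inside a nested structure."""
    if isinstance(obj, str):
        if m := PARAM_REF.match(obj):
            yield m.group(1)
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _param_refs(v)

def validate(bp):
    """Validation step: every dependsOn, resourceGroup and parameter reference must resolve.
    Returns a list of problems; an empty list means the definition is valid."""
    errors = []
    for name, art in bp["artifacts"].items():
        props = art["properties"]
        for dep in props.get("dependsOn", []):
            if dep not in bp["artifacts"] and dep not in bp["resourceGroups"]:
                errors.append(f"{name}: dependsOn '{dep}' does not exist")
        if props.get("resourceGroup") and props["resourceGroup"] not in bp["resourceGroups"]:
            errors.append(f"{name}: resourceGroup '{props['resourceGroup']}' is not defined")
        for ref in _param_refs(props):
            if ref not in bp["parameters"]:
                errors.append(f"{name}: references unknown parameter '{ref}'")
    return errors

def deployment_order(bp):
    """Orchestration step: resource groups before the artifacts placed in them, then dependsOn order."""
    ts = TopologicalSorter()
    for rg in bp["resourceGroups"]:
        ts.add(rg)
    for name, art in bp["artifacts"].items():
        deps = list(art["properties"].get("dependsOn", []))
        if art["properties"].get("resourceGroup"):
            deps.append(art["properties"]["resourceGroup"])
        ts.add(name, *deps)
    return list(ts.static_order())  # graphlib raises CycleError on a circular dependsOn

def resolve_parameters(bp, assignment_values):
    """Assignment-time values override blueprint defaults; a parameter with neither is an error."""
    resolved, missing = {}, []
    for name, spec in bp["parameters"].items():
        if name in assignment_values:
            resolved[name] = assignment_values[name]
        elif "defaultValue" in spec:
            resolved[name] = spec["defaultValue"]
        else:
            missing.append(name)
    if missing:
        raise ValueError(f"assignment must supply values for: {missing}")
    return resolved

def render(obj, values):
    """Substitute resolved values for [parameters('x')] references."""
    if isinstance(obj, str):
        m = PARAM_REF.match(obj)
        return values[m.group(1)] if m else obj
    if isinstance(obj, dict):
        return {k: render(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [render(v, values) for v in obj]
    return obj

def plan_assignment(bp, assignment_values):
    """Return the ordered (name, kind, rendered properties) steps an assignment would deploy."""
    if errors := validate(bp):
        raise ValueError("invalid blueprint: " + "; ".join(errors))
    values = resolve_parameters(bp, assignment_values)
    steps = []
    for name in deployment_order(bp):
        if name in bp["resourceGroups"]:
            steps.append((name, "resourceGroup", render(bp["resourceGroups"][name], values)))
        else:
            art = bp["artifacts"][name]
            steps.append((name, art["kind"], render(art["properties"], values)))
    return steps
```

Calling plan_assignment(BLUEPRINT, {"allowedLocation": "westus", "securityReaderPrincipalId": "<object id>"}) yields the resource group first, the location policy before the hub VNet template that depends on it, and "westus" substituted into every artifact that references the parameter; omitting securityReaderPrincipalId raises, because that parameter has no default, which is the same rule that makes the portal prompt for a value at assignment time.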

Key Components, Values, and Defaults

- Blueprint definition: The JSON document that defines the blueprint. It has a name, description, target scope (management group or subscription), and a list of artifacts.
- Blueprint assignment: The act of applying a blueprint to a subscription. Each assignment has a name, location, parameters, and a reference to the blueprint version.
- Artifact: Any of the four types: role assignment, policy assignment, ARM template, resource group.
- Parameters: Blueprints support two kinds of parameters:
  - Blueprint-level parameters: Defined at the blueprint level and usable by multiple artifacts.
  - Artifact-level parameters: Defined per artifact; they can override blueprint-level parameters.
- Version: A published version of the blueprint. Versions follow semantic versioning (e.g., 1.0, 1.1, 2.0). You can have multiple published versions, and assignments can be updated to a newer version.
- Locking: Three modes:
  - Don't Lock: No locks applied.
  - Read Only: All deployed resources are set to read-only.
  - Do Not Delete: Resources cannot be deleted but can be modified.
- Default behavior: By default, blueprints do not lock resources. You must explicitly enable locking when you create the assignment.

Configuration and Verification Commands

Azure Blueprints can be managed via the Azure portal, Azure CLI, PowerShell, or REST API. Here are common CLI commands:

Create a blueprint definition:

az blueprint create \
  --name "MyBlueprint" \
  --description "My blueprint for compliance" \
  --target-scope "subscription" \
  --parameters '{"allowedLocation":{"type":"string","defaultValue":"eastus"}}'

Add an artifact (e.g., a policy assignment):

az blueprint artifact policy create \
  --blueprint-name "MyBlueprint" \
  --artifact-name "audit-sql-encryption" \
  --policy-definition-id "/providers/Microsoft.Authorization/policyDefinitions/..." \
  --parameters '{"effect":{"value":"AuditIfNotExists"}}'

Publish the blueprint:

az blueprint publish \
  --blueprint-name "MyBlueprint" \
  --version "1.0"

Assign the blueprint to a subscription (the assignment's managed identity performs the deployment, and the version is referenced by its full resource ID):

az blueprint assignment create \
  --name "MyAssignment" \
  --location "eastus" \
  --identity-type "SystemAssigned" \
  --blueprint-version "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Blueprint/blueprints/MyBlueprint/versions/1.0" \
  --subscription "00000000-0000-0000-0000-000000000000" \
  --parameters '{"allowedLocation":{"value":"westus"}}'

List all assignments:

az blueprint assignment list \
  --subscription "00000000-0000-0000-0000-000000000000"

Update an assignment to a newer version:

az blueprint assignment update \
  --name "MyAssignment" \
  --subscription "00000000-0000-0000-0000-000000000000" \
  --blueprint-version "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Blueprint/blueprints/MyBlueprint/versions/1.1"

How Azure Blueprints Interacts with Related Technologies

Azure Policy: Blueprints can include policy assignments as artifacts. However, Azure Policy is a separate service that evaluates resources for compliance. Blueprints deploy policies, but policies themselves are independent. A blueprint can assign a policy, but the policy's effect (e.g., audit, deny) is enforced by Azure Policy, not by Blueprints.

ARM Templates: Blueprints can include ARM templates as artifacts. However, ARM templates are static deployments; they do not maintain a live relationship with the blueprint. In contrast, Azure Blueprints tracks which resources were deployed by the blueprint, enabling auditing and version updates.

Azure Management Groups: Blueprints can be defined at a management group scope, and assignments can be made to subscriptions within that management group. This allows for hierarchical governance.

Azure Resource Graph: You can use Resource Graph to query resources deployed by a blueprint, using the blueprintResource table.

Azure DevOps: Blueprints can be integrated into CI/CD pipelines using the Azure Blueprints DevOps task or REST API.

Important Exam Details

Blueprints are versioned and auditable. This is a key differentiator from ARM templates.

Blueprints can be assigned to subscriptions only (not resource groups directly, though they can create resource groups).

Blueprints support resource locking to prevent modification of deployed resources.

Blueprints are not a replacement for Azure Policy; they complement it by providing a deployment package.

Blueprints are free; you only pay for the resources deployed.

The target scope can be a management group or a subscription, but assignments are always to a subscription.

Blueprints support parameters for customization at assignment time.

You can update an assignment to a newer version of the blueprint to apply changes.

Blueprints can be exported as JSON for version control.

The default lock mode is 'Don't Lock'.

Common Misunderstandings

Myth: Azure Blueprints and Azure Policy are the same thing. Reality: Azure Policy evaluates and enforces rules on existing resources; Blueprints deploy a set of resources and policies together. They are complementary.

Myth: Blueprints can be assigned to resource groups. Reality: Blueprints are assigned only to subscriptions. They can create resource groups within that subscription.

Myth: Once a blueprint is assigned, you cannot modify the resources. Reality: Unless you enable locking, resources can be modified. Locking is optional.

Myth: Blueprints are only for compliance. Reality: They can also be used for standardization, consistency, and automation of environments.

Exam Focus: Exactly What SC-900 Tests

SC-900 objective 4.1 expects you to describe the compliance management capabilities in Azure, including Azure Policy, Azure Blueprints, and Microsoft Purview Compliance Manager. For Azure Blueprints, the exam focuses on:

Understanding the purpose: to create a repeatable set of Azure resources that adheres to standards and compliance.

Knowing the components: artifacts (role assignments, policy assignments, ARM templates, resource groups).

Recognizing that blueprints are versioned and auditable.

Differentiating blueprints from ARM templates and Azure Policy.

Knowing that blueprints can lock resources.

Common wrong answers:

Selecting Azure Policy when the question asks about deploying a compliant environment (Policy only evaluates, does not deploy).

Thinking blueprints can be assigned to resource groups (they are assigned to subscriptions).

Confusing blueprints with ARM templates (blueprints maintain a live relationship; ARM templates do not).

Assuming blueprints automatically enforce compliance continuously (they deploy policies, but enforcement is done by Policy).

Edge cases:

Blueprints can be defined at management group scope, but assignments are always to subscriptions.

Blueprint parameters can have default values, but assignment parameters override them.

If you delete a blueprint definition, existing assignments continue to work, but you cannot create new assignments.

How to eliminate wrong answers: Focus on the words "deploy," "versioned," "auditable," and "package." If the question mentions deploying a set of resources with policies and roles, it's likely a blueprint. If it's about evaluating existing resources, it's Policy.

Walk-Through

Step 1: Define the Blueprint Artifacts

First, you identify the components your compliant environment needs. For example, you might require a specific set of Azure Policy definitions (like 'Allowed locations' or 'Require encryption'), role assignments (e.g., give the Security team Reader access), and an ARM template that deploys a virtual network with a subnet. You add these as artifacts in the blueprint definition. Each artifact is a JSON object that references the resource type, properties, and any parameters. The order of artifacts matters because Azure deploys them sequentially; you must ensure dependencies are met (e.g., resource group must exist before deploying resources into it).

Step 2: Publish the Blueprint Version

After defining the artifacts, you publish the blueprint with a version number (e.g., 1.0). Publishing creates a read-only snapshot of the blueprint. You cannot modify a published version; you must create a new version. The version is stored in Azure and can be assigned to subscriptions. Publishing also makes the blueprint available for assignment. You can publish multiple versions over time to update the blueprint without affecting existing assignments until they are updated.

Step 3: Assign the Blueprint to a Subscription

You select a subscription (or multiple subscriptions) and assign the blueprint version. During assignment, you specify values for any parameters defined in the blueprint (e.g., the allowed location). You can also choose the locking mode (Don't lock, Read Only, Do Not Delete). Azure then begins deploying the artifacts in order. The assignment creates a resource called 'blueprint assignment' in the subscription, which tracks the deployment status. The deployment is asynchronous; you can monitor progress in the portal or via CLI.

Step 4: Monitor Deployment and Remediate Drift

Once the assignment is complete, you can view the deployed resources and their compliance status. If a resource is modified outside the blueprint (e.g., someone changes a policy assignment), Azure Blueprints detects drift. You can then update the assignment to the latest blueprint version to reapply the desired state. Alternatively, you can use Azure Policy to enforce compliance continuously. Blueprints themselves do not automatically remediate drift; you must trigger an update.

Step 5: Update the Blueprint Assignment

When you publish a new version of the blueprint (e.g., 1.1), you can update existing assignments to the new version. This triggers a new deployment that adds, modifies, or removes resources as defined in the new version. For example, if version 1.1 adds a new policy assignment, that policy will be deployed to the subscription. If a resource was removed from the blueprint, Azure will not delete it automatically; you must manually delete it if needed. Updating an assignment is a controlled way to roll out changes across multiple subscriptions.
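The drift and update behaviour described in steps 4 and 5, together with the three lock modes listed under Key Components, as an added worked example (written for this chapter, not Azure's implementation). The tracked state, the observed state and the 1.1 version are all constructed, and every artifact name is hypothetical; the point the model makes explicit is the caveat from step 5: updating an assignment reapplies what the new version defines, but an artifact the new version dropped is left in place, drifted or not.

```python
"""Model of drift detection against an assignment's tracked resources, of what updating
the assignment to a newer blueprint version changes, and of what each lock mode blocks.
Added illustration for this chapter, not Azure's implementation: the versions, artifacts
and resource states below are constructed and every name is hypothetical."""

# What the assignment recorded when it deployed version 1.0 (constructed).
TRACKED_V1_0 = {
    "allowed-locations-policy": {"kind": "policyAssignment", "effect": "Deny", "locations": ["westus"]},
    "security-reader-role": {"kind": "roleAssignment", "role": "Security Reader"},
    "hub-vnet": {"kind": "template", "addressSpace": "10.0.0.0/16"},
}

# What the subscription actually contains now (constructed): the location policy was
# weakened out of band and the role assignment was removed by hand.
OBSERVED_NOW = {
    "allowed-locations-policy": {"kind": "policyAssignment", "effect": "Audit", "locations": ["westus"]},
    "hub-vnet": {"kind": "template", "addressSpace": "10.0.0.0/16"},
}

# Version 1.1 of the blueprint (constructed): adds an SQL audit policy, widens the VNet
# address space, and no longer defines the role assignment.
VERSION_1_1 = {
    "allowed-locations-policy": {"kind": "policyAssignment", "effect": "Deny", "locations": ["westus"]},
    "hub-vnet": {"kind": "template", "addressSpace": "10.0.0.0/8"},
    "sql-audit-policy": {"kind": "policyAssignment", "effect": "AuditIfNotExists"},
}

# The three lock modes, named as in the portal, and the operations each blocks on
# resources the assignment deployed.
LOCK_MODES = {"Don't Lock": set(), "Read Only": {"modify", "delete"}, "Do Not Delete": {"delete"}}


def detect_drift(tracked, observed):
    """Compare what the assignment deployed with what exists now.  Returns, per drifted
    artifact, either "missing" or a {property: (desired, actual)} map of the differences."""
    report = {}
    for name, desired in tracked.items():
        actual = observed.get(name)
        if actual is None:
            report[name] = "missing"
            continue
        diffs = {k: (desired.get(k), actual.get(k))
                 for k in desired.keys() | actual.keys() if desired.get(k) != actual.get(k)}
        if diffs:
            report[name] = diffs
    return report


def update_plan(current_version, new_version):
    """What moving the assignment to new_version does: artifacts are added or modified, while
    artifacts the new version no longer defines are left in place (reported as orphaned)."""
    current, new = set(current_version), set(new_version)
    return {
        "add": sorted(new - current),
        "modify": sorted(n for n in new & current if new_version[n] != current_version[n]),
        "orphaned": sorted(current - new),
    }


def reconcile(tracked, observed, new_version):
    """Drift on artifacts the new version still defines is corrected when the assignment is
    updated, because those artifacts are (re)applied; drift on artifacts the new version
    dropped is not touched and needs manual cleanup."""
    drift = detect_drift(tracked, observed)
    plan = update_plan(tracked, new_version)
    plan["drift_corrected"] = sorted(n for n in drift if n in new_version)
    plan["drift_left_behind"] = sorted(n for n in drift if n not in new_version)
    return plan


def is_blocked(lock_mode, operation):
    """True if the assignment's lock mode prevents `operation` ("modify" or "delete")."""
    if operation not in ("modify", "delete"):
        raise ValueError(f"unknown operation {operation!r}")
    return operation in LOCK_MODES[lock_mode]
```

With the constructed data, reconcile(TRACKED_V1_0, OBSERVED_NOW, VERSION_1_1) reports the weakened location policy as drift that the update corrects, the hand-deleted role assignment as drift that the update leaves alone (version 1.1 no longer defines it), the SQL audit policy as an addition and the VNet as a modification. Had the assignment been created with the Read Only lock mode, the out-of-band policy change modelled here would have been blocked in the first place.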

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Compliance

A large bank needs to deploy 50 Azure subscriptions for different business units, all of which must comply with PCI DSS. The compliance team creates a single Azure Blueprint that includes:

- Policy assignments for encryption at rest and in transit, network security group rules, and logging.
- Role assignments for the central security team as 'Security Reader' on all subscriptions.
- An ARM template that deploys a hub virtual network with Azure Firewall and a logging workspace.
- Resource groups for 'Networking', 'Security', and 'Application'.

The blueprint is published as version 1.0 and assigned to each subscription. Parameterization allows each business unit to choose its own region (e.g., East US or West Europe) while still enforcing the same policies. The bank uses resource locking (Read Only) on the networking resource group to prevent accidental changes. Over time, as compliance requirements evolve, the team publishes version 2.0 with additional policies and updates the assignments. Misconfiguration: If the blueprint did not include a policy for encryption, some subscriptions might deploy unencrypted storage accounts, leading to audit findings.

Enterprise Scenario 2: Healthcare HIPAA Compliance

A healthcare provider uses Azure Blueprints to standardize environments for patient data processing. The blueprint includes:

- Policy assignments for HIPAA-relevant policies (e.g., audit diagnostic settings, require Azure Defender for SQL).
- Role assignments for the data protection officer as 'Contributor' on the subscription.
- An ARM template that deploys a virtual machine with a specific image and a managed disk with encryption.

The blueprint is assigned to multiple subscriptions, each representing a different clinic. Because the blueprint is versioned, the provider can roll out security updates (e.g., a new policy for network isolation) by publishing version 1.1 and updating assignments. Scaling: With hundreds of subscriptions, the provider uses management groups to organize subscriptions and defines the blueprint at the management group level (assignment is still per subscription). Performance considerations: Blueprint deployment time depends on the number and complexity of artifacts; for large ARM templates, deployment can take up to 30 minutes. Common mistake: Not testing the blueprint in a non-production subscription first, leading to unexpected policy conflicts.

Enterprise Scenario 3: Internal Standardization for a SaaS Company

A SaaS company wants all development teams to use a consistent environment for their applications. The platform team creates a blueprint with:

- A resource group named 'AppRG'.
- An ARM template that deploys an App Service plan and a web app with specific settings (e.g., always on, minimum TLS version).
- A policy assignment that denies creation of resources outside of allowed SKUs.
- A role assignment for the DevOps team as 'Website Contributor'.

Each team gets its own subscription and assigns the blueprint with its own application name parameter. The blueprint ensures that every app follows the same security baseline. When the company decides to enforce HTTPS-only, the platform team updates the blueprint, publishes version 2.0, and updates all assignments. Without blueprints, each team would manually configure settings, leading to drift and security gaps.

How SC-900 Actually Tests This (Objective 4.1)

Exactly What SC-900 Tests

SC-900 tests your understanding of Azure Blueprints as a compliance management tool. You should be able to:

Identify the purpose of Azure Blueprints: to create a repeatable set of Azure resources that adheres to organizational standards and compliance requirements.

Recognize that blueprints include artifacts such as role assignments, policy assignments, ARM templates, and resource groups.

Understand that blueprints are versioned and auditable, unlike ARM templates.

Know that blueprints can lock resources to prevent modification.

Differentiate between Azure Blueprints and Azure Policy (Policy evaluates, Blueprints deploys).

Identify the target scope: blueprints are assigned to subscriptions, not resource groups.

Common Wrong Answers and Why Candidates Choose Them

1. Azure Policy instead of Blueprints: A question asks: 'Which service should you use to deploy a set of resources that meet compliance requirements?' Candidates often choose Azure Policy because they associate Policy with compliance. However, Policy only enforces rules; it does not deploy resources. The correct answer is Azure Blueprints.

2. ARM templates instead of Blueprints: Candidates know ARM templates deploy resources, so they choose that. But ARM templates lack versioning, auditing, and the ability to include policies and role assignments as a package. Blueprints provide these features.

3. Assigning blueprints to resource groups: A question might say 'You need to apply a blueprint to a resource group.' Candidates think this is possible because blueprints can create resource groups, but assignments are always at the subscription level.

4. Blueprints automatically enforce compliance: Candidates think that once a blueprint is assigned, resources are continuously compliant. In reality, blueprints deploy policies, but the enforcement is done by Azure Policy. If someone modifies a resource, the blueprint does not automatically remediate; you must update the assignment.

Specific Numbers, Values, and Terms That Appear on the Exam

Artifact types: Role assignment, policy assignment, ARM template, resource group.

Versioning: Blueprints support semantic versioning (e.g., 1.0, 2.0).

Locking modes: 'Don't Lock', 'Read Only', 'Do Not Delete'.

Target scope: Management group or subscription (but assignment is to subscription).

Parameters: Blueprint-level and artifact-level parameters.

Free service: Azure Blueprints itself is free; you pay for deployed resources.

Edge Cases and Exceptions

If you delete a blueprint definition, existing assignments continue to work, but you cannot create new assignments.

Blueprints can be defined at a management group scope, but assignments are always to subscriptions within that management group.

Blueprint assignments can be updated to a new version, but this may cause conflicts if resources have been manually changed.

The 'Read Only' lock prevents modifications, but you can still delete the resource group if you have permissions (deleting the resource group removes the lock).

How to Eliminate Wrong Answers Using the Underlying Mechanism

If the question mentions deploying a set of resources, policies, and roles together, think Blueprints.

If the question mentions evaluating or auditing existing resources, think Azure Policy.

If the question mentions versioning and auditability, it's Blueprints.

If the question mentions resource locking, it's Blueprints (Policy does not lock resources).

If the question mentions subscription scope, it's likely Blueprints (Policy can be assigned to management groups, subscriptions, or resource groups).

If the question mentions customizing parameters at deployment, Blueprints supports this via parameters.

Exam Tip

When you see a question about 'repeatable deployment of compliant environments,' look for keywords like 'versioned,' 'package,' 'artifacts,' and 'lock.' These are giveaways for Azure Blueprints. If the question focuses on 'enforcing rules on existing resources,' it's Azure Policy.

Key Takeaways

Azure Blueprints deploy a repeatable set of Azure resources (artifacts) including role assignments, policy assignments, ARM templates, and resource groups.

Blueprints are versioned and auditable, enabling controlled rollouts and compliance tracking.

Blueprints can lock resources with modes: Don't Lock, Read Only, Do Not Delete.

Blueprints are assigned to subscriptions only; they cannot be assigned directly to resource groups.

Blueprints are free; you only pay for the resources deployed.

Blueprints complement Azure Policy: Blueprints deploy policies, but Policy enforces them.

Blueprints support parameters for customization at assignment time.

Updating a blueprint assignment to a new version triggers a new deployment to apply changes.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Blueprints

Deploys a package of resources, policies, and roles.

Versioned and auditable.

Can lock resources to prevent modification.

Assigned to subscriptions only.

Primarily used for creating compliant environments.

Azure Policy

Evaluates and enforces rules on existing resources.

Not versioned; policy definitions can be updated in place.

Cannot lock resources; only enforces effects like deny or audit.

Can be assigned to management groups, subscriptions, or resource groups.

Primarily used for continuous compliance evaluation.

Watch Out for These

Mistake

Azure Blueprints and Azure Policy are the same thing.

Correct

Azure Blueprints is a deployment service that packages policies, roles, and resources. Azure Policy is an evaluation service that enforces rules on resources. They are complementary: Blueprints can include Policy assignments as artifacts.

Mistake

Blueprints can be assigned to resource groups.

Correct

Blueprints are assigned to subscriptions only. They can create resource groups within a subscription, but the assignment scope is the entire subscription.

Mistake

Once a blueprint is assigned, resources are locked by default.

Correct

By default, blueprints do not lock resources. Locking is optional and must be explicitly enabled during assignment with one of three modes: Don't Lock, Read Only, or Do Not Delete.

Mistake

Blueprints automatically remediate configuration drift.

Correct

Blueprints do not automatically remediate drift. If a resource is modified after assignment, you must update the assignment to the latest blueprint version to reapply the desired state. Azure Policy can be used for continuous compliance evaluation.

Mistake

ARM templates are equivalent to Azure Blueprints.

Correct

ARM templates are static; they do not maintain a live relationship with the deployment. Blueprints provide versioning, auditing, and the ability to include policies and role assignments as a package. ARM templates are just one type of artifact in a blueprint.


Frequently Asked Questions

What is the difference between Azure Blueprints and ARM templates?

Azure Blueprints is a service that packages ARM templates along with other artifacts like role assignments and policy assignments. Unlike ARM templates, Blueprints are versioned, auditable, and maintain a live relationship with the deployed resources. This allows you to track which resources came from a blueprint and update them by assigning a new version. ARM templates are static and do not provide these governance capabilities.

Can Azure Blueprints be assigned to a management group?

No, Azure Blueprints can only be assigned to subscriptions. However, you can define a blueprint at a management group scope, and then assign it to any subscription within that management group. The assignment itself is always at the subscription level.

Does Azure Blueprints automatically remediate non-compliant resources?

No, Azure Blueprints does not automatically remediate drift. If a resource is modified after the blueprint assignment, you must update the assignment to the latest version to reapply the desired state. For continuous compliance monitoring and automatic remediation, you should use Azure Policy with 'DeployIfNotExists' or 'Modify' effects.

What artifact types can be included in an Azure Blueprint?

An Azure Blueprint can include four types of artifacts: role assignments (granting Azure RBAC roles), policy assignments (applying Azure Policy definitions), ARM templates (deploying Azure resources), and resource groups (creating empty resource groups). Each artifact is defined in the blueprint JSON and deployed in order.

Is there a cost for using Azure Blueprints?

Azure Blueprints itself is a free service. You only pay for the Azure resources that are deployed by the blueprint, such as virtual machines, storage accounts, or networking components. There is no additional charge for the blueprint definitions or assignments.

How do I update all subscriptions that use a blueprint?

First, publish a new version of the blueprint (e.g., version 2.0). Then, for each subscription that has an assignment, update the assignment to reference the new version. You can do this via the Azure portal, CLI, or PowerShell. Updating the assignment triggers a new deployment that applies the changes defined in the new version.

What happens if I delete a blueprint definition?

If you delete a blueprint definition, existing assignments continue to work and the deployed resources remain. However, you cannot create new assignments for that blueprint, and you cannot publish new versions. The assignments will still appear in the portal, but you will not be able to modify them.
