A company is adopting Azure and wants to ensure that every new subscription automatically includes a standard set of governance artifacts: two custom Azure Policy definitions (one for allowed locations, one for resource tagging), a custom Role-Based Access Control (RBAC) assignment for the security team, and an initial resource group with an Azure Resource Manager (ARM) template that sets up a network topology. The company wants to version these artifacts and update them over time, ensuring that new subscriptions always use the latest approved version. Which Azure service should the company use to package and deploy this standardized environment?
Azure Blueprints is the correct service. It allows you to define a repeatable set of Azure resources that follow organizational standards, including policies, role assignments, ARM templates, and resource groups. Blueprints support versioning and can be assigned to management groups or subscriptions to ensure every new environment is automatically provisioned with the approved artifacts.
Why this answer
Azure Blueprints is the correct service because it is designed to orchestrate the deployment of a repeatable, versioned environment that includes policies, RBAC assignments, resource groups, and ARM templates. It allows you to define a blueprint with these artifacts, publish versions, and assign the latest approved version to new subscriptions, ensuring consistent governance across the organization.
Exam trap
The trap here is that candidates confuse Azure Policy Initiatives (which only handle policies) with Azure Blueprints (which package policies, RBAC, templates, and resource groups together), missing the requirement for versioning and multi-artifact deployment.
How to eliminate wrong answers
Option A is wrong because Azure Management Groups are a hierarchical container for organizing subscriptions and applying governance at scale, but they cannot package or version multiple artifacts like custom policies, RBAC assignments, and ARM templates into a single deployable unit.
Option B is wrong because Azure Policy Initiatives group related policy definitions (including custom ones) for enforcement, but they do not include RBAC assignments, resource groups, or ARM templates, nor do they support versioning of the entire environment.