Bird
Raised Fist0
Azurecloud~5 mins

Blueprint for environment setup in Azure - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Setting up cloud environments can be complex and error-prone. Azure Blueprints help you create a repeatable environment setup with policies, roles, and resources all defined in one place.
When you want to quickly create multiple environments with the same settings and rules.
When you need to enforce company policies across all your cloud resources automatically.
When you want to save time by automating the setup of resource groups, role assignments, and policies.
When you want to ensure compliance by applying security rules consistently.
When you want to share a standard environment setup with your team or organization.
Config File - blueprint.json
blueprint.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.Blueprint/blueprints",
      "apiVersion": "2018-11-01-preview",
      "name": "environmentSetupBlueprint",
      "properties": {
        "description": "Blueprint to set up environment with resource group, role assignment, and policy",
        "targetScope": "subscription",
        "parameters": {},
        "resourceGroups": {
          "appResourceGroup": {
            "description": "Resource group for application resources",
            "metadata": {
              "displayName": "App Resource Group"
            }
          }
        },
        "policies": [
          {
            "name": "allowedLocations",
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/allowedLocations",
            "parameters": {
              "listOfAllowedLocations": {
                "value": ["eastus", "westus"]
              }
            }
          }
        ],
        "roleAssignments": [
          {
            "name": "readerRoleAssignment",
            "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
            "principalIds": ["00000000-0000-0000-0000-000000000000"]
          }
        ]
      }
    }
  ]
}

This JSON file defines an Azure Blueprint named environmentSetupBlueprint. It sets the target scope to a subscription and includes:

  • A resource group called appResourceGroup for application resources.
  • A policy to allow only specific locations (eastus and westus).
  • A role assignment giving Reader access to a specific user or service principal (replace the principal ID with your own).

This blueprint helps automate and standardize environment setup.

Commands
This command creates a new Azure Blueprint named environmentSetupBlueprint in the specified subscription. It starts the blueprint definition.
Terminal
az blueprint create --name environmentSetupBlueprint --description "Blueprint to set up environment with resource group, role assignment, and policy" --subscription 12345678-1234-1234-1234-123456789abc
Expected OutputExpected
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint", "name": "environmentSetupBlueprint", "type": "Microsoft.Blueprint/blueprints", "properties": { "description": "Blueprint to set up environment with resource group, role assignment, and policy", "targetScope": "subscription", "version": "1.0" } }
--name - Sets the blueprint name
--subscription - Specifies the Azure subscription ID
Adds a resource group artifact named appResourceGroup to the blueprint. This defines a resource group to be created when the blueprint is assigned.
Terminal
az blueprint artifact resource-group add --blueprint-name environmentSetupBlueprint --resource-group appResourceGroup --subscription 12345678-1234-1234-1234-123456789abc
Expected OutputExpected
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint/artifacts/appResourceGroup", "name": "appResourceGroup", "type": "Microsoft.Blueprint/blueprints/artifacts", "properties": { "artifactType": "resourceGroup", "resourceGroup": { "name": "appResourceGroup" } } }
--blueprint-name - Specifies which blueprint to add the artifact to
--resource-group - Names the resource group artifact
Adds a policy artifact to the blueprint that restricts resource locations to eastus and westus.
Terminal
az blueprint artifact policy add --blueprint-name environmentSetupBlueprint --name allowedLocations --policy-definition-id /providers/Microsoft.Authorization/policyDefinitions/allowedLocations --parameters '{"listOfAllowedLocations":{"value":["eastus","westus"]}}' --subscription 12345678-1234-1234-1234-123456789abc
Expected OutputExpected
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint/artifacts/allowedLocations", "name": "allowedLocations", "type": "Microsoft.Blueprint/blueprints/artifacts", "properties": { "artifactType": "policyAssignment", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/allowedLocations", "parameters": { "listOfAllowedLocations": { "value": ["eastus", "westus"] } } } }
--policy-definition-id - Specifies the policy to assign
--parameters - Sets parameters for the policy
Publishes the blueprint version 1.0 so it can be assigned to subscriptions.
Terminal
az blueprint publish --name environmentSetupBlueprint --version 1.0 --subscription 12345678-1234-1234-1234-123456789abc
Expected OutputExpected
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint/versions/1.0", "name": "1.0", "type": "Microsoft.Blueprint/blueprints/versions", "properties": { "version": "1.0", "published": true } }
--version - Sets the blueprint version
Assigns the published blueprint to the subscription, creating the defined resources and applying policies.
Terminal
az blueprint assignment create --name environmentSetupAssignment --blueprint-name environmentSetupBlueprint --version 1.0 --subscription 12345678-1234-1234-1234-123456789abc
Expected OutputExpected
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprintAssignments/environmentSetupAssignment", "name": "environmentSetupAssignment", "type": "Microsoft.Blueprint/blueprintAssignments", "properties": { "blueprintId": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint/versions/1.0", "provisioningState": "Succeeded" } }
--name - Names the blueprint assignment
Key Concept

If you remember nothing else from this pattern, remember: Azure Blueprints let you package and automate environment setup with policies, roles, and resources in one reusable template.

Common Mistakes
Not publishing the blueprint before assignment
Blueprints must be published to a version before they can be assigned; otherwise, assignment fails.
Always run az blueprint publish with a version number before assigning the blueprint.
Using incorrect subscription ID or principal IDs
Wrong IDs cause commands to fail or assign roles to wrong users.
Double-check subscription and principal IDs with az account show and az ad user list before running commands.
Skipping adding required artifacts like resource groups or policies
Blueprints without artifacts do not create resources or enforce policies as intended.
Add all necessary artifacts to the blueprint before publishing and assigning.
Summary
Create an Azure Blueprint to define environment setup including resource groups, policies, and role assignments.
Add artifacts like resource groups and policies to the blueprint using Azure CLI commands.
Publish the blueprint version and assign it to a subscription to deploy the environment automatically.

Practice

(1/5)
1. What is the main purpose of an Azure Blueprint in environment setup?
easy
A. To monitor resource usage and billing
B. To manually configure each resource individually
C. To automate and standardize the deployment of Azure resources
D. To create virtual machines only

Solution

  1. Step 1: Understand the role of Azure Blueprints

    Azure Blueprints help automate and standardize how environments are set up by defining a repeatable set of resources and policies.

  2. Step 2: Compare options with blueprint purpose

    Options A, B, and D describe manual configuration, monitoring, or limited resource creation, which are not the main goals of Blueprints.

  3. Final Answer:

    To automate and standardize the deployment of Azure resources -> Option C

  4. Quick Check:

    Blueprints automate setup = C [OK]
Hint: Blueprints automate setup, not manual or monitoring tasks [OK]
Common Mistakes:
  • Confusing Blueprints with monitoring tools
  • Thinking Blueprints only create VMs
  • Assuming manual setup is automated by Blueprints
2. Which Azure CLI command is used to publish a blueprint after creation?
easy
A. az blueprint create
B. az blueprint publish
C. az blueprint assign
D. az blueprint delete

Solution

  1. Step 1: Identify the command to publish a blueprint

    The command az blueprint publish is used to publish a blueprint version after it is created.

  2. Step 2: Differentiate from other commands

    az blueprint create creates a blueprint, az blueprint assign assigns it to a subscription, and az blueprint delete removes it.

  3. Final Answer:

    az blueprint publish -> Option B

  4. Quick Check:

    Publish blueprint = az blueprint publish [OK]
Hint: Publish blueprints with 'az blueprint publish' command [OK]
Common Mistakes:
  • Using 'create' instead of 'publish' to finalize blueprint
  • Confusing 'assign' with 'publish'
  • Trying to delete instead of publish
3. Given this Azure CLI snippet:
az blueprint create --name MyBlueprint --description "Test blueprint" --subscription 12345
az blueprint artifact resource-group add --blueprint-name MyBlueprint --resource-group-name MyRG --subscription 12345
az blueprint publish --name MyBlueprint --subscription 12345
az blueprint assign --name MyBlueprint --subscription 12345

What is the expected result after running these commands?
medium
A. A blueprint named MyBlueprint is created, published, and assigned, deploying resource group MyRG
B. Only the blueprint is created but not published or assigned
C. The resource group MyRG is created but blueprint is not assigned
D. An error occurs because resource group cannot be added as artifact

Solution

  1. Step 1: Analyze each command's effect

    The commands create a blueprint, add a resource group artifact, publish the blueprint, and assign it to the subscription.

  2. Step 2: Understand blueprint assignment behavior

    Assigning the blueprint deploys the defined artifacts, so resource group MyRG will be created in the subscription.

  3. Final Answer:

    A blueprint named MyBlueprint is created, published, and assigned, deploying resource group MyRG -> Option A

  4. Quick Check:

    Blueprint create + publish + assign deploys artifacts = D [OK]
Hint: Assigning blueprint deploys all defined artifacts automatically [OK]
Common Mistakes:
  • Assuming blueprint must be manually deployed after assignment
  • Thinking resource group cannot be an artifact
  • Missing publish step effect
4. You run this command to assign a blueprint:
az blueprint assign --name MyBlueprint --subscription 12345

But you get an error saying the blueprint is not published. What is the likely fix?
medium
A. Run az blueprint publish --name MyBlueprint --subscription 12345 before assigning
B. Delete and recreate the blueprint
C. Assign the blueprint without specifying subscription
D. Use az blueprint create again to fix

Solution

  1. Step 1: Understand blueprint lifecycle

    A blueprint must be published before it can be assigned to a subscription.

  2. Step 2: Identify the missing step

    The error indicates the blueprint was created but not published, so publishing it first resolves the issue.

  3. Final Answer:

    Run az blueprint publish --name MyBlueprint --subscription 12345 before assigning -> Option A

  4. Quick Check:

    Publish blueprint before assign = B [OK]
Hint: Always publish blueprint before assignment to avoid errors [OK]
Common Mistakes:
  • Skipping publish step
  • Recreating blueprint unnecessarily
  • Ignoring subscription parameter
5. You want to enforce a policy that all resource groups created by your blueprint must have tags for 'Environment' and 'Owner'. How should you include this in your Azure Blueprint?
hard
A. Use a script artifact to delete resource groups without tags
B. Manually add tags after resource groups are deployed
C. Create resource groups outside the blueprint with tags and assign blueprint later
D. Add a policy artifact to the blueprint that requires these tags on resource groups

Solution

  1. Step 1: Understand policy artifacts in blueprints

    Policy artifacts enforce rules like requiring tags on resources during deployment.

  2. Step 2: Apply policy to resource groups in blueprint

    Adding a policy artifact that requires 'Environment' and 'Owner' tags ensures compliance automatically when resource groups are created.

  3. Step 3: Evaluate other options

    Manual tagging or scripts are error-prone and not automated; creating resource groups outside blueprint defeats standardization.

  4. Final Answer:

    Add a policy artifact to the blueprint that requires these tags on resource groups -> Option D

  5. Quick Check:

    Use policy artifact to enforce tags = A [OK]
Hint: Use policy artifacts in blueprint to enforce tagging rules [OK]
Common Mistakes:
  • Relying on manual tagging after deployment
  • Not using policy artifacts for enforcement
  • Creating resources outside blueprint control