
Blueprint for environment setup in Azure - Commands & Configuration

Introduction
Setting up cloud environments can be complex and error-prone. Azure Blueprints help you create a repeatable environment setup with policies, roles, and resources all defined in one place.
Use Azure Blueprints:

  • When you want to quickly create multiple environments with the same settings and rules.
  • When you need to enforce company policies across all your cloud resources automatically.
  • When you want to save time by automating the setup of resource groups, role assignments, and policies.
  • When you want to ensure compliance by applying security rules consistently.
  • When you want to share a standard environment setup with your team or organization.

Config File - blueprint.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.Blueprint/blueprints",
      "apiVersion": "2018-11-01-preview",
      "name": "environmentSetupBlueprint",
      "properties": {
        "description": "Blueprint to set up environment with resource group, role assignment, and policy",
        "targetScope": "subscription",
        "parameters": {},
        "resourceGroups": {
          "appResourceGroup": {
            "description": "Resource group for application resources",
            "metadata": {
              "displayName": "App Resource Group"
            }
          }
        },
        "policies": [
          {
            "name": "allowedLocations",
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/allowedLocations",
            "parameters": {
              "listOfAllowedLocations": {
                "value": ["eastus", "westus"]
              }
            }
          }
        ],
        "roleAssignments": [
          {
            "name": "readerRoleAssignment",
            "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
            "principalIds": ["00000000-0000-0000-0000-000000000000"]
          }
        ]
      }
    }
  ]
}

This JSON file defines an Azure Blueprint named environmentSetupBlueprint. It sets the target scope to a subscription and includes:

  • A resource group called appResourceGroup for application resources.
  • A policy to allow only specific locations (eastus and westus).
  • A role assignment giving Reader access to a specific user or service principal (replace the principal ID with your own).

This blueprint helps automate and standardize environment setup.

Commands
This command creates a new Azure Blueprint named environmentSetupBlueprint in the specified subscription. It starts the blueprint definition.
Terminal
az blueprint create --name environmentSetupBlueprint --description "Blueprint to set up environment with resource group, role assignment, and policy" --subscription 12345678-1234-1234-1234-123456789abc
Expected Output
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint", "name": "environmentSetupBlueprint", "type": "Microsoft.Blueprint/blueprints", "properties": { "description": "Blueprint to set up environment with resource group, role assignment, and policy", "targetScope": "subscription", "version": "1.0" } }
--name - Sets the blueprint name
--subscription - Specifies the Azure subscription ID
Adds a resource group artifact named appResourceGroup to the blueprint. This defines a resource group to be created when the blueprint is assigned.
Terminal
az blueprint artifact resource-group add --blueprint-name environmentSetupBlueprint --resource-group appResourceGroup --subscription 12345678-1234-1234-1234-123456789abc
Expected Output
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint/artifacts/appResourceGroup", "name": "appResourceGroup", "type": "Microsoft.Blueprint/blueprints/artifacts", "properties": { "artifactType": "resourceGroup", "resourceGroup": { "name": "appResourceGroup" } } }
--blueprint-name - Specifies which blueprint to add the artifact to
--resource-group - Names the resource group artifact
Adds a policy artifact to the blueprint that restricts resource locations to eastus and westus.
Terminal
az blueprint artifact policy add --blueprint-name environmentSetupBlueprint --name allowedLocations --policy-definition-id /providers/Microsoft.Authorization/policyDefinitions/allowedLocations --parameters '{"listOfAllowedLocations":{"value":["eastus","westus"]}}' --subscription 12345678-1234-1234-1234-123456789abc
Expected Output
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint/artifacts/allowedLocations", "name": "allowedLocations", "type": "Microsoft.Blueprint/blueprints/artifacts", "properties": { "artifactType": "policyAssignment", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/allowedLocations", "parameters": { "listOfAllowedLocations": { "value": ["eastus", "westus"] } } } }
--policy-definition-id - Specifies the policy to assign
--parameters - Sets parameters for the policy
Publishes the blueprint version 1.0 so it can be assigned to subscriptions.
Terminal
az blueprint publish --name environmentSetupBlueprint --version 1.0 --subscription 12345678-1234-1234-1234-123456789abc
Expected Output
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint/versions/1.0", "name": "1.0", "type": "Microsoft.Blueprint/blueprints/versions", "properties": { "version": "1.0", "published": true } }
--version - Sets the blueprint version
Assigns the published blueprint to the subscription, creating the defined resources and applying policies.
Terminal
az blueprint assignment create --name environmentSetupAssignment --blueprint-name environmentSetupBlueprint --version 1.0 --subscription 12345678-1234-1234-1234-123456789abc
Expected Output
{ "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprintAssignments/environmentSetupAssignment", "name": "environmentSetupAssignment", "type": "Microsoft.Blueprint/blueprintAssignments", "properties": { "blueprintId": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Blueprint/blueprints/environmentSetupBlueprint/versions/1.0", "provisioningState": "Succeeded" } }
--name - Names the blueprint assignment
Key Concept

If you remember nothing else from this pattern, remember: Azure Blueprints let you package and automate environment setup with policies, roles, and resources in one reusable template.

Common Mistakes
  • Not publishing the blueprint before assignment. Blueprints must be published to a version before they can be assigned; otherwise, assignment fails. Always run az blueprint publish with a version number before assigning the blueprint.
  • Using incorrect subscription ID or principal IDs. Wrong IDs cause commands to fail or assign roles to wrong users. Double-check subscription and principal IDs with az account show and az ad user list before running commands.
  • Skipping adding required artifacts like resource groups or policies. Blueprints without artifacts do not create resources or enforce policies as intended. Add all necessary artifacts to the blueprint before publishing and assigning.

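
A pre-publish check for the ID and artifact mistakes listed above, as an added example that is not part of the original page: it lints the properties object of blueprint.json. The function name lint_blueprint, the sample data, and the rule that Owner and Contributor assignments are flagged are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the "properties" object from the page's blueprint.json.
SAMPLE = json.loads("""{
  "resourceGroups": {"appResourceGroup": {"description": "Resource group for application resources"}},
  "policies": [{"name": "allowedLocations",
    "parameters": {"listOfAllowedLocations": {"value": ["eastus", "westus"]}}}],
  "roleAssignments": [{"name": "readerRoleAssignment",
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "principalIds": ["00000000-0000-0000-0000-000000000000"]}]
}""")

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
NIL_GUID = "00000000-0000-0000-0000-000000000000"
# Assumption: built-in roles with write access are flagged for review.
BROAD_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
}

def lint_blueprint(props):
    """Return a list of findings for a blueprint 'properties' object."""
    findings = []
    if not props.get("resourceGroups"):
        findings.append("no resource group artifacts defined")
    if not props.get("policies"):
        findings.append("no policy artifacts defined")
    for pol in props.get("policies", []):
        locs = pol.get("parameters", {}).get("listOfAllowedLocations", {}).get("value")
        if pol.get("name") == "allowedLocations" and not locs:
            findings.append("allowedLocations policy has an empty location list")
    for ra in props.get("roleAssignments", []):
        name = ra.get("name", "<unnamed>")
        role_id = ra.get("roleDefinitionId", "")
        if re.search(r"\{[^}]+\}", role_id):
            findings.append(f"{name}: unresolved placeholder in roleDefinitionId")
        role_guid = role_id.rsplit("/", 1)[-1].lower()
        if role_guid in BROAD_ROLES:
            findings.append(f"{name}: grants {BROAD_ROLES[role_guid]}; prefer a narrower role")
        for pid in ra.get("principalIds", []):
            if pid == NIL_GUID or not GUID.match(pid):
                findings.append(f"{name}: principal ID {pid!r} is a placeholder or malformed")
    return findings

if __name__ == "__main__":
    for finding in lint_blueprint(SAMPLE):
        print(finding)
```

Run it against the file before publishing; an empty list means none of these checks fired, not that the IDs point at the intended subscription or principal.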
Summary
Create an Azure Blueprint to define environment setup including resource groups, policies, and role assignments.
Add artifacts like resource groups and policies to the blueprint using Azure CLI commands.
Publish the blueprint version and assign it to a subscription to deploy the environment automatically.