Define and assign a blueprint in the portal
Create a blueprint
The first step in defining a standard pattern for compliance is to compose a blueprint from the available resources. In this section, you create a blueprint named MyBlueprint to configure role and policy assignments for the subscription. You then add a resource group, an ARM template, and a role assignment on the resource group.
- Select All services in the left pane. Search for and select Blueprints.
- Select Blueprint definitions, and then select + Create blueprint.
  Or, select Getting started > Create to go straight to creating a blueprint.
- Select Start with blank blueprint from the card at the top of the built-in blueprints list.
- Provide a blueprint name, such as MyBlueprint. (You can use up to 48 letters and numbers, but no spaces or special characters.) Leave Blueprint description blank for now.
- In the Definition location box, select the ellipsis on the right. Then select the management group or subscription where you want to save the blueprint, and choose Select.
- Verify that the information is correct. The Blueprint name and Definition location fields can’t be changed later. Then select Next : Artifacts at the bottom of the page, or the Artifacts tab at the top of the page.
- Add a role assignment at the subscription level:
  - Under Subscription, select + Add artifact. The Add artifact window opens on the right side of the browser.
  - For Artifact type, select Role assignment.
  - For Role, select Contributor. Leave the Add user, app or group box with the check box that indicates a dynamic parameter.
  - Select Add to add this artifact to the blueprint.
- Add a policy assignment at the subscription level:
  - Under the role assignment artifact, select + Add artifact.
  - For Artifact type, select Policy assignment.
  - Change Type to Built-in. In Search, enter tag.
  - Change focus out of Search for the filtering to occur. Select Append tag and its value to resource groups.
  - Select Add to add this artifact to the blueprint.
  - Select the row of the policy assignment Append tag and its value to resource groups.
  - The window to provide parameters to the artifact as part of the blueprint definition opens. You can set the parameters for all assignments (static parameters) based on this blueprint, instead of during assignment (dynamic parameters). This example uses dynamic parameters during blueprint assignment, so leave the defaults and select Cancel.
- Add a resource group at the subscription level:
  - Under Subscription, select + Add artifact.
  - For Artifact type, select Resource group.
  - Leave the Artifact display name, Resource Group Name, and Location boxes blank. Make sure that the check box is checked for each parameter property to make them dynamic parameters.
  - Select Add to add this artifact to the blueprint.
- Add a template under the resource group:
  - Under ResourceGroup, select + Add artifact.
  - For Artifact type, select Azure Resource Manager template. Set Artifact display name to StorageAccount, and leave Description blank.
  - On the Template tab in the editor box, paste the following ARM template. After you paste the template, select the Parameters tab, and note that the template parameters storageAccountType and location were detected. Each parameter was automatically detected and populated, but configured as a dynamic parameter.

        {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "storageAccountType": {
              "type": "string",
              "defaultValue": "Standard_LRS",
              "allowedValues": [
                "Standard_LRS",
                "Standard_GRS",
                "Standard_ZRS",
                "Premium_LRS"
              ],
              "metadata": {
                "description": "Storage Account type"
              }
            },
            "location": {
              "type": "string",
              "defaultValue": "[resourceGroup().location]",
              "metadata": {
                "description": "Location for all resources."
              }
            }
          },
          "variables": {
            "storageAccountName": "[concat('store', uniquestring(resourceGroup().id))]"
          },
          "resources": [{
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[variables('storageAccountName')]",
            "location": "[parameters('location')]",
            "apiVersion": "2018-07-01",
            "sku": {
              "name": "[parameters('storageAccountType')]"
            },
            "kind": "StorageV2",
            "properties": {}
          }],
          "outputs": {
            "storageAccountName": {
              "type": "string",
              "value": "[variables('storageAccountName')]"
            }
          }
        }

  - Clear the storageAccountType check box, and note that the dropdown list contains only values included in the ARM template under allowedValues. Select the box to set it back to a dynamic parameter.
  - Select Add to add this artifact to the blueprint.
- In the completed blueprint, notice in the Parameters column that each artifact has x out of y parameters populated. The dynamic parameters are set during each assignment of the blueprint.
- Now that you’ve added all planned artifacts, select Save Draft at the bottom of the page.
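Because a published blueprint deploys this storage template into every subscription it is assigned to, it is worth checking the template before saving it. The following is an added example, not part of the original tutorial: it lints the template above for a storage account that does not enforce HTTPS-only traffic and for string parameters that accept any value at assignment. The names lint_template and harden are hypothetical, and the cut-off date assumes the storage resource provider's documented behaviour that supportsHttpsTrafficOnly defaults to true only from API version 2019-04-01.

```python
import copy
import json

# Assumption: supportsHttpsTrafficOnly defaults to true from this API version on.
HTTPS_DEFAULT_SINCE = "2019-04-01"

# Security-relevant parts of the tutorial's template, re-typed as sample input.
TEMPLATE = json.loads("""
{
  "parameters": {
    "storageAccountType": {"type": "string", "defaultValue": "Standard_LRS",
      "allowedValues": ["Standard_LRS", "Standard_GRS", "Standard_ZRS", "Premium_LRS"]},
    "location": {"type": "string", "defaultValue": "[resourceGroup().location]"}
  },
  "resources": [{
    "type": "Microsoft.Storage/storageAccounts",
    "name": "[variables('storageAccountName')]",
    "apiVersion": "2018-07-01",
    "sku": {"name": "[parameters('storageAccountType')]"},
    "kind": "StorageV2",
    "properties": {}
  }]
}
""")

def lint_template(template):
    """Return (target, issue) findings for a parsed ARM template."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.storage/storageaccounts":
            continue
        https_only = (res.get("properties") or {}).get("supportsHttpsTrafficOnly")
        # API versions are ISO dates, so string comparison orders them correctly.
        default_on = res.get("apiVersion", "")[:10] >= HTTPS_DEFAULT_SINCE
        if https_only is False or (https_only is None and not default_on):
            findings.append((res.get("name"), "HTTPS-only traffic is not enforced"))
    for name, param in template.get("parameters", {}).items():
        if param.get("type", "").lower() == "string" and "allowedValues" not in param:
            findings.append((name, "no allowedValues: any string is accepted at assignment"))
    return findings

def harden(template):
    """Return a copy with HTTPS-only set explicitly on every storage account."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("resources", []):
        if res.get("type", "").lower() == "microsoft.storage/storageaccounts":
            res.setdefault("properties", {})["supportsHttpsTrafficOnly"] = True
    return fixed
```

Setting the property explicitly keeps the result independent of the apiVersion default, so the finding stays cleared if the template is later edited.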
Edit a blueprint
In Create a blueprint, you didn’t provide a description or add the role assignment to the new resource group. You can fix both by following these steps:
- Select Blueprint definitions from the page on the left.
- In the list of blueprints, select and hold (or right-click) the one that you previously created. Then select Edit blueprint.
- In Blueprint description, provide some information about the blueprint and the artifacts that compose it. In this case, enter something like: This blueprint sets tag policy and role assignment on the subscription, creates a ResourceGroup, and deploys a resource template and role assignment to that ResourceGroup.
- Select Next : Artifacts at the bottom of the page, or the Artifacts tab at the top of the page.
- Add a role assignment under the resource group:
  - Under ResourceGroup, select + Add artifact.
  - For Artifact type, select Role assignment.
  - Under Role, select Owner, and clear the check box under the Add user, app or group box.
  - Search for and select a user, app, or group to add. This artifact uses a static parameter set, the same in every assignment of this blueprint.
  - Select Add to add this artifact to the blueprint.
- In the completed blueprint, notice that the newly added role assignment shows 1 out of 1 parameters populated. That means it’s a static parameter.
- Select Save Draft now that it has been updated.
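The blueprint now carries two role assignments: Contributor at the subscription with a dynamic principal, and Owner on the resource group with a static one. The following added example, which is not part of the original tutorial, summarises those grants for a least-privilege review before publishing. It assumes the artifacts are available as JSON in the blueprint artifact layout (kind, properties.roleDefinitionId, properties.principalIds, properties.resourceGroup); the function name, the parameter name contributors and the principal object ID are constructed placeholders.

```python
import re

# Built-in role definition GUIDs that grant write access to everything in scope.
BROAD_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
}
ROLE_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
# A principal given as a parameter reference is chosen at assignment (dynamic).
PARAM_REF = re.compile(r"^\[parameters\('[^']+'\)\]$")

# Constructed sample modelling the tutorial's four artifacts; the principal
# object ID and the parameter name are placeholders.
ARTIFACTS = [
    {"kind": "roleAssignment", "properties": {
        "roleDefinitionId": ROLE_PREFIX + "b24988ac-6180-42a0-ab88-20f7382dd24c",
        "principalIds": ["[parameters('contributors')]"]}},
    {"kind": "policyAssignment", "properties": {
        "displayName": "Append tag and its value to resource groups"}},
    {"kind": "template", "properties": {
        "displayName": "StorageAccount", "resourceGroup": "ResourceGroup"}},
    {"kind": "roleAssignment", "properties": {
        "roleDefinitionId": ROLE_PREFIX + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "principalIds": ["00000000-0000-0000-0000-000000000001"],
        "resourceGroup": "ResourceGroup"}},
]

def audit_role_artifacts(artifacts):
    """Summarise each role assignment: role, scope, binding and review flags."""
    rows = []
    for art in artifacts:
        if art.get("kind") != "roleAssignment":
            continue
        props = art.get("properties", {})
        guid = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        ids = props.get("principalIds", [])
        ids = [ids] if isinstance(ids, str) else ids
        static = [p for p in ids if not PARAM_REF.match(p)]
        flags = []
        if guid in BROAD_ROLES:
            flags.append("broad role")
        if BROAD_ROLES.get(guid) == "Owner":
            flags.append("can grant access to others")
        if static:
            flags.append("same principal in every assignment")
        rows.append({"role": BROAD_ROLES.get(guid, guid), "flags": flags,
                     "scope": props.get("resourceGroup", "subscription"),
                     "binding": "static" if static else "dynamic"})
    return rows
```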
Publish a blueprint
Now that you’ve added all the planned artifacts to the blueprint, it’s time to publish it. Publishing makes the blueprint available to be assigned to a subscription.
- Select Blueprint definitions from the page on the left.
- In the list of blueprints, select and hold (or right-click) the one you previously created. Then select Publish blueprint.
- In the pane that opens, provide a Version (letters, numbers, and hyphens with a maximum length of 20 characters), such as v1. Optionally, enter text in Change notes, such as First publish.
- Select Publish at the bottom of the page.
Assign a blueprint
After you publish a blueprint, you can assign it to a subscription. Assign the blueprint that you created to one of the subscriptions under your management group hierarchy. If the blueprint is saved to a subscription, it can only be assigned to that subscription.
- Select Blueprint definitions from the page on the left.
- In the list of blueprints, select and hold (or right-click) the one that you previously created (or select the ellipsis). Then select Assign blueprint.
- On the Assign blueprint page, in the Subscription dropdown list, select the subscriptions to which you want to deploy this blueprint. Follow these steps:
  - Select the Create new link to create a new subscription instead of selecting existing ones.
  - For Display name, enter a name for the new subscription.
  - For Offer, select the available offer from the dropdown list.
  - For Management group, select the ellipsis to choose the management group that the subscription will be a child of.
  - Select Create at the bottom of the page.
- For Assignment name, provide a unique name for this assignment.
- In Location, select a region for the managed identity and subscription deployment object to be created in. Azure Blueprints uses this managed identity to deploy all artifacts in the assigned blueprint.
- For the Blueprint definition version dropdown list selection of Published versions, leave the v1 entry as it is. (The default is the most recently published version.)
- For Lock Assignment, leave the default of Don’t Lock.
- Under Managed Identity, leave the default of System assigned.
- For the subscription-level role assignment [User group or application name] : Contributor, search for and select a user, app, or group.
- For the subscription-level policy assignment, set Tag Name to CostCenter, and set Tag Value to ContosoIT.
- For ResourceGroup, provide a name of StorageAccount and a location of East US 2 from the dropdown list.
- On the ARM template StorageAccount, select Standard_GRS for the storageAccountType parameter.
- Read the information box at the bottom of the page, and then select Assign.
Track deployment of a blueprint
When you assign a blueprint to one or more subscriptions, two things happen:
- The blueprint is added to the Assigned blueprints page for each subscription.
- The process of deploying all the artifacts defined by the blueprint begins.
Now that you’ve assigned the blueprint to a subscription, verify the progress of the deployment:
- Select Assigned blueprints from the page on the left.
- In the list of blueprints, select and hold (or right-click) the one that you previously assigned. Then select View assignment details.
- On the Blueprint assignment page, validate that all artifacts were successfully deployed, and that there were no errors during the deployment.
Unassign a blueprint
If you no longer need a blueprint assignment, remove it from a subscription. The blueprint might have been replaced by a newer blueprint with updated patterns, policies, and designs. When a blueprint is removed, the artifacts assigned as part of that blueprint are left behind. To remove a blueprint assignment, follow these steps:
- Select Assigned blueprints from the page on the left.
- In the list of blueprints, select the blueprint that you want to unassign. Then select Unassign blueprint at the top of the page.
- Read the confirmation message, and then select OK.
Delete a blueprint
- Select Blueprint definitions from the page on the left.
- Right-click the blueprint that you want to delete, and select Delete blueprint. Then select Yes in the confirmation dialog box.