Overview of the Microsoft Cloud Adoption Framework for Azure Foundation blueprint sample


On July 11, 2026, Blueprints (Preview) will be deprecated. Migrate your existing blueprint definitions and assignments to Template Specs and Deployment Stacks. Blueprint artifacts are to be converted to ARM JSON templates or Bicep files used to define deployment stacks. To learn how to author an artifact as an ARM resource, see:

The Microsoft Cloud Adoption Framework for Azure (CAF) Foundation blueprint deploys a set of core infrastructure resources and policy controls required for your first production grade Azure application. This foundation blueprint is based on the recommended pattern found in CAF.


The CAF Foundation blueprint sample deploys recommended infrastructure resources in Azure that can be used by organizations to put in place the foundation controls necessary to manage their cloud estate. This sample will deploy and enforce resources, policies, and templates that will allow an organization to confidently get started with Azure.

C A F Foundation, image describes what gets installed as part of C A F guidance for creating a foundation to get started with Azure.

Describes an Azure architecture which is achieved by deploying the C A F Foundation blueprint. It's applicable to a subscription with resource groups which consists of a storage account for storing logs, Log Analytics configured to store in the storage account. It also depicts Azure Key Vault configured with Microsoft Defender for Cloud standard setup. All these core infrastructures are accessed using Azure Active Directory and enforced using Azure Policy.

This implementation incorporates several Azure services used to provide a secure, fully monitored, enterprise-ready foundation. This environment is composed of:

  • An Azure Key Vault instance used to host secrets used for the VMs deployed in the shared services environment
  • Deploy Log Analytics is deployed to ensure all actions and services log to a central location from the moment you start your secure deployment in to Storage Accounts for diagnostic logging
  • Deploy Microsoft Defender for Cloud (standard version) provides threat protection for your migrated workloads
  • The blueprint also defines and deploys Azure Policy definitions:
    • Policy definitions:
      • Tagging (CostCenter) applied to resource groups
      • Append resources in resource group with the CostCenter Tag
      • Allowed Azure Region for Resources and Resource Groups
      • Allowed Storage Account SKUs (choose while deploying)
      • Allowed Azure VM SKUs (choose while deploying)
      • Require Network Watcher to be deployed
      • Require Azure Storage Account Secure transfer Encryption
      • Deny resource types (choose while deploying)
    • Policy initiatives:
      • Enable Monitoring in Microsoft Defender for Cloud (100+ policy definitions)

All these elements abide to the proven practices published in the Azure Architecture Center - Reference Architectures.


The CAF Foundation lays out a foundational architecture for workloads. You still need to deploy workloads behind this foundational architecture.

For more information, see the Microsoft Cloud Adoption Framework for Azure - Ready.

Next steps

You've reviewed the overview and architecture of the CAF Foundation blueprint sample.

Additional articles about blueprints and how to use them: