Overview of the Microsoft Cloud Adoption Framework for Azure Foundation blueprint sample
Important
On July 11, 2026, Blueprints (Preview) will be deprecated. Migrate your existing blueprint definitions and assignments to Template Specs and Deployment Stacks. Blueprint artifacts are to be converted to ARM JSON templates or Bicep files used to define deployment stacks. To learn how to author an artifact as an ARM resource, see:
The CAF Foundation blueprint (provided by the Microsoft Cloud Adoption Framework for Azure) deploys a set of core infrastructure resources and policy controls required for your first production-grade Azure application. This foundation blueprint is based on the recommended pattern found in the Cloud Adoption Framework.
Architecture
The CAF Foundation blueprint sample deploys recommended infrastructure resources in Azure that can be used by organizations to put in place the foundation controls necessary to manage their cloud estate. This sample will deploy and enforce resources, policies, and templates that will allow an organization to confidently get started with Azure.
Architecture diagram: the Azure architecture achieved by deploying the CAF Foundation blueprint. It applies to a subscription with resource groups that contain a storage account for storing logs and Log Analytics configured to store its data in that storage account. The diagram also shows Azure Key Vault configured with the Microsoft Defender for Cloud standard setup. All of this core infrastructure is accessed using Azure Active Directory and enforced using Azure Policy.
This implementation incorporates several Azure services used to provide a secure, fully monitored, enterprise-ready foundation. This environment is composed of:
- An Azure Key Vault instance used to host secrets for the VMs deployed in the shared services environment
- Log Analytics, deployed to ensure all actions and services log to a central location, in storage accounts for diagnostic logging, from the moment you start your secure deployment
- Microsoft Defender for Cloud (standard version), which provides threat protection for your migrated workloads
- The blueprint also defines and deploys Azure Policy definitions:
  - Policy definitions:
    - Tagging (CostCenter) applied to resource groups
    - Append resources in resource group with the CostCenter Tag
    - Allowed Azure Region for Resources and Resource Groups
    - Allowed Storage Account SKUs (choose while deploying)
    - Allowed Azure VM SKUs (choose while deploying)
    - Require Network Watcher to be deployed
    - Require Azure Storage Account Secure transfer Encryption
    - Deny resource types (choose while deploying)
  - Policy initiatives:
    - Enable Monitoring in Microsoft Defender for Cloud (100+ policy definitions)
All these elements abide by the proven practices published in the Azure Architecture Center - Reference Architectures.
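To see how several of the policy controls listed above would treat a workload template before it is deployed, the following added example (not part of the blueprint or of Microsoft's code) runs an offline pre-check over ARM template resources. The allowed regions, allowed SKUs, control names and sample resources are constructed assumptions, and the logic is a simplified local model of the controls, not the Azure Policy engine.

```python
import copy

# Constructed assignment parameters (assumptions; the blueprint asks for these at deploy time).
ALLOWED_LOCATIONS = {"westeurope", "northeurope"}
ALLOWED_STORAGE_SKUS = {"Standard_LRS", "Standard_GRS"}
STORAGE_TYPE = "microsoft.storage/storageaccounts"

def append_cost_center(resource, rg_tags):
    """Model the 'append' control: copy the group's CostCenter tag if the resource lacks one."""
    patched = copy.deepcopy(resource)
    tags = patched.setdefault("tags", {})
    if "CostCenter" not in tags and "CostCenter" in rg_tags:
        tags["CostCenter"] = rg_tags["CostCenter"]
    return patched

def violations(resource):
    """Return the (hypothetical) names of the deny-style controls this resource would fail."""
    found = []
    if resource.get("location", "").lower() not in ALLOWED_LOCATIONS:
        found.append("allowed-region")
    if resource.get("type", "").lower() == STORAGE_TYPE:
        if resource.get("sku", {}).get("name") not in ALLOWED_STORAGE_SKUS:
            found.append("allowed-storage-sku")
        # A missing value is flagged too, so the template states the setting explicitly.
        if resource.get("properties", {}).get("supportsHttpsTrafficOnly") is not True:
            found.append("secure-transfer")
    return found

def check_template(template, rg_tags):
    """Map each resource name to (violations, tags after the append control)."""
    report = {}
    for res in template.get("resources", []):
        patched = append_cost_center(res, rg_tags)
        report[res["name"]] = (violations(patched), patched["tags"])
    return report

# Constructed sample template fragment, not taken from the blueprint.
SAMPLE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "diaglogs01", "location": "westeurope",
     "sku": {"name": "Standard_LRS"}, "properties": {"supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "legacy01", "location": "eastus",
     "sku": {"name": "Premium_LRS"}, "properties": {"supportsHttpsTrafficOnly": False},
     "tags": {"CostCenter": "1234"}},
]}

if __name__ == "__main__":
    for name, (found, tags) in check_template(SAMPLE, {"CostCenter": "9999"}).items():
        print(name, found or "compliant", tags)
```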
Note
The CAF Foundation lays out a foundational architecture for workloads. You still need to deploy workloads behind this foundational architecture.
For more information, see the Microsoft Cloud Adoption Framework for Azure - Ready.
Next steps
You've reviewed the overview and architecture of the CAF Foundation blueprint sample.
Additional articles about blueprints and how to use them:
- Learn about the blueprint lifecycle.
- Understand how to use static and dynamic parameters.
- Learn to customize the blueprint sequencing order.
- Find out how to make use of blueprint resource locking.
- Learn how to update existing assignments.