Šī pārlūkprogramma vairs netiek atbalstīta.
Jauniniet uz Microsoft Edge, lai izmantotu jaunāko līdzekļu, drošības atjauninājumu un tehniskā atbalsta sniegtās priekšrocības.
Svarīgi
On July 11, 2026, Blueprints (Preview) will be deprecated. Migrate your existing blueprint definitions and assignments to Template Specs and Deployment Stacks. Blueprint artifacts are to be converted to ARM JSON templates or Bicep files used to define deployment stacks. To learn how to author an artifact as an ARM resource, see:
A blueprint assignment can be managed using the Az.Blueprint Azure PowerShell module. The module supports fetching, creating, updating, and removing assignments. The module can also fetch details on existing blueprint definitions. This article covers how to install the module and start using it.
To enable Azure PowerShell to manage blueprint assignments, the module must be added. This module can be used with locally installed PowerShell, with Azure Cloud Shell, or with the Azure PowerShell Docker image.
The Azure Blueprints module requires the following software:
The Azure Blueprints module for PowerShell is Az.Blueprint.
From an administrative PowerShell prompt, run the following command:
# Install the Azure Blueprints module from PowerShell Gallery
Install-Module -Name Az.Blueprint
Piezīme
If Az.Accounts is already installed, it may be necessary to use -AllowClobber to force
the installation.
Validate that the module has been imported and is the correct version (0.2.6):
# Get a list of commands for the imported Az.Blueprint module
Get-Command -Module 'Az.Blueprint' -CommandType 'Cmdlet'
The first step to working with an assignment is often getting a reference to a blueprint definition.
The Get-AzBlueprint cmdlet gets one or more blueprint definitions. The cmdlet can get blueprint
definitions from a management group with -ManagementGroupId {mgId} or a subscription with
-SubscriptionId {subId}. The Name parameter gets a blueprint definition, but must be used with
ManagementGroupId or SubscriptionId. Version can be used with Name to be more
explicit about which blueprint definition is returned. Instead of Version, the switch
-LatestPublished grabs the most recently published version.
The following example uses Get-AzBlueprint to get all versions of a blueprint definition named
'101-blueprints-definition-subscription' from a specific subscription represented as {subId}:
# Login first with Connect-AzAccount if not using Cloud Shell
# Get all versions of the blueprint definition in the specified subscription
$blueprints = Get-AzBlueprint -SubscriptionId '{subId}' -Name '101-blueprints-definition-subscription'
# Display the blueprint definition object
$blueprints
The example output for a blueprint definition with multiple versions looks like this:
Name : 101-blueprints-definition-subscription
Id : /subscriptions/{subId}/providers/Microsoft.Blueprint/blueprints/101
-blueprints-definition-subscription
DefinitionLocationId : {subId}
Versions : {1.0, 1.1}
TimeCreated : 2019-02-25
TargetScope : Subscription
Parameters : {storageAccount_storageAccountType, storageAccount_location,
allowedlocations_listOfAllowedLocations, [Usergrouporapplicationname]:Reader_RoleAssignmentName}
ResourceGroups : ResourceGroup
The blueprint parameters on the blueprint definition can be expanded to provide more information.
$blueprints.Parameters
Key Value
--- -----
storageAccount_storageAccountType Microsoft.Azure.Commands.Blueprint.Models.PSParameterDefinition
storageAccount_location Microsoft.Azure.Commands.Blueprint.Models.PSParameterDefinition
allowedlocations_listOfAllowedLocations Microsoft.Azure.Commands.Blueprint.Models.PSParameterDefinition
[Usergrouporapplicationname]:Reader_RoleAssignmentName Microsoft.Azure.Commands.Blueprint.Models.PSParameterDefinition
If the blueprint assignment already exists, you can get a reference to it with the
Get-AzBlueprintAssignment cmdlet. The cmdlet takes SubscriptionId and Name as optional
parameters. If SubscriptionId isn't specified, the current subscription context is used.
The following example uses Get-AzBlueprintAssignment to get a single blueprint assignment named
'Assignment-lock-resource-groups' from a specific subscription represented as {subId}:
# Login first with Connect-AzAccount if not using Cloud Shell
# Get the blueprint assignment in the specified subscription
$blueprintAssignment = Get-AzBlueprintAssignment -SubscriptionId '{subId}' -Name 'Assignment-lock-resource-groups'
# Display the blueprint assignment object
$blueprintAssignment
The example output for a blueprint assignment looks like this:
Name : Assignment-lock-resource-groups
Id : /subscriptions/{subId}/providers/Microsoft.Blueprint/blueprintAssignme
nts/Assignment-lock-resource-groups
Scope : /subscriptions/{subId}
LastModified : 2019-02-19
LockMode : AllResourcesReadOnly
ProvisioningState : Succeeded
Parameters :
ResourceGroups : ResourceGroup
If the blueprint assignment doesn't exist yet, you can create it with the
New-AzBlueprintAssignment cmdlet. This cmdlet uses the following parameters:
Name [required]
Blueprint [required]
Get-AzBlueprint to get the reference objectLocation [required]
Subscription (optional)
Lock (optional)
SystemAssignedIdentity (optional)
UserAssignedIdentity (optional)
Parameter (optional)
A hash table of key/value pairs for setting dynamic parameters on the blueprint assignment
Default for a dynamic parameter is the defaultValue in the definition
If a parameter isn't provided and has no defaultValue, the parameter isn't optional
Piezīme
Parameter doesn't support secureStrings.
ResourceGroupParameter (optional)
AssignmentFile (optional)
The following example creates a new assignment of version '1.1' of the 'my-blueprint' blueprint
definition fetched with Get-AzBlueprint, sets the managed identity and assignment object location
to 'westus2', locks the resources with AllResourcesReadOnly, and sets the hash tables for both
Parameter and ResourceGroupParameter on specific subscription represented as {subId}:
# Login first with Connect-AzAccount if not using Cloud Shell
# Get version '1.1' of the blueprint definition in the specified subscription
$bpDefinition = Get-AzBlueprint -SubscriptionId '{subId}' -Name 'my-blueprint' -Version '1.1'
# Create the hash table for Parameters
$bpParameters = @{storageAccount_storageAccountType='Standard_GRS'}
# Create the hash table for ResourceGroupParameters
# ResourceGroup is the resource group artifact placeholder name
$bpRGParameters = @{ResourceGroup=@{name='storage_rg';location='westus2'}}
# Create the new blueprint assignment
$bpAssignment = New-AzBlueprintAssignment -Name 'my-blueprint-assignment' -Blueprint $bpDefinition `
-SubscriptionId '{subId}' -Location 'westus2' -Lock AllResourcesReadOnly `
-Parameter $bpParameters -ResourceGroupParameter $bpRGParameters
The example output for creating a blueprint assignment looks like this:
Name : my-blueprint-assignment
Id : /subscriptions/{subId}/providers/Microsoft.Blueprint/blueprintAssi
gnments/my-blueprint-assignment
Scope : /subscriptions/{subId}
LastModified : 2019-03-13
LockMode : AllResourcesReadOnly
ProvisioningState : Creating
Parameters : {storageAccount_storageAccountType}
ResourceGroups : ResourceGroup
The following example creates nearly the same assignment as Example 1. Instead of passing parameters to the cmdlet, the example shows use of a JSON assignment definition file and the AssignmentFile parameter. Additionally, the excludedPrincipals property is configured as part of locks. There isn't a PowerShell parameter for excludedPrincipals and the property can only be configured by setting it through the JSON assignment definition file.
{
"identity": {
"type": "SystemAssigned"
},
"location": "westus2",
"properties": {
"description": "Assignment of the 101-blueprint-definition-subscription",
"blueprintId": "/subscriptions/{subId}/providers/Microsoft.Blueprint/blueprints/101-blueprints-definition-subscription",
"locks": {
"mode": "AllResourcesReadOnly",
"excludedPrincipals": [
"7be2f100-3af5-4c15-bcb7-27ee43784a1f",
"38833b56-194d-420b-90ce-cff578296714"
]
},
"parameters": {
"storageAccount_storageAccountType": {
"value": "Standard_GRS"
}
},
"resourceGroups": {
"ResourceGroup": {
"name": "storage_rg",
"location": "westus2"
}
}
}
}
# Login first with Connect-AzAccount if not using Cloud Shell
# Create the new blueprint assignment
$bpAssignment = New-AzBlueprintAssignment -Name 'my-blueprint-assignment' -SubscriptionId '{subId}' `
-AssignmentFile '.\assignment.json'
For an example of the JSON assignment definition file for a user-assigned managed identity, see the request body in Example: Assignment with user-assigned managed identity for REST API.
Sometimes it's necessary to update a blueprint assignment that has already been created. The
Set-AzBlueprintAssignment cmdlet handles this action. The cmdlet takes most of the same parameters
that the New-AzBlueprintAssignment cmdlet does, allowing anything that was set on the assignment
to be updated. The exceptions are the Name, Blueprint, and SubscriptionId. Only the values
provided are updated.
To understand what happens when updating a blueprint assignment, see rules for updating assignments.
Name [required]
Blueprint [required]
Get-AzBlueprint to get the reference objectLocation (optional)
Subscription (optional)
Lock (optional)
SystemAssignedIdentity (optional)
UserAssignedIdentity (optional)
Parameter (optional)
A hash table of key/value pairs for setting dynamic parameters on the blueprint assignment
Default for a dynamic parameter is the defaultValue in the definition
If a parameter isn't provided and has no defaultValue, the parameter isn't optional
Piezīme
Parameter doesn't support secureStrings.
ResourceGroupParameter (optional)
The following example updates the assignment of version '1.1' of the 'my-blueprint' blueprint
definition fetched with Get-AzBlueprint by changing the lock mode:
# Login first with Connect-AzAccount if not using Cloud Shell
# Get version '1.1' of the blueprint definition in the specified subscription
$bpDefinition = Get-AzBlueprint -SubscriptionId '{subId}' -Name 'my-blueprint' -Version '1.1'
# Update the existing blueprint assignment
$bpAssignment = Set-AzBlueprintAssignment -Name 'my-blueprint-assignment' -Blueprint $bpDefinition `
-SubscriptionId '{subId}' -Lock AllResourcesDoNotDelete
The example output for creating a blueprint assignment looks like this:
Name : my-blueprint-assignment
Id : /subscriptions/{subId}/providers/Microsoft.Blueprint/blueprintAssi
gnments/my-blueprint-assignment
Scope : /subscriptions/{subId}
LastModified : 2019-03-13
LockMode : AllResourcesDoNotDelete
ProvisioningState : Updating
Parameters : {storageAccount_storageAccountType}
ResourceGroups : ResourceGroup
When it's time for a blueprint assignment to be removed, the Remove-AzBlueprintAssignment cmdlet
handles this action. The cmdlet takes either Name or InputObject to specify which blueprint
assignment to remove. SubscriptionId is required and must be provided in all cases.
The following example fetches an existing blueprint assignment with Get-AzBlueprintAssignment and
then removes it from the specific subscription represented as {subId}:
# Login first with Connect-AzAccount if not using Cloud Shell
# Get the blueprint assignment in the specified subscription
$blueprintAssignment = Get-AzBlueprintAssignment -Name 'Assignment-lock-resource-groups'
# Remove the existing blueprint assignment
Remove-AzBlueprintAssignment -InputObject $blueprintAssignment -SubscriptionId '{subId}'
Bringing all the steps together, the following example gets the blueprint definition, then creates,
updates, and removes a blueprint assignment in the specific subscription represented as {subId}:
# Login first with Connect-AzAccount if not using Cloud Shell
#region GetBlueprint
# Get version '1.1' of the blueprint definition in the specified subscription
$bpDefinition = Get-AzBlueprint -SubscriptionId '{subId}' -Name 'my-blueprint' -Version '1.1'
#endregion
#region CreateAssignment
# Create the hash table for Parameters
$bpParameters = @{storageAccount_storageAccountType='Standard_GRS'}
# Create the hash table for ResourceGroupParameters
# ResourceGroup is the resource group artifact placeholder name
$bpRGParameters = @{ResourceGroup=@{name='storage_rg';location='westus2'}}
# Create the new blueprint assignment
$bpAssignment = New-AzBlueprintAssignment -Name 'my-blueprint-assignment' -Blueprint $bpDefinition `
-SubscriptionId '{subId}' -Location 'westus2' -Lock AllResourcesReadOnly `
-Parameter $bpParameters -ResourceGroupParameter $bpRGParameters
#endregion CreateAssignment
# Wait for the blueprint assignment to finish deployment prior to the next steps
#region UpdateAssignment
# Update the existing blueprint assignment
$bpAssignment = Set-AzBlueprintAssignment -Name 'my-blueprint-assignment' -Blueprint $bpDefinition `
-SubscriptionId '{subId}' -Lock AllResourcesDoNotDelete
#endregion UpdateAssignment
# Wait for the blueprint assignment to finish deployment prior to the next steps
#region RemoveAssignment
# Remove the existing blueprint assignment
Remove-AzBlueprintAssignment -InputObject $bpAssignment -SubscriptionId '{subId}'
#endregion
Apmācība
Modulis
Introduction to Azure Blueprints - Training
Introduction to Azure Blueprints and how to use to implement governance.
Sertifikācija
Microsoft Certified: Azure Administrator Associate - Certifications
Demonstrate key skills to configure, manage, secure, and administer key professional functions in Microsoft Azure.
Dokumentācija
Update an existing assignment from the portal - Azure Blueprints
Learn about the mechanism for updating an existing blueprint assignment from the portal in Azure Blueprints.
Microsoft.Authorization/policyAssignments - Bicep, ARM template & Terraform AzAPI reference
Azure Microsoft.Authorization/policyAssignments syntax and properties to use in Azure Resource Manager templates for deploying the resource. API version latest