The azure-native:blueprint:Assignment resource, part of the Pulumi Azure Native provider, assigns a published blueprint definition to a subscription or management group, deploying its resources and policies. This guide focuses on three capabilities: blueprint assignment to subscriptions, managed identity configuration, and parameter and resource group mapping.
Blueprint assignments reference published blueprint definitions and target subscriptions. User-assigned identity examples also require pre-existing managed identities with appropriate deployment permissions. The examples are intentionally small. Combine them with your own blueprint definitions and identity management.
Assign a blueprint to a subscription with system-assigned identity
Organizations enforce governance standards by assigning blueprints to subscriptions, deploying standardized infrastructure and policies.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const assignment = new azure_native.blueprint.Assignment("assignment", {
    assignmentName: "assignSimpleBlueprint",
    blueprintId: "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint",
    description: "enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.",
    identity: {
        type: azure_native.blueprint.ManagedServiceIdentityType.SystemAssigned,
    },
    location: "eastus",
    parameters: {
        costCenter: {
            value: "Contoso/Online/Shopping/Production",
        },
        owners: {
            value: [
                "johnDoe@contoso.com",
                "johnsteam@contoso.com",
            ],
        },
        storageAccountType: {
            value: "Standard_LRS",
        },
    },
    resourceGroups: {
        storageRG: {
            location: "eastus",
            name: "defaultRG",
        },
    },
    resourceScope: "managementGroups/ContosoOnlineGroup",
    scope: "subscriptions/00000000-0000-0000-0000-000000000000",
});
```
```python
import pulumi
import pulumi_azure_native as azure_native

assignment = azure_native.blueprint.Assignment("assignment",
    assignment_name="assignSimpleBlueprint",
    blueprint_id="/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint",
    description="enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.",
    identity={
        "type": azure_native.blueprint.ManagedServiceIdentityType.SYSTEM_ASSIGNED,
    },
    location="eastus",
    parameters={
        "costCenter": {
            "value": "Contoso/Online/Shopping/Production",
        },
        "owners": {
            "value": [
                "johnDoe@contoso.com",
                "johnsteam@contoso.com",
            ],
        },
        "storageAccountType": {
            "value": "Standard_LRS",
        },
    },
    resource_groups={
        "storageRG": {
            "location": "eastus",
            "name": "defaultRG",
        },
    },
    resource_scope="managementGroups/ContosoOnlineGroup",
    scope="subscriptions/00000000-0000-0000-0000-000000000000")
```
```go
package main

import (
	blueprint "github.com/pulumi/pulumi-azure-native-sdk/blueprint/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := blueprint.NewAssignment(ctx, "assignment", &blueprint.AssignmentArgs{
			AssignmentName: pulumi.String("assignSimpleBlueprint"),
			BlueprintId:    pulumi.String("/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint"),
			Description:    pulumi.String("enforce pre-defined simpleBlueprint to this XXXXXXXX subscription."),
			Identity: &blueprint.ManagedServiceIdentityArgs{
				Type: pulumi.String(blueprint.ManagedServiceIdentityTypeSystemAssigned),
			},
			Location: pulumi.String("eastus"),
			Parameters: blueprint.ParameterValueMap{
				"costCenter": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("Contoso/Online/Shopping/Production"),
				},
				"owners": &blueprint.ParameterValueArgs{
					// pulumi.Any is a function, so the list is passed as a slice.
					Value: pulumi.Any([]string{
						"johnDoe@contoso.com",
						"johnsteam@contoso.com",
					}),
				},
				"storageAccountType": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("Standard_LRS"),
				},
			},
			ResourceGroups: blueprint.ResourceGroupValueMap{
				"storageRG": &blueprint.ResourceGroupValueArgs{
					Location: pulumi.String("eastus"),
					Name:     pulumi.String("defaultRG"),
				},
			},
			ResourceScope: pulumi.String("managementGroups/ContosoOnlineGroup"),
			Scope:         pulumi.String("subscriptions/00000000-0000-0000-0000-000000000000"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    var assignment = new AzureNative.Blueprint.Assignment("assignment", new()
    {
        AssignmentName = "assignSimpleBlueprint",
        BlueprintId = "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint",
        Description = "enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.",
        Identity = new AzureNative.Blueprint.Inputs.ManagedServiceIdentityArgs
        {
            Type = AzureNative.Blueprint.ManagedServiceIdentityType.SystemAssigned,
        },
        Location = "eastus",
        Parameters =
        {
            { "costCenter", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = "Contoso/Online/Shopping/Production",
            } },
            { "owners", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = new[]
                {
                    "johnDoe@contoso.com",
                    "johnsteam@contoso.com",
                },
            } },
            { "storageAccountType", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = "Standard_LRS",
            } },
        },
        ResourceGroups =
        {
            { "storageRG", new AzureNative.Blueprint.Inputs.ResourceGroupValueArgs
            {
                Location = "eastus",
                Name = "defaultRG",
            } },
        },
        ResourceScope = "managementGroups/ContosoOnlineGroup",
        Scope = "subscriptions/00000000-0000-0000-0000-000000000000",
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.blueprint.Assignment;
import com.pulumi.azurenative.blueprint.AssignmentArgs;
import com.pulumi.azurenative.blueprint.inputs.ManagedServiceIdentityArgs;
import com.pulumi.azurenative.blueprint.inputs.ParameterValueArgs;
import com.pulumi.azurenative.blueprint.inputs.ResourceGroupValueArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var assignment = new Assignment("assignment", AssignmentArgs.builder()
            .assignmentName("assignSimpleBlueprint")
            .blueprintId("/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint")
            .description("enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.")
            .identity(ManagedServiceIdentityArgs.builder()
                .type("SystemAssigned")
                .build())
            .location("eastus")
            .parameters(Map.ofEntries(
                Map.entry("costCenter", ParameterValueArgs.builder()
                    .value("Contoso/Online/Shopping/Production")
                    .build()),
                Map.entry("owners", ParameterValueArgs.builder()
                    // value takes a single object, so the owners are passed as one list
                    .value(List.of(
                        "johnDoe@contoso.com",
                        "johnsteam@contoso.com"))
                    .build()),
                Map.entry("storageAccountType", ParameterValueArgs.builder()
                    .value("Standard_LRS")
                    .build())
            ))
            .resourceGroups(Map.of("storageRG", ResourceGroupValueArgs.builder()
                .location("eastus")
                .name("defaultRG")
                .build()))
            .resourceScope("managementGroups/ContosoOnlineGroup")
            .scope("subscriptions/00000000-0000-0000-0000-000000000000")
            .build());
    }
}
```
```yaml
resources:
  assignment:
    type: azure-native:blueprint:Assignment
    properties:
      assignmentName: assignSimpleBlueprint
      blueprintId: /providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint
      description: enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.
      identity:
        type: SystemAssigned
      location: eastus
      parameters:
        costCenter:
          value: Contoso/Online/Shopping/Production
        owners:
          value:
            - johnDoe@contoso.com
            - johnsteam@contoso.com
        storageAccountType:
          value: Standard_LRS
      resourceGroups:
        storageRG:
          location: eastus
          name: defaultRG
      resourceScope: managementGroups/ContosoOnlineGroup
      scope: subscriptions/00000000-0000-0000-0000-000000000000
```
The blueprintId references a published blueprint definition by its full Azure resource path. The identity property configures a system-assigned managed identity that Azure creates automatically to deploy blueprint resources. The parameters map supplies values for blueprint parameters (like costCenter and storageAccountType), while resourceGroups maps blueprint resource group placeholders to actual names and locations. The resourceScope specifies where the assignment lives (management group or subscription), and scope targets the subscription receiving the deployed resources.
Use a user-assigned identity for blueprint deployment
Some organizations require specific managed identities with pre-configured permissions rather than creating system-assigned identities per assignment.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const assignment = new azure_native.blueprint.Assignment("assignment", {
    assignmentName: "assignSimpleBlueprint",
    blueprintId: "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint",
    description: "enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.",
    identity: {
        type: azure_native.blueprint.ManagedServiceIdentityType.UserAssigned,
        userAssignedIdentities: {
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/contoso-identity": {},
        },
    },
    location: "eastus",
    parameters: {
        costCenter: {
            value: "Contoso/Online/Shopping/Production",
        },
        owners: {
            value: [
                "johnDoe@contoso.com",
                "johnsteam@contoso.com",
            ],
        },
        storageAccountType: {
            value: "Standard_LRS",
        },
    },
    resourceGroups: {
        storageRG: {
            location: "eastus",
            name: "defaultRG",
        },
    },
    resourceScope: "managementGroups/ContosoOnlineGroup",
    scope: "subscriptions/00000000-0000-0000-0000-000000000000",
});
```
```python
import pulumi
import pulumi_azure_native as azure_native

assignment = azure_native.blueprint.Assignment("assignment",
    assignment_name="assignSimpleBlueprint",
    blueprint_id="/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint",
    description="enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.",
    identity={
        "type": azure_native.blueprint.ManagedServiceIdentityType.USER_ASSIGNED,
        "user_assigned_identities": {
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/contoso-identity": {},
        },
    },
    location="eastus",
    parameters={
        "costCenter": {
            "value": "Contoso/Online/Shopping/Production",
        },
        "owners": {
            "value": [
                "johnDoe@contoso.com",
                "johnsteam@contoso.com",
            ],
        },
        "storageAccountType": {
            "value": "Standard_LRS",
        },
    },
    resource_groups={
        "storageRG": {
            "location": "eastus",
            "name": "defaultRG",
        },
    },
    resource_scope="managementGroups/ContosoOnlineGroup",
    scope="subscriptions/00000000-0000-0000-0000-000000000000")
```
```go
package main

import (
	blueprint "github.com/pulumi/pulumi-azure-native-sdk/blueprint/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := blueprint.NewAssignment(ctx, "assignment", &blueprint.AssignmentArgs{
			AssignmentName: pulumi.String("assignSimpleBlueprint"),
			BlueprintId:    pulumi.String("/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint"),
			Description:    pulumi.String("enforce pre-defined simpleBlueprint to this XXXXXXXX subscription."),
			Identity: &blueprint.ManagedServiceIdentityArgs{
				Type: pulumi.String(blueprint.ManagedServiceIdentityTypeUserAssigned),
				UserAssignedIdentities: blueprint.UserAssignedIdentityMap{
					"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/contoso-identity": &blueprint.UserAssignedIdentityArgs{},
				},
			},
			Location: pulumi.String("eastus"),
			Parameters: blueprint.ParameterValueMap{
				"costCenter": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("Contoso/Online/Shopping/Production"),
				},
				"owners": &blueprint.ParameterValueArgs{
					// pulumi.Any is a function, so the list is passed as a slice.
					Value: pulumi.Any([]string{
						"johnDoe@contoso.com",
						"johnsteam@contoso.com",
					}),
				},
				"storageAccountType": &blueprint.ParameterValueArgs{
					Value: pulumi.Any("Standard_LRS"),
				},
			},
			ResourceGroups: blueprint.ResourceGroupValueMap{
				"storageRG": &blueprint.ResourceGroupValueArgs{
					Location: pulumi.String("eastus"),
					Name:     pulumi.String("defaultRG"),
				},
			},
			ResourceScope: pulumi.String("managementGroups/ContosoOnlineGroup"),
			Scope:         pulumi.String("subscriptions/00000000-0000-0000-0000-000000000000"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    var assignment = new AzureNative.Blueprint.Assignment("assignment", new()
    {
        AssignmentName = "assignSimpleBlueprint",
        BlueprintId = "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint",
        Description = "enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.",
        Identity = new AzureNative.Blueprint.Inputs.ManagedServiceIdentityArgs
        {
            Type = AzureNative.Blueprint.ManagedServiceIdentityType.UserAssigned,
            UserAssignedIdentities =
            {
                { "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/contoso-identity", null },
            },
        },
        Location = "eastus",
        Parameters =
        {
            { "costCenter", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = "Contoso/Online/Shopping/Production",
            } },
            { "owners", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = new[]
                {
                    "johnDoe@contoso.com",
                    "johnsteam@contoso.com",
                },
            } },
            { "storageAccountType", new AzureNative.Blueprint.Inputs.ParameterValueArgs
            {
                Value = "Standard_LRS",
            } },
        },
        ResourceGroups =
        {
            { "storageRG", new AzureNative.Blueprint.Inputs.ResourceGroupValueArgs
            {
                Location = "eastus",
                Name = "defaultRG",
            } },
        },
        ResourceScope = "managementGroups/ContosoOnlineGroup",
        Scope = "subscriptions/00000000-0000-0000-0000-000000000000",
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.blueprint.Assignment;
import com.pulumi.azurenative.blueprint.AssignmentArgs;
import com.pulumi.azurenative.blueprint.inputs.ManagedServiceIdentityArgs;
import com.pulumi.azurenative.blueprint.inputs.ParameterValueArgs;
import com.pulumi.azurenative.blueprint.inputs.ResourceGroupValueArgs;
import com.pulumi.azurenative.blueprint.inputs.UserAssignedIdentityArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var assignment = new Assignment("assignment", AssignmentArgs.builder()
            .assignmentName("assignSimpleBlueprint")
            .blueprintId("/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint")
            .description("enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.")
            .identity(ManagedServiceIdentityArgs.builder()
                .type("UserAssigned")
                .userAssignedIdentities(Map.of("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/contoso-identity", UserAssignedIdentityArgs.builder()
                    .build()))
                .build())
            .location("eastus")
            .parameters(Map.ofEntries(
                Map.entry("costCenter", ParameterValueArgs.builder()
                    .value("Contoso/Online/Shopping/Production")
                    .build()),
                Map.entry("owners", ParameterValueArgs.builder()
                    // value takes a single object, so the owners are passed as one list
                    .value(List.of(
                        "johnDoe@contoso.com",
                        "johnsteam@contoso.com"))
                    .build()),
                Map.entry("storageAccountType", ParameterValueArgs.builder()
                    .value("Standard_LRS")
                    .build())
            ))
            .resourceGroups(Map.of("storageRG", ResourceGroupValueArgs.builder()
                .location("eastus")
                .name("defaultRG")
                .build()))
            .resourceScope("managementGroups/ContosoOnlineGroup")
            .scope("subscriptions/00000000-0000-0000-0000-000000000000")
            .build());
    }
}
```
```yaml
resources:
  assignment:
    type: azure-native:blueprint:Assignment
    properties:
      assignmentName: assignSimpleBlueprint
      blueprintId: /providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint
      description: enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.
      identity:
        type: UserAssigned
        userAssignedIdentities:
          ? /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/contoso-identity
          : {}
      location: eastus
      parameters:
        costCenter:
          value: Contoso/Online/Shopping/Production
        owners:
          value:
            - johnDoe@contoso.com
            - johnsteam@contoso.com
        storageAccountType:
          value: Standard_LRS
      resourceGroups:
        storageRG:
          location: eastus
          name: defaultRG
      resourceScope: managementGroups/ContosoOnlineGroup
      scope: subscriptions/00000000-0000-0000-0000-000000000000
```
The identity.type switches to UserAssigned, and userAssignedIdentities references an existing managed identity by its full resource path. This approach centralizes permission management: you grant the identity deployment rights once, then reuse it across multiple blueprint assignments. The managed identity must have permissions to create the resources defined in the blueprint.
Beyond these examples
These snippets focus on specific assignment-level features: blueprint assignment to subscriptions, managed identity configuration (system-assigned and user-assigned), and parameter and resource group mapping. They’re intentionally minimal rather than full governance deployments.
The examples reference pre-existing infrastructure such as published blueprint definitions, target subscriptions, and user-assigned managed identities (for relevant examples). They focus on configuring the assignment rather than creating blueprints or managing identities.
To keep things focused, common assignment patterns are omitted, including:
- Resource locking (locks property)
- Display names and descriptions
- Assignment scope variations (management group vs subscription)
- Blueprint versioning and updates
These omissions are intentional: the goal is to illustrate how each assignment feature is wired, not provide drop-in governance modules. See the Blueprint Assignment resource reference for all available configuration options.
Frequently Asked Questions
Scope & Targeting
resourceScope defines where the assignment resource itself is created (management group or subscription), while scope specifies the target subscription for blueprint deployment. Management group assignments require both properties; subscription assignments only need resourceScope.
The scope property is required for management group level assignments to specify which subscription receives the blueprint deployment. Subscription-level assignments don’t need it.
Set resourceScope to the management group path (format: managementGroups/{managementGroup}) and set scope to the target subscription (format: subscriptions/{subscriptionId}).
Identity & Permissions
A system-assigned identity is created automatically by Azure (set identity.type to SystemAssigned). User-assigned identity requires you to create and manage the identity separately, then reference it in userAssignedIdentities (set identity.type to UserAssigned).
Configuration & Limitations
The location, assignmentName, and resourceScope properties are immutable. Changing any of these requires recreating the assignment.
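The scope, identity and immutability rules stated on this page can be checked before deployment with a small lint over an assignment's properties. This is an added example, not Pulumi's or the provider's code: `check_assignment`, `forces_replacement` and the regular expressions are assumptions made here, and the sample input is constructed.

```python
import re

# ID shapes follow the formats shown on this page; the GUID character set is an assumption.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
SUB_SCOPE = re.compile(rf"^subscriptions/{GUID}$")
MG_SCOPE = re.compile(r"^managementGroups/[^/]+$")
UAI_ID = re.compile(
    rf"^/subscriptions/{GUID}/resourceGroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.IGNORECASE)
IMMUTABLE = ("location", "assignmentName", "resourceScope")


def check_assignment(args):
    """Return findings for one Assignment property dict; an empty list means clean."""
    findings = []
    resource_scope, scope = args.get("resourceScope", ""), args.get("scope")
    if MG_SCOPE.match(resource_scope):
        # Management group assignments must name the subscription that receives the deployment.
        if not scope or not SUB_SCOPE.match(scope):
            findings.append("scope: expected subscriptions/{subscriptionId}")
    elif not SUB_SCOPE.match(resource_scope):
        findings.append("resourceScope: expected managementGroups/{managementGroup} "
                        "or subscriptions/{subscriptionId}")
    identity = args.get("identity") or {}
    id_type = identity.get("type")
    uai = identity.get("userAssignedIdentities") or {}
    if id_type == "UserAssigned":
        if not uai:
            findings.append("identity: UserAssigned needs userAssignedIdentities")
        for rid in uai:
            if not UAI_ID.match(rid):
                findings.append(f"identity: not a full resource path: {rid}")
    elif id_type == "SystemAssigned":
        if uai:
            findings.append("identity: userAssignedIdentities set with SystemAssigned")
    else:
        findings.append(f"identity: type {id_type!r} is not SystemAssigned or UserAssigned")
    return findings


def forces_replacement(old, new):
    """Immutable properties (per this page) whose value differs between two versions."""
    return [p for p in IMMUTABLE if old.get(p) != new.get(p)]


# Constructed sample: the page's user-assigned example with two mistakes seeded.
BROKEN = {
    "assignmentName": "assignSimpleBlueprint",
    "location": "eastus",
    "resourceScope": "managementGroups/ContosoOnlineGroup",  # scope left out on purpose
    "identity": {"type": "UserAssigned",
                 "userAssignedIdentities": {"contoso-identity": {}}},  # bare name, not a path
}

if __name__ == "__main__":
    for finding in check_assignment(BROKEN):
        print(finding)
    print(forces_replacement(BROKEN, {**BROKEN, "location": "westus"}))
```

Running the lint in CI against the rendered properties catches a missing target subscription or a mistyped identity path before the deployment is attempted.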