An Azure service that provides templates for quick, repeatable creation of fully governed cloud subscriptions.
For blueprint resource locks, the carve-outs go in the assignment's locks object via
excludedPrincipals (and, where supported, excludedActions). A read-only lock blocks write
actions for everyone except the excluded principals, so to let contributors add a VM/item to a
Recovery Services Vault you generally need to exclude those principals on the lock - excludedActions
alone often won't grant the management-plane calls. See the resource-locking concept docs for the
exact lock schema. Forward-looking: Deployment Stacks "deny settings" provide the same capability
via denySettingsExcludedPrincipals / denySettingsExcludedActions.
Heads-up: Azure Blueprints (Preview) is being retired on January 31, 2027, with a phased
retirement beginning July 31, 2026 (no new definitions/versions after Jul 31, 2026; no
definition edits or new assignments after Oct 31, 2026; no assignment edits after Dec 31, 2026).
Resources already deployed remain, but blueprint definitions, assignments, and locks (deny
assignments) are removed at retirement - export anything you want to keep first.
Recommended path: migrate to Azure Deployment Stacks (resource grouping, lifecycle management,
and deny-assignment locking) plus Template Specs for versioned storage.
• Retirement & timeline: https://aka.ms/AzureBlueprintsRetirement
• Migration guide: https://aka.ms/AzureBlueprintsMigration