Azure Blueprints

Next to subscription-level templates, there is another offering available: Azure Blueprints. Blueprints can be used to describe the desired state of an Azure subscription and apply that to an existing subscription.

All of the things that can be done using a blueprint can nowadays also be done using an ARM template. However, the other way around is not true. Azure Blueprints only support the following constructs, which are called artifacts:

  • Policy assignments
  • Role (RBAC) assignments
  • Resource group creation
  • Nested ARM templates at the subscription or resource group level

These are all of the elements that are needed to build the default layout, or a blueprint, for Azure subscriptions.

There are a number of key differences between blueprints and ARM templates:

  • Blueprints are stored within Azure itself. A blueprint is a resource you can create and navigate to in the portal. The authoring experience is also in the portal, not in text files on a local computer.
  • The relation between a subscription and the blueprint that was used to create it remains, even after the deployment completes.
  • With the assignment of a blueprint to a subscription, it is possible to mark the assignment as locked. If this is done, the resources deployed through the blueprint cannot be deleted or edited as long as the blueprint is assigned, not even by owners of the subscription that it is applied to.
  • There are many built-in blueprints available that can be used to implement controls from well-known standards such as ISO, NIST, or HIPAA.
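The locking behaviour and the limited set of artifact types described above can be checked from exported JSON. The following is an added example, not code from the book: it audits blueprint assignments for their lock mode and for artifacts of an unsupported kind. It assumes the JSON shape returned by the Blueprints REST API (`properties.locks.mode`, `properties.locks.excludedPrincipals`, artifact `kind`); all names and IDs in the sample data are constructed.

```python
# Artifact kinds in the Blueprints resource model. Resource groups are not
# artifacts of their own kind; they are declared on the blueprint definition.
SUPPORTED_KINDS = {"policyAssignment", "roleAssignment", "template"}
# Lock modes an assignment can carry; "None" means the assignment is not locked.
LOCK_MODES = {"None", "AllResourcesReadOnly", "AllResourcesDoNotDelete"}


def audit_assignment(assignment, artifacts):
    """Return a list of findings for one assignment and its blueprint's artifacts."""
    findings = []
    name = assignment.get("name", "<unnamed>")
    locks = assignment.get("properties", {}).get("locks") or {}
    mode = locks.get("mode", "None")
    if mode not in LOCK_MODES:
        findings.append(f"{name}: unrecognised lock mode {mode!r}")
    elif mode == "None":
        findings.append(f"{name}: not locked, deployed resources can be edited or deleted")
    # Principals listed here are exempt from the lock and deserve a review.
    for principal in locks.get("excludedPrincipals", []):
        findings.append(f"{name}: principal {principal} is exempt from the lock")
    for artifact in artifacts:
        kind = artifact.get("kind")
        if kind not in SUPPORTED_KINDS:
            findings.append(f"{name}: artifact {artifact.get('name')!r} has unsupported kind {kind!r}")
    return findings


# Constructed sample data (hypothetical names and IDs).
SAMPLE_ARTIFACTS = [
    {"name": "require-tags", "kind": "policyAssignment"},
    {"name": "ops-contributor", "kind": "roleAssignment"},
    {"name": "network-baseline", "kind": "template"},
    {"name": "dns-zone", "kind": "dnsZone"},  # deliberately invalid
]
SAMPLE_ASSIGNMENTS = [
    {"name": "prod-landing-zone", "properties": {"locks": {
        "mode": "AllResourcesReadOnly",
        "excludedPrincipals": ["00000000-0000-0000-0000-000000000001"]}}},
    {"name": "dev-sandbox", "properties": {"locks": {"mode": "None"}}},
]


def audit_all():
    """Audit every constructed sample assignment against the sample artifacts."""
    return {a["name"]: audit_assignment(a, SAMPLE_ARTIFACTS) for a in SAMPLE_ASSIGNMENTS}


if __name__ == "__main__":
    for findings in audit_all().values():
        print("\n".join(findings))
```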

The general recommendation is to use blueprints when creating many new subscriptions that should follow the same layout, and to use ARM templates in all other cases. Blueprints are still in preview at the time of writing.
