Azure Policy Tag add tag if missing

Reygie Prieto 0 Reputation points
2024-02-07T01:45:43.2433333+00:00

I set a new policy for existing resources to add required tag if missing. scenario1: Resource1 have the following tags and value Tag name = Project Value = ProjSSO Tag name = Purpose Value = app login

however if the the policy trigger I received an error Error: Policies attempted to append some fields which already exist in the request with different values Note: If I use addOrReplace then the policy append / update the tag name and value which we don' want to happen, we want the existing value as is.

{
  "properties": {
    "displayName": "test-add-required-tag-if missing",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "test-add-required-tag-if missing",
    "metadata": {
      "version": "1.0.1",
      "category": "Tags",
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "notEquals": "Microsoft.Compute/VirtualMachines"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.ClassicCompute/virtualMachines"
          },
          {
            "field": "type",
            "notEquals": "microsoft.compute/virtualmachines/extensions"
          },
          {
            "field": "type",
            "notEquals": "microsoft.network/networkinterfaces"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.Compute/disks"
          },
          {
            "anyOf": [
              {
                "not": {
                  "field": "tags[Project]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Application]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[BU]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Cost Center]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Ticket]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Function]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Purpose]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Platform Owner1]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Platform Owner2]",
                  "exists": "true"
                }
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "tags['Project']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Cost Center']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Application']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['bu']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Environment']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Ticket']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Function']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Purpose']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Platform Owner1']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Platform Owner2']",
              "value": ""
            }
          ]
        }
      }
    }
  }
}
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,535 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
603 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
757 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Sumarigo-MSFT 42,601 Reputation points Microsoft Employee
    2024-02-12T07:51:54.2966667+00:00

    @Reygie Prieto Firstly, Apologies for the delay response! Welcome to Microsoft Q&A Forum, Thank you for posting your query here! It looks like you're trying to add required tags to existing resources using an Azure Policy. However, you're receiving an error message when the policy is triggered because some of the tags already exist with different values. To avoid this error, you can modify your policy to only add the required tags if they are missing. Here's an example policy rule that you can use:

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "notEquals": "Microsoft.Compute/VirtualMachines"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.ClassicCompute/virtualMachines"
          },
          {
            "field": "type",
            "notEquals": "microsoft.compute/virtualmachines/extensions"
          },
          {
            "field": "type",
            "notEquals": "microsoft.network/networkinterfaces"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.Compute/disks"
          },
          {
            "anyOf": [
              {
                "not": {
                  "field": "tags[Project]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Application]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[BU]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Cost Center]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Ticket]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Function]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Purpose]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Platform Owner1]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Platform Owner2]",
                  "exists": "true"
                }
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers
    

    Use tags to organize your Azure resources and management hierarchy:https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources

    # Get all subscriptions in the Azure account
    
    try {
        "Logging in to Azure..."
        Connect-AzAccount
    }
    catch {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
    $subscriptions = Get-AzSubscription -SubscriptionId "XXXXXXX"
    
    # Loop through each subscription
    foreach ($subscription in $subscriptions) {
        # Set the current subscription
        Set-AzContext -SubscriptionId $subscription.SubscriptionId 
    
        # Get all resource groups for the subscription
        $resourceGroups = Get-AzResourceGroup -ResourceGroupName "XXXXXXX"
        
        $tagName = "Region"
        $newTagName = "Country"
        # Loop through each resource provider
        foreach ($rg in $resourceGroups) {
            $resources = Get-AzResource -ResourceGroupName $rg.ResourceGroupName
            foreach ($r in $resources) {
                $resourceId = Get-AzResource -ResourceId $r.ResourceId
                if ($resourceId.Tags.ContainsKey("Region")) {
                    $tagValue = $resourceId.Tags[$tagName]
                    $resourceId.Tags.Remove($tagName)
                    $resourceId.Tags.Add($newTagName, $tagValue)
                    # Update the resource with the new tags
                    $resourceId | Set-AzResource -Force
                }
            }
        }
    }
    
    
    

    Please let us know if you have any further queries. I’m happy to assist you further.    

    ---Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments