Is it possible to have a Group make changes only to certain tags?

Kjell B 20 Reputation points
2024-11-21T13:38:50.99+00:00

Question:
Is it possible to have a Group make changes only to certain tags?
They should NOT be able to change the other assigned tag values because these are related to costs.

Situation:

Multiple tags are getting assigned to VMs.
A few of those are used by a Function App that automates the Start and De-allocation of the VMs.
The others are for finances, etc.

Tags (the value of each tag is an HH:MM value):

StartTime:
StopTime:

I tried delving into the Azure Policy documents and the possibilities of tagging but can't find anything as specific in this regard.

Thanks for your time and any help in this regard.


Accepted answer
    Pavan Minukuri 840 Reputation points Microsoft Vendor
    2024-11-21T19:29:07.2666667+00:00

    Hi Kjell B,
    Welcome to Microsoft Q&A Forum. Thanks for asking the question here.
    It is possible to restrict a group in Azure from modifying certain tags while allowing changes to others. You can do this by using Azure Role-Based Access Control (RBAC) and Azure Policy.
    1. Create a custom Azure RBAC role that allows the group to modify only the tags that you want them to modify. You can do this by creating a new role definition in the Azure portal and specifying the permissions that the group should have.
    2. Assign the custom Azure RBAC role to the group. You can do this by going to the "Access control (IAM)" blade for the resource group or subscription that contains the resources, and adding the group to the custom role.
    3. Azure Policy allows you to define rules and conditions under which resources can be created or modified. Identify which tags should be modifiable (e.g., StartTime, StopTime) and which should remain unchanged (e.g., financial tags). You will need to create custom policy definitions that specify the allowed operations on tags. Here's a general structure for the policy.
    4. To allow modifications of specific tags, create another policy that allows changes to the StartTime and StopTime tags. Assign these policies at the subscription and resource group level based on your organizational structure. After implementing these policies, test them by attempting to modify both restricted and allowed tags.
    Here I'm pasting an example of allowing specific tags:

    {
      "mode": "Indexed",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "field": "tags['CostTag']",
              "exists": true
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      }
    }

    For better understanding, please go through the below attached links:
    https://learn.microsoft.com/th-th/azure/azure-resource-manager/management/tag-policies
    https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/govern-tags?WT.mc_id=modinfra-10601-socuff
    Please let me know if anything else is required.
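To see what the pasted definition actually does before assigning it, here is an added example (not from the answer above and not Microsoft's code) that evaluates a small, hypothetical subset of the Azure Policy condition language (allOf, anyOf, not, equals, notEquals, exists, and the tags['name'] field syntax) against constructed resource request bodies. It shows that the deny fires on any virtual machine request that carries CostTag at all, while a VM carrying only StartTime/StopTime and a non-VM resource are untouched.

```python
import json
import re

# Constructed copy of the policy definition pasted in the answer above.
POLICY = json.loads("""
{"mode": "Indexed",
 "policyRule": {
   "if": {"allOf": [
     {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
     {"field": "tags['CostTag']", "exists": true}]},
   "then": {"effect": "deny"}}}
""")

# Constructed request bodies, shaped like the part of an ARM PUT that policy inspects.
VM_SCHEDULE_ONLY = {"type": "Microsoft.Compute/virtualMachines",
                    "tags": {"StartTime": "08:00", "StopTime": "18:00"}}
VM_WITH_COST_TAG = {"type": "Microsoft.Compute/virtualMachines",
                    "tags": {"StartTime": "08:00", "CostTag": "CC-1234"}}
STORAGE_WITH_COST_TAG = {"type": "Microsoft.Storage/storageAccounts",
                         "tags": {"CostTag": "CC-1234"}}


def get_field(resource, field):
    """Resolve a policy 'field' against the request body (hypothetical simplification)."""
    match = re.fullmatch(r"tags\['(.+)'\]", field)
    if match:
        return resource.get("tags", {}).get(match.group(1))
    return resource.get(field)


def evaluate(cond, resource):
    """Return True when the condition matches; only the subset named above is supported."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:  # Azure accepts true/false as a bool or a string
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError("unsupported condition: %r" % cond)


def effect_for(policy, resource):
    """The policy's effect ('deny') when its 'if' block matches, else 'allow'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "allow"
```

Run the three constructed bodies through effect_for to confirm the behaviour described in the lead-in; the same evaluator can be pointed at any definition that stays within the supported subset.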

