Hi Kjell B
Welcome to Microsoft Q&A Forum, Thanks for asking question here.
It is possible to restrict a group in Azure from modifying certain tags while allowing changes to others. You can do this by using Azure Role-Based Access Control (RBAC) and Azure Policy.
1.Create a custom Azure RBAC role that allows the group to modify only the tags that you want them to modify. You can do this by creating a new role definition in the Azure portal and specifying the permissions that the group should have.
2.Assign the custom Azure RBAC role to the group. You can do this by going to the "Access control (IAM)" blade for the resource group or subscription that contains the resources, and adding the group to the custom role.
3.Azure Policy allows you to define rules and conditions under which resources can be created or modified. Identify which tags should be modifiable (e.g., StartTime
, StopTime
) and which should remain unchanged (e.g., financial tags). You will need to create custom policy definitions that specify the allowed operations on tags. Here’s a general structure for the policy.
4.Need to allow the modifications for specific tags for that create another policy allows to change StartTime
and StopTime
tags. Assign these policies at subscription and resources group level based on your organizational structure. After implementing these policies test them attempting modified both restricted and allowed tags
Here I'm pasting example of allowing specific tags,
{"mode": "Indexed",
"policyRule":
{
"if": {
"allOf": [
{ "field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "tags['CostTag']",
"exists": true }
]
},
"then": { "effect": "deny" }
}
}
For better understanding Please go through the below attached links: https://learn.microsoft.com/th-th/azure/azure-resource-manager/management/tag-policieshttps://learn.microsoft.com/en-us/azure/governance/policy/tutorials/govern-tags?WT.mc_id=modinfra-10601-socuff
Please let me know if required anything...!