While deny assignments have existed for a long time, Azure's enforcement of these restrictions has become stricter over time. In the past, there might have been cases where users could still modify certain properties (like resource tags), but Microsoft has now fully enforced these assignments, explicitly blocking modifications. As a result, any attempts to update tags on resources within the Databricks managed resource group will fail due to these enforced deny assignments.
Azure Databricks applies a system-managed deny assignment to its managed resource group. This restriction prevents direct modifications, like updating resource tags, to ensure resource stability and security. You cannot remove or alter this deny assignment, as it’s a core part of the service’s design.
To understand what changed, check role-based access control (RBAC) updates and Azure policies at the subscription or resource group level. Reviewing Azure Activity Logs can also reveal past successful tag changes and highlight differences with current restrictions.
Since modifying tags in the managed resource group isn’t allowed, tag the Databricks workspace resource instead. The workspace, located in your own resource group, supports tag updates, and these tags can propagate to managed resources. This is the recommended approach for managing tags effectively.
Please refer to the Microsoft documentation below:
https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments?tabs=azure-portal
https://learn.microsoft.com/en-us/azure/databricks/release-notes/product/2020/january
https://learn.microsoft.com/en-us/answers/questions/1923228/azure-policy-does-not-work-for-resources-created-b
I hope this information helps. Please do let us know if you have any further queries.
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Thank you.
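As an added example (not part of the original answer or of Microsoft's documentation), the checks and the workaround described in the answer can be scripted with the Azure CLI as follows. The resource group, workspace name and tag arguments are placeholders, and the script assumes a signed-in `az` session against the public Azure cloud endpoint.

```sh
#!/bin/sh
# Added example: inspect the managed resource group lock, then tag the workspace.
# Usage: ./tag-workspace.sh <workspace-rg> <workspace-name> key=value [key=value ...]
set -eu
WS_TYPE=Microsoft.Databricks/workspaces

# Resource ID of the workspace, which lives in your own resource group.
workspace_id() {
  az resource show -g "$1" -n "$2" --resource-type "$WS_TYPE" --query id -o tsv
}

# Resource ID of the Databricks-managed resource group behind that workspace.
managed_rg_id() {
  az resource show -g "$1" -n "$2" --resource-type "$WS_TYPE" \
    --query properties.managedResourceGroupId -o tsv
}

# The last path segment of a resource group ID is the group name.
rg_name_from_id() { printf '%s\n' "${1##*/}"; }

# Deny assignments in effect at the managed resource group (read-only REST call).
list_deny_assignments() {
  az rest --method get -o table \
    --url "https://management.azure.com$1/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01" \
    --query "value[].{name:properties.denyAssignmentName, systemProtected:properties.isSystemProtected}"
}

# Write operations recorded against the managed group in the last 30 days,
# so earlier successful tag writes can be compared with current failures.
write_history() {
  az monitor activity-log list --resource-group "$1" --offset 30d -o table \
    --query "[?ends_with(operationName.value, '/write')].{time:eventTimestamp, op:operationName.value, status:status.value, caller:caller}"
}

# Merge tags onto the workspace resource; existing tags are kept.
tag_workspace() {
  ws_id=$1; shift
  az tag update --resource-id "$ws_id" --operation Merge --tags "$@"
}

main() {
  rg=$1 name=$2; shift 2
  mrg_id=$(managed_rg_id "$rg" "$name")
  list_deny_assignments "$mrg_id"
  write_history "$(rg_name_from_id "$mrg_id")"
  tag_workspace "$(workspace_id "$rg" "$name")" "$@"
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```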