How can we prevent users from modifying subscription-level tags once they are created in Azure?

Question

How can we prevent users from modifying subscription-level tags once they are created in Azure?

SrVish 20

We want to enforce governance so that once tags (like Environment, CostCenter, etc.) are added to a subscription, no user—including subscription owners—can modify or delete them, unless explicitly allowed (e.g., by a central admin role). Is there a way to achieve this using?

Ideally, we want to:

Lock subscription tags from being edited after initial creation.

Allow only a specific role or identity to update them.

Audit any unauthorized modification attempts.

Vinod Pittala 3,615 Reputation points Microsoft External Staff Moderator

2025-05-09T20:02:23.0633333+00:00

Hello SrVish,

We haven't heard back from you regarding the advice Michael Taylor provided earlier. Could you please let us know if it was helpful? If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.

Thanks
Vinod Pittala 3,615 Reputation points Microsoft External Staff Moderator

2025-05-12T21:16:18.86+00:00

Hello SrVish,

I would like to check if the issue has been resolved or if you need any assistance. Please feel free to let us know, as we are always here to help.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks

1 answer

Your answer

Vinod Pittala 3,615 Reputation points Microsoft External Staff Moderator

2025-05-09T20:02:23.0633333+00:00

Hello SrVish,

We haven't heard back from you regarding the advice Michael Taylor provided earlier. Could you please let us know if it was helpful? If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.

Thanks
Vinod Pittala 3,615 Reputation points Microsoft External Staff Moderator

2025-05-12T21:16:18.86+00:00

Hello SrVish,

I would like to check if the issue has been resolved or if you need any assistance. Please feel free to let us know, as we are always here to help.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks

Answer 1

That is not currently doable in Azure AFAIK. If you have write access to a resource then you can add/edit/delete tags on that resource. Azure doesn't have fine-grained permissions to allow you to add, but not edit, tags. Not sure how this would even work correctly since someone may add a tag but not use the correct tag. They could then not edit the tag to fix it.

There is a Tag Contributor role that you can grant that allows someone to apply tags, but not edit the resource they are associated with. But, again, this is an all or nothing thing. You cannot allow adding tags but not edit them.

Subscription owners, AFAIK, can do just about anything so even if there were such a RBAC available, a subscription owner could simply grant themselves any permissions needed to do it anyway.

You can look into Azure policies for tagging as well. I've not gone this route but in theory you can define the policy that you want and then when someone tries to do something outside your policy it will fail. It doesn't "lock them out" but it would help prevent tags from getting set that you don't want. Of course the policy itself may be hard to set up, depending on your requirements.

Share via

How can we prevent users from modifying subscription-level tags once they are created in Azure?

1 answer

Your answer