Requiring Tags

Tony Price 1 Reputation point
2021-02-25T19:59:43.33+00:00

I need to force tags on all Azure resources, namely cost center and department codes. And as you might expect both those are dynamic and can change for each resource so its impossible to programmatically assign them through policies. So, here's my questions...

  1. Currently our policy only monitors and reports non-compliance with Tags. Will creating a deny policy of resource creation impact existing resources, that is stop them from functioning?
  2. I need to enforce tags on all Azure resources not just resource groups. We need to be able to track expenses on any resource that incurs a cost. This json below will only work on resource groups. How should I edit this to include other Azure resources?
  3. Our student email is in the same domain/tenant as our Azure tenant. Is it possible to automate filtering those free/trial subscriptions from this policy?
        "if": {
    
    "allOf": [{
    "field": "type",
    "equals": "Microsoft.Resources/subscriptions/resourceGroups"
    },
    {
    "field": "tags['CostCenter']",
    "exists": false
    }
    ]
    },
    "then": {
    "effect": "deny"
    }

Thanks for any suggestions and advice. It is greatly appreciated.

Tony

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
817 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. olufemia-MSFT 2,861 Reputation points
    2021-03-23T16:49:29.43+00:00

    Hello @Tony Price , sorry there's been no response to your questions. Here are some answers based on my understanding of your scenario.

    Currently our policy only monitors and reports non-compliance with Tags. Will creating a deny policy of resource creation impact existing resources, that is stop them from functioning?

    No, the Deny Policy will not stop exsiting/running resources from functioning. During evaluation, the existing resource is marked as non-compliant if conditions on the resource matches the policy definition. You have the option to create a remediation task to fix the non-compliant resource(s). Source: how deny effect works on new and existing resources.

    80758-denyeffect.png

    I need to enforce tags on all Azure resources not just resource groups. We need to be able to track expenses on any resource that incurs a cost. This json below will only work on resource groups. How should I edit this to include other Azure resources?

    To enforce tags on resources, you will need to reference the resource attribute in your policy definition. Here's a sample definition that uses the Modify effect to evaluate resources and adds specified tag/values if missing from a newly created or existing resource - snippet below. Check out this content on how to use tags to group billing/cost data.

    {  
      "properties": {  
        "displayName": "Add a tag to resources",  
        "policyType": "BuiltIn",  
        "mode": "Indexed",  
        "description": "Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups.",  
        "metadata": {  
          "version": "1.0.0",  
          "category": "Tags"  
        },  
    

    80720-tagsbilling.png

    Our student email is in the same domain/tenant as our Azure tenant. Is it possible to automate filtering those free/trial subscriptions from this policy?
    Not sure I completely understand this question but AFAIK you should be able to define a scope for your policy to include or exclude subscriptions based on your preference. Here's some useful content on defining Scope in Azure policy.

    80801-scopestory.png

    0 comments No comments