Azure Policy blocking resources with out Tag property

Question

Azure Policy blocking resources with out Tag property

Prajith Karumathil 147

Please i need your help on this issue.
Facing challenges in Azure Policy for tagging
I have applied a customised Json script for 'Require Tag and values on resource' policy in Subscription.
I was happy that ,It's denying all resource build and insisting for Tag. But here is the problem, it's also blocking the deployment of resources which do not have Tag property such as alert, resource health etc.

Tried Following Steps

given Indexed mode still didn't help.
all: evaluate resource groups, subscriptions, and all resource types
indexed: only evaluate resource types that support tags and location
Ref : https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
Microsoft has given following workaround, but I'm not really OK with that. MS engineer says this is the only option.

Excluding such resource type individually in json script. Which is not really practical. coz there are 100s of resource types. Inside each resource type there are resources there are tag supported and non-supported resources.

AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-03T11:25:30.683+00:00

@Anonymous , I am sorry for the inconvenience. Based on the question, following are some of the suggestions that can be incorporated

1. As mentioned in the question - use Indexed Mode to evaluate only the resources which support tags. You can also refer to the following resource which has information about resources supporting tags - Tag support for resources.

2. Exclude OR Include the resources in Policy Definition - to ensure that the policy is evaluated for selected/targeted resource.

Please note that, for any policy to be effective, the scope will have to be clearly defined.

I see that you have mentioned that this policy is blocking deployment of alert, resource health resources - Can you please share more details of how are you creating these resources. If you meant alertrule, note that some of the alertrule do support location and tags depending on the namespace. Pleas refer to this link for details.
Prajith Karumathil 147 Reputation points

2022-08-03T12:52:27.77+00:00
Hi Anurag,
Thank you for the response.

As mentioned in the question - use Indexed Mode to evaluate only the resources which support tags. You can also refer to the following resource which has information about resources supporting tags - Tag support for resources.
------ This is already done in the script, but no effect.

Exclude OR Include the resources in Policy Definition - to ensure that the policy is evaluated for selected/targeted resource. ------- I'm really not intrested in this. Coz it's too manual.

Please note that, for any policy to be effective, the scope will have to be clearly defined.

I see that you have mentioned that this policy is blocking deployment of alert, resource health resources - Can you please share more details of how are you creating these resources. If you meant alertrule, note that some of the alertrule do support location and tags depending on the namespace. Pleas refer to this link for details.-----I'm creating resource in same scope. There are other resources without Tag property.227637-multipletag.txt
AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-04T06:38:26.677+00:00

@Anonymous , Thank you for the reply. Please review the query/response below:

Exclude OR Include the resources in Policy Definition - to ensure that the policy is evaluated for selected/targeted resource.

------- I'm really not intrested in this. Coz it's too manual.
I understand your concern - but the targeted resource will have to be specified in some way or the other to ensure that the policy takes only required resources into account. If you are targeting all the resources, respective tag will be required on all the resource. So the question comes down to - how do you want to specify resources which should be considered for tags?

I'm creating resource in same scope. There are other resources without Tag
Can you please clarify this further? What type of resource creation is failing because of this policy for which tags are not supported?

Please let me know if you have any questions.
Prajith Karumathil 147 Reputation points

2022-08-04T12:42:32.22+00:00

Exclude OR Include the resources in Policy Definition - to ensure that the policy is evaluated for selected/targeted resource.

------- I'm really not interested in this. Coz it's too manual.
I understand your concern - but the targeted resource will have to be specified in some way or the other to ensure that the policy takes only required resources into account. If you are targeting all the resources, respective tag will be required on all the resource. So the question comes down to - how do you want to specify resources which should be considered for tags? - ****I had tried this option, If I have to exclude there are 100s resources. I have to check each of that manually**.**

I'm creating resource in same scope. There are other resources without Tag
Can you please clarify this further? What type of resource creation is failing because of this policy for which tags are not supported? - Resource Health alert

Please let me know if you have any questions.
AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-06T05:29:04.513+00:00

@Anonymous , thank you for sharing this detail. I am reaching out to our team internally and will get back to you regarding this.
AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-09T08:20:59.94+00:00

@Anonymous , I wanted to keep you updated that I am discussing it with our respective team and will update you soon with some findings/next action.
As a workaround, please exclude microsoft.insights/activitylogalerts type for the policy enforcing tags. Are there other resources too where you are facing similar issues?

Answer accepted by question author

0 additional answers

Your answer

AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-03T11:25:30.683+00:00

@Anonymous , I am sorry for the inconvenience. Based on the question, following are some of the suggestions that can be incorporated

1. As mentioned in the question - use Indexed Mode to evaluate only the resources which support tags. You can also refer to the following resource which has information about resources supporting tags - Tag support for resources.

2. Exclude OR Include the resources in Policy Definition - to ensure that the policy is evaluated for selected/targeted resource.

Please note that, for any policy to be effective, the scope will have to be clearly defined.

I see that you have mentioned that this policy is blocking deployment of alert, resource health resources - Can you please share more details of how are you creating these resources. If you meant alertrule, note that some of the alertrule do support location and tags depending on the namespace. Pleas refer to this link for details.
Prajith Karumathil 147 Reputation points

2022-08-03T12:52:27.77+00:00

Hi Anurag,
Thank you for the response.

As mentioned in the question - use Indexed Mode to evaluate only the resources which support tags. You can also refer to the following resource which has information about resources supporting tags - Tag support for resources.
------ This is already done in the script, but no effect.

Exclude OR Include the resources in Policy Definition - to ensure that the policy is evaluated for selected/targeted resource. ------- I'm really not intrested in this. Coz it's too manual.

Please note that, for any policy to be effective, the scope will have to be clearly defined.

I see that you have mentioned that this policy is blocking deployment of alert, resource health resources - Can you please share more details of how are you creating these resources. If you meant alertrule, note that some of the alertrule do support location and tags depending on the namespace. Pleas refer to this link for details.-----I'm creating resource in same scope. There are other resources without Tag property.227637-multipletag.txt
AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-04T06:38:26.677+00:00

@Anonymous , Thank you for the reply. Please review the query/response below:

Exclude OR Include the resources in Policy Definition - to ensure that the policy is evaluated for selected/targeted resource.

------- I'm really not intrested in this. Coz it's too manual.
I understand your concern - but the targeted resource will have to be specified in some way or the other to ensure that the policy takes only required resources into account. If you are targeting all the resources, respective tag will be required on all the resource. So the question comes down to - how do you want to specify resources which should be considered for tags?

I'm creating resource in same scope. There are other resources without Tag
Can you please clarify this further? What type of resource creation is failing because of this policy for which tags are not supported?

Please let me know if you have any questions.
Prajith Karumathil 147 Reputation points

2022-08-04T12:42:32.22+00:00

Exclude OR Include the resources in Policy Definition - to ensure that the policy is evaluated for selected/targeted resource.

------- I'm really not interested in this. Coz it's too manual.
I understand your concern - but the targeted resource will have to be specified in some way or the other to ensure that the policy takes only required resources into account. If you are targeting all the resources, respective tag will be required on all the resource. So the question comes down to - how do you want to specify resources which should be considered for tags? - ****I had tried this option, If I have to exclude there are 100s resources. I have to check each of that manually**.**

I'm creating resource in same scope. There are other resources without Tag
Can you please clarify this further? What type of resource creation is failing because of this policy for which tags are not supported? - Resource Health alert

Please let me know if you have any questions.
AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-06T05:29:04.513+00:00

@Anonymous , thank you for sharing this detail. I am reaching out to our team internally and will get back to you regarding this.
AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-09T08:20:59.94+00:00

@Anonymous , I wanted to keep you updated that I am discussing it with our respective team and will update you soon with some findings/next action.
As a workaround, please exclude microsoft.insights/activitylogalerts type for the policy enforcing tags. Are there other resources too where you are facing similar issues?

Answer 1

AnuragSingh-MSFT 21,566 Moderator

@Anonymous , Thank you again for bringing this issue related to "Resource health alert" to our attention. Here are some additional details that should help you:

1. In Azure portal, for Alert rule being created from “Service Health” --> “Resource Health” --> “+ Add resource health alert”, the tags cannot be added as of now. However, our product group is working on it, and it should be available in the next few weeks.

2. If you are planning to create "Resource Health Alert Rule" for a particular resource, you may use the Alert option available in that resource properties. For example, for a particular VM, it can be created using the Alerts options as shown below, where tags can be added:

3. If you would like to enable it for a set of resources OR all the resources, you can use the ARM template deployment method, which supports tags. Please see this link for details and this link for a sample template.

Please let me know if you have any questions. 2: https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/activitylogalerts?pivots=deployment-language-arm-template

Prajith Karumathil 147 Reputation points

2022-08-17T14:06:28.607+00:00

Thank you Anurag,
So that means, creating service health alert this way
ie, “Service Health” --> “Resource Health” --> “+ Add resource health alert”, will block with Policy regardless of any solution (indexed mode or excluding) we apply. Is my understanding correct?

If yes, any idea what are the other resources like this?

I tried creating some other resources such as blob (storageAccounts/blobServices) for which Tag is not supported is working without any problem
AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-08-22T04:16:32.133+00:00

@Anonymous , Thank you for the reply. To answer your question:

1. “Service Health” --> “Resource Health” --> “+ Add resource health alert”, will block with Policy...
Yes. This step creates a resource of type microsoft.insights.activityLogAlerts which supports tags and location. Please see this link for details. Therefore, even if you chose indexed mode in policy, it would not exclude this particular resource. Our PG is aware of this issue and is working on a solution which should be deployed in the next few weeks. Note that this only affects this alert rule creation from portal. The other methods to create it are not impacted.

2. ... (storageAccounts/blobServices) for which Tag is not supported is working without any problem
This works without any issue, because storageAccounts/blobServices does not support tags/location. Please see this link. Therefore, with indexed mode, the policy won't apply to this resource creation.

While I am not aware of any other service where this might be an issue, we are constantly evaluating the Azure services to ensure that it provides the best user experience. Please feel free to let us know if you face similar issues elsewhere.

---
Please 'Accept as answer' if it helped so that it can help others in the community looking for help on similar topics.
Prajith Karumathil 147 Reputation points

2022-08-24T06:20:43.963+00:00

Thank you for your help Anurag.
Jon Stewart 0 Reputation points

2023-11-30T00:39:03+00:00

Was this resolved?

Share via

Azure Policy blocking resources with out Tag property

0 additional answers

Your answer