How to Enforce Mandatory Tags Across Your Azure Resources

If your organization is using Azure for your cloud infrastructure, as with any other cloud vendor, you’ll need to have a governance strategy to keep your resources organized.

Tags are one of the most helpful tools. When implemented correctly, tags are the way you label and categorize resources, and then track how much they are costing you each month. The earlier your organization can align on a tagging strategy, the less clean-up work you’ll need to do later.

So let’s start at the top.

What Are Azure Tags?

Azure tags are user-defined metadata consisting of a key-value pair that includes a name and a value. Adding tags to Azure resources helps you locate those resources within the console. Organizations use tags to help report costs associated with different projects using the same Azure cloud account. Admins can also use tags to support role-based permissions within specific environments or virtual machines (VMs).

It’s possible to assign up to 50 tags to an individual resource. The maximum character length is 512 for keys and 256 for values. Tags in Azure are not case-sensitive. In addition, you should avoid using the following special characters:

• >
• <
• %
• &
• /
• ?

You can customize tags to fit whatever needs your organization has and however you would prefer to label resources. These are some of the most common tag categories:

• Tags for “CostCenter” to help report on your cloud spending
• Tags for which “Team”, “Department”, or “Project” is related to the resource
• Tags for “Environment” or “Status” describing the resource

Keep in mind that there is no support for tagging on resources deployed using the classic deployment model. If you have resources using that deployment model, they will need to migrate to the new Azure Resource Manager. 

Adding Tags to Azure Resources

You can add tags to specific Azure resources through Azure Portal or execute an automation script using Azure PowerShell. Below is an example of issuing a PowerShell command to add tags to a storage account:

$tags = @{"Dept"="Finance"; "Status"="Normal"}
$resource = Get-AzResource -Name demoStorage -ResourceGroup demoGroup
New-AzTag -ResourceId $resource.id -Tag $tags

Users can use the same command to add tags to resource groups or subscriptions. Below is an example of adding a tag to a resource group:

$tags = @{"Dept"="Finance"; "Status"="Normal"}
$resourceGroup = Get-AzResourceGroup -Name demoGroup
New-AzTag -ResourceId $resourceGroup.ResourceId -tag $tags

Enforcing Mandatory Tags with Policies in Azure

There are various policy definitions available to automatically enforce tagging within Azure. Using them helps your organization avoid the problem of users deploying resources without required tags.

Below is an example of a policy definition for enforcing mandatory tags within Azure.

"properties": {
    "displayName": "Add a tag to resources",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Updates a specific tag and value for resources that are missing a required tag. It's possible to trigger a remediation task to ensure existing resources have the required tag. Resources with an existing tag containing a different value will remain unchanged. No updates are made to resource groups.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
	"operation": "add",
	"field": "[concat('tags[', parameters('tagName'), ']')]",
	"value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "4f9dc7db-30c1-420c-b61a-e1d640128d26"
}

After your organization has implemented a policy like this for the tags you want to mandate, then users wouldn’t be able to deploy resources that are missing those tags.

Blink Automation: Ensure Azure Compute Disks Have Mandatory Tags

Blink + Azure

Try This Automation

Locating Untagged Azure Resources

If you have resources that were deployed prior to those policies being established, you’ll need to locate and tag any resources that are still not compliant. You can do this by executing the following script in PowerShell:

$resources=get-AzureRmResource
foreach ($resource in $resources) {
$tagcount=(get-AzureRmResource | where-object {$_.Name -match $resource.Name}).Tags.count
if($tagcount -eq 0) {
Write-Host "Resource Name - " $resource.Name
Write-Host "Resource Type and RG Name : " $resource.resourcetype " & " $resource.resourcegroupname "`n"
}
}

You will then see a list of any untagged resources so you can update them.

Best Practices for Mandatory Tagging in Azure

Use tag names that make it easy to identify the context for their use. For example, the name can refer to an environment, project name, or data profile. Stick to standard naming conventions to help enforce consistency across your Azure environments. Set up standards for your organization and apply them using Azure policies.

Automating Mandatory Tag Checks with Blink:

Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to find and fix untagged resources in a couple clicks. Blink comes with pre-built automations that make enforcing CloudOps best practices simple. 

With Blink, you can run this automation to scan your Azure account for disks that are missing mandatory tags and send a report to a designated email address.

When this automation runs, it executes the following actions:

1. Checks whether Azure compute disks have specified mandatory tags.
2. Sends a report with the results via email.

You can import this automation from the Blink library and customize it however you like. For example, you could send a weekly Slack notification with a report on disks with missing mandatory tags, with the ability to add tags with approval via Slack.

In Blink, you can also create automations from scratch to meet your team’s unique needs using the hundreds of drag-and-drop actions available from a wide range of tools.

Get started with Blink today to see how easy automation can be.