Azure Resource Tags – Enforce tag creation on Resource Groups and Resources

  1. Create Azure Policies that enforce tagging
  2. Create an Initiative
  3. Assign the Initiative to a Subscription, Resource Group, Management Group,

One of the key recommendations when adopting Azure as a cloud platform is good naming standards. Microsoft has a best practice recommendations but keeping it simple is always the best bet.

For naming subscriptions, the following is a good standard to maintain:

<Company> <Department (optional)> <Product Line (optional)> <Environment>

Examples:

  1. EAX360-Research & Development-DEVELOPMENT
  2. EAX360-Finance-Accounting-PRODUCTION

The second step to ensuring that best practice is adhered to is to start enforcing tagging at the subscription level. This post describes how to setup tag enforcement when creating a Resource Group

Dashboard > Subscriptions > Microsoft P&G – PRODUCTION> Policy – Definitions

From here, you have several tagging definitions:

Append tag and its value from the resource groupBuilt-inPolicyGeneral
Apply tag and its default valueBuilt-inPolicyGeneral
Apply tag and its default value to resource groupsBuilt-inPolicyGeneral
Enforce tag and its valueBuilt-inPolicyGeneral
Enforce tag and its value on resource groupsBuilt-inPolicyGeneral
Require specified tagBuilt-inPolicyGeneral
Require specified tag on resource groupsBuilt-inPolicyGeneral

In my Azure tenant, I have several policies that trigger on RESOURCE CREATE. The implementation is straight-forward but requires an Azure Policy Initiative to be created, which looks like:

Now, when I create a new resource, I get the following error:

This isn’t the most helpful error notification but it does do the job.