Deny the creation of a resource group without applicationName Tag
Every resource group should have an application name because Resource Groups should be Application Related. However you cant get the applicationName from the Above Subscription.
As a Example, the Resource Group is for HR Performance.
applicationName Tag Configuration
- Deny the resource group if its missing the applicationName tag
Steps to apply this policy in Azure
Search for policy and Assign


Go to Assignments. This shows you all the policies or Initiatives that are in place. The Scope for this shows that the all subscriptions are being shown in this list.
Click Assign Policy
Set Scope of Policy
First thing you need to do is set the Scope. We have Management groups in place and as a test, a Personal Subscription is being used

The Resource Group isn’t set because this is just being set at Subscription level
Exclude Resource

You can also exclude resource, and in this case resources from the above Policy. However for this policy we don’t need to do this.
Set the Policy Definition.

There are two types of definitions. Custom and built in
If you look for ‘Tag’ you get a list of the Built in Definitions for tags.
We know that we want to ‘Require a tag on resource groups’ so this built in policy can be selected

Choose the Built in policy and Select

The Assignment Name has been slightly changed to include the tag this will be set for


We are in the Basics tab at the moment
Parameters
Go to the Parameters Tab.

Remediation
Click the Remediation Tab

In order to understand the Remediation tab there are a few specific concepts to Understand
Managed Identity
Managed identities is a more secure authentication method for Azure cloud services that allows only authorized managed–identity-enabled virtual machines to access your Azure subscription.
This means that any service that ‘does something’ to another service can do so automatically using a Managed Identity
DeployIfNotExists and Modify effects
Every single Policy in Azure Policy has a single effect. Effects behave differently if they are for a new, updated or existing resource. The Effects supported are:
- Append
- Audit
- AuditIfNotExists
- Deny
- DeployIfNotExists
- Disabled
- EnforceOPAConstraint (preview)
- EnforceRegoPolicy (preview)
- Modify
The question is. What is the effect of Require a tag on resource groups
Definitions

Go to Definitions in Policy and Search for the Built in Policy.

The effect of your chosen built in Policy the effect is to deny .
You can also see the JSON Definition of the chosen Policy
Because the Policy is deny we don’t need to set up a Managed Identity
Click Review + Create

And Click Create
Definitions
Going back to the policy Definition

You can see that this Policy has been assigned to a Subscription
Checking your Policy has worked
To test the policy create a new resource Group within the selected Subscription without adding any tags


Because the Name of the required tag was added into the Policy name, the warning lets you know which tag you need to set.
You can Implement this on any resource group that needs a tag setting when it cant inherit from anything above (Like Subscriptions)
One Reply to “Azure Built in Tagging Policy. Deny the Creation of a Resource group”