AZ-104 | Chapter 55 of 168 | Objective 1.2

Resource Tagging Strategy and Enforcement

This chapter covers resource tagging strategy and enforcement in Microsoft Azure, a critical skill for the AZ-104 exam. Tagging is a lightweight but powerful mechanism for organizing resources, managing costs, and enforcing governance through Azure Policy. Expect approximately 10-15% of exam questions to touch on tagging, either directly or as part of broader management and governance scenarios. Mastering tagging strategy will help you design scalable, cost-efficient Azure environments.

Updated May 31, 2026

Library Book Tagging System

Imagine a large library with thousands of books. The library uses a color-coded tagging system on each book's spine: a red tag for fiction, blue for non-fiction, green for reference, and yellow for children's books. Each tag also has a barcode that encodes the book's genre, publication year, and shelf location. When a librarian checks in a book, they scan the barcode and the system automatically updates the inventory, tracks which section the book belongs to, and enforces rules—like reference books cannot be checked out. If a book has a green tag but no barcode, the system rejects it because the tag is incomplete. The library manager can run reports on how many fiction books are checked out, enforce that all new books must have both a tag and a barcode before being shelved, and automatically apply late fees based on the tag's section. This system mirrors Azure resource tagging: tags are metadata key-value pairs applied to resources, used for organization, cost allocation, and policy enforcement. Just as the library's system scans tags to automate actions, Azure Policy can enforce tagging rules and trigger remediation. Without tags, resources become unmanageable at scale, like books without tags lost in the library.

How It Actually Works

What is Resource Tagging and Why Does It Exist?

Resource tagging is the practice of attaching metadata to Azure resources in the form of key-value pairs. For example, Environment: Production or CostCenter: Marketing. Tags are not a security feature—they do not control access—but they are essential for organization, cost management, automation, and policy enforcement. On the AZ-104 exam, tagging appears in the context of Azure Policy, cost management, resource organization, and lifecycle management.

How Tagging Works Internally

Tags are stored as part of the resource's metadata in Azure Resource Manager (ARM). When you apply a tag, ARM updates the resource's properties. Tags are propagated to usage data for billing, but note that tags on resource groups are not automatically inherited by resources within them—you must apply tags explicitly or use Azure Policy to enforce inheritance. Tags can be applied at creation or after deployment via the portal, CLI, PowerShell, or ARM templates.

Key Components and Values

Tag names and values: Case-insensitive but case-preserving. Max 512 characters per tag name, 256 characters per tag value. A resource can have up to 50 tag name-value pairs. Not every resource type supports tags; check the documentation for unsupported types (e.g., some classic resources).

Tag inheritance: Not automatic. Resources do not inherit tags from their resource group. Use Azure Policy to enforce inheritance (e.g., append resource group tags to resources).

Tag propagation to billing: Tags appear on your Azure bill under 'Tags' in the Cost Management + Billing blade. This enables cost allocation by department, project, or environment. However, tags must be applied to resources before they generate usage data—retroactive tagging does not update past bills.

Azure Policy for tagging: Use built-in policies like 'Require a tag and its value on resources' or create custom policies. Policies can be assigned at management group, subscription, or resource group scope. Policy effects include 'Deny' (block creation), 'Audit' (log non-compliance), 'Append' (add missing tags), and 'Modify' (fix tags via remediation task).

Tag governance with policy: Common patterns include: requiring a tag on new resources, inheriting tags from the resource group, and enforcing tag cardinality (e.g., exactly one 'CostCenter' tag). Remediation tasks require a managed identity with contributor permissions.

Tag limits: 50 tags per resource. Tag names can contain letters, numbers, spaces, and some special characters (but not <>%&\\?/). Tag values can contain any characters.
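The limits listed above can be checked before deployment. The following is an added example, not code from this guide or from Azure: a small linter that applies the stated limits, the forbidden name characters, and case-insensitive name matching to one resource's tags. The function name, the required-tag list, and the sample tags are constructed for illustration.

```python
# Added example: lint a resource's tags against the limits stated on this page.
MAX_TAGS = 50            # tag name-value pairs per resource
MAX_NAME_LEN = 512       # characters per tag name
MAX_VALUE_LEN = 256      # characters per tag value
FORBIDDEN_NAME_CHARS = set("<>%&\\?/")


def lint_tags(tags, required=()):
    """Return a list of violations for one resource's tag dictionary."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")

    seen = {}  # casefolded name -> first spelling encountered
    for name, value in tags.items():
        key = name.casefold()
        if key in seen:
            # Names are case-insensitive, so both spellings refer to one tag.
            problems.append(f"'{name}' collides with '{seen[key]}': names are case-insensitive")
        else:
            seen[key] = name
        if len(name) > MAX_NAME_LEN:
            problems.append(f"name '{name[:20]}...' is longer than {MAX_NAME_LEN} characters")
        bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
        if bad:
            problems.append(f"name '{name}' contains forbidden characters: {' '.join(bad)}")
        if len(str(value)) > MAX_VALUE_LEN:
            problems.append(f"value of '{name}' is longer than {MAX_VALUE_LEN} characters")

    for wanted in required:
        if wanted.casefold() not in seen:
            problems.append(f"required tag '{wanted}' is missing")
    return problems


# Constructed sample: the "tags" property of one resource in a template.
REQUIRED_TAGS = ("Environment", "CostCenter", "Owner")
SAMPLE_TAGS = {
    "Environment": "Production",
    "environment": "prod",     # same tag name, different case
    "Cost/Center": "IT",       # '/' is not allowed in a tag name
    "Owner": "x" * 300,        # value longer than 256 characters
}

if __name__ == "__main__":
    for problem in lint_tags(SAMPLE_TAGS, REQUIRED_TAGS):
        print("FAIL:", problem)
```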

Configuration and Verification Commands

Azure CLI:

# Apply a tag to a resource group
az tag create --resource-id /subscriptions/{sub-id}/resourcegroups/{rg} --tags Environment=Production

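# Update tags (Merge adds new tags and replaces the values of existing ones)
az tag update --resource-id /subscriptions/{sub-id}/resourcegroups/{rg} --operation Merge --tags Environment=Production CostCenter=IT

# Remove a single tag (az tag delete --resource-id removes every tag on the resource)
az tag update --resource-id /subscriptions/{sub-id}/resourcegroups/{rg} --operation Delete --tags Environment=Production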

# List tags on a resource group
az tag list --resource-id /subscriptions/{sub-id}/resourcegroups/{rg}

PowerShell:

# Apply tags to a resource group
Set-AzResourceGroup -Name MyRG -Tag @{Environment='Production'; CostCenter='IT'}

# Get tags from a resource group
(Get-AzResourceGroup -Name MyRG).Tags

# Remove all tags
Set-AzResourceGroup -Name MyRG -Tag @{}

Azure Policy assignment (CLI):

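# Assign built-in policy 'Require a tag on resources', resolving the definition by its display name
policyId=$(az policy definition list --query "[?displayName=='Require a tag on resources'].name" -o tsv)
az policy assignment create --name "require-tag" --policy "$policyId" --params "{\"tagName\":{\"value\":\"Environment\"}}" --scope /subscriptions/{sub-id}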

Interaction with Related Technologies

Azure Policy: The primary enforcement mechanism. Policies can deny creation of untagged resources, audit existing resources, append missing tags, or modify tags via remediation. Remediation tasks run periodically (default every 5 minutes) but can be triggered manually.

Azure Cost Management: Tags are used to group costs in reports. Without tags, cost allocation by department or project is manual and error-prone.

Azure Resource Graph: Query resources by tags using KQL. Example: resources | where tags.Environment =~ 'Production'.

Azure Automation: Use runbooks to apply or update tags based on schedules or events.

Azure Blueprints: Can include policy assignments that enforce tagging as part of a blueprint definition.

Azure Resource Manager (ARM) templates: Tags can be specified in the template parameters and applied during deployment.

Common Exam Scenarios

Enforcing a required tag: Use Azure Policy with effect 'Deny' to block creation of VMs without an 'Environment' tag.

Inheriting tags from resource group: Use 'Append' effect to copy resource group tags to resources when they are created. Note: Append only works on creation, not on existing resources—use 'Modify' for existing resources.

Tagging for cost reporting: Ensure tags are applied before the start of the billing period to see them in cost reports.

Tag naming conventions: Use consistent naming like Project, CostCenter, Environment, Owner. Avoid sensitive data in tags (they are visible to anyone with reader access).

Performance and Scale Considerations

Tagging operations are lightweight and do not impact resource performance. However, applying tags to thousands of resources via CLI or PowerShell can be slow due to API rate limits. Use Azure Policy for bulk enforcement. Tags are stored in ARM, so querying tags via Resource Graph is fast even at large scale.

Walk-Through

1. Define Tagging Strategy

Before applying any tags, design a consistent taxonomy. Identify mandatory tags (e.g., Environment, CostCenter, Project) and optional tags (e.g., Owner, CreatedBy). Decide on naming conventions: use PascalCase or lowercase, avoid special characters. Map tags to business requirements: cost allocation, automation, security compliance. Document the strategy and share with the team. On the exam, you may be asked to choose an appropriate set of tags for a given scenario—common answers include Environment, CostCenter, and Department.

2. Apply Tags to Resources

Tags can be applied via the Azure portal, CLI, PowerShell, ARM templates, or during resource creation. In the portal, navigate to the resource's 'Tags' blade, enter key-value pairs, and save. For bulk operations, use CLI or PowerShell. When using ARM templates, define tags in the 'tags' property of the resource. Be aware that some resource types (e.g., Azure DNS zones) do not support tags. Also, tags on a resource group do not propagate to resources—you must apply them explicitly or use policy.

3. Enforce Tagging with Azure Policy

Create or assign built-in policies to enforce tagging. Common built-in policies: 'Require a tag on resources', 'Require a tag and its value on resources', 'Inherit a tag from the resource group if missing'. Assign policies at the management group, subscription, or resource group scope. Use the 'Deny' effect to block creation of non-compliant resources. Use 'Audit' to identify existing non-compliant resources. Use 'Append' to automatically add tags during creation. Use 'Modify' with a remediation task to fix existing resources.

4. Configure Remediation Tasks

For policies with 'Modify' effect, create a remediation task to correct existing non-compliant resources. The remediation task uses a managed identity (system-assigned or user-assigned) with contributor permissions on the target resources. You can trigger remediation manually or set a schedule. Remediation tasks process resources in batches and can take time for large environments. On the exam, know that 'Append' cannot fix existing resources—only 'Modify' can, and it requires a remediation task.

5. Monitor and Report Tag Compliance

Use Azure Policy's compliance dashboard to view tag compliance. Filter by policy assignment and scope. Export compliance data to Log Analytics for custom reporting. Use Azure Resource Graph to query resources with specific tags. For cost management, go to Cost Management + Billing, select 'Cost analysis', and group by tag. Note that tags appear on bills only if applied before the usage period. Regularly audit tags to ensure consistency—use Azure Advisor recommendations for untagged resources.
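The audit and inheritance steps above can be rehearsed offline before any policy is assigned. The following is an added example, not code from this guide or from Azure: it reads an exported inventory, matches tag names case-insensitively, and reports which missing tags an inherit-from-resource-group policy could fill and which need a manual decision. The record shape (name, resourceGroup, tags) and all sample data are constructed assumptions.

```python
# Added example: offline tag-compliance audit over an exported inventory.

def get_tag(tags, name):
    """Case-insensitive tag lookup; returns None when the tag is absent."""
    for key, value in (tags or {}).items():   # untagged resources export tags as null
        if key.casefold() == name.casefold():
            return value
    return None


def audit(resources, group_tags, required):
    """List non-compliant resources. For each missing tag, record the value an
    inherit-if-missing policy would copy from the resource group, or flag the
    tag for manual follow-up when the group does not carry it either."""
    report = []
    for res in resources:
        rg = group_tags.get(res["resourceGroup"].casefold(), {})
        missing, inheritable = [], {}
        for name in required:
            if get_tag(res.get("tags"), name) is not None:
                continue
            missing.append(name)
            rg_value = get_tag(rg, name)
            if rg_value:
                inheritable[name] = rg_value
        if missing:
            report.append({
                "name": res["name"],
                "missing": missing,
                "inheritable": inheritable,
                "manual": [m for m in missing if m not in inheritable],
            })
    return report


# Constructed sample data, keyed the way this example assumes the export looks.
REQUIRED = ("Environment", "CostCenter")
GROUP_TAGS = {
    "rg-marketing": {"CostCenter": "Marketing"},
    "rg-it": {"Environment": "Dev"},
}
INVENTORY = [
    {"name": "vm-web-01", "resourceGroup": "rg-marketing",
     "tags": {"Environment": "Production", "CostCenter": "Marketing"}},
    {"name": "st-logs", "resourceGroup": "rg-marketing",
     "tags": {"environment": "Production"}},    # lowercase name still counts
    {"name": "vm-build-02", "resourceGroup": "RG-IT", "tags": None},
]

if __name__ == "__main__":
    for row in audit(INVENTORY, GROUP_TAGS, REQUIRED):
        print(row["name"], "inherit:", row["inheritable"], "manual:", row["manual"])
```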

What This Looks Like on the Job

Enterprise Scenario 1: Cost Allocation for a Multi-Department Organization

A large enterprise with multiple departments (IT, Marketing, HR) needs to track cloud spending by department. They implement a mandatory 'CostCenter' tag on all resources. Using Azure Policy with 'Deny' effect, they block creation of any resource without a valid CostCenter value. They also use the 'Append' effect to automatically add the resource group's CostCenter tag to new resources. For existing resources, they run a PowerShell script to apply tags based on resource group membership. The billing team then uses Cost Management reports grouped by CostCenter to allocate costs. Common pitfall: forgetting to apply tags to resource groups themselves—tags on resource groups do not flow to resources, so policy enforcement is critical.

Enterprise Scenario 2: Environment Isolation and Automation

A DevOps team manages multiple environments (Dev, Test, Prod). They use an 'Environment' tag to identify resources. Azure Policy denies creation of resources without an Environment tag. They also use Azure Automation runbooks to shut down Dev/Test resources during off-hours based on the Environment tag. This reduces costs by 40%. The team also uses Azure Resource Graph to audit that no Production resources have 'AutoShutdown' set to true. Misconfiguration example: a developer creates a VM without an Environment tag—the policy denies it, but the developer doesn't understand why. Solution: clear error messages and a well-documented tagging strategy.

Enterprise Scenario 3: Compliance and Audit Requirements

A financial services company must comply with internal audit requirements that all resources must have an 'Owner' and 'DataClassification' tag. They use Azure Policy with 'Audit' effect to identify non-compliant resources and generate weekly reports. They also use 'Modify' with remediation to automatically apply 'Unknown' to missing tags. The audit team uses Azure Resource Graph to export a list of all resources with their tags. Common issue: tags are case-sensitive in policy conditions—if the policy expects 'Owner' but a resource has 'owner', it will be non-compliant. Solution: use case-insensitive comparison in policy rules.

How AZ-104 Actually Tests This

What AZ-104 Tests on Resource Tagging

AZ-104 exam objective: 'Manage Azure identities and governance' (15-20% of exam). Within that, tagging is part of 'Configure and manage Azure Policy' and 'Manage resource groups'. Expect questions on:

Tag inheritance (resources do NOT inherit from resource group)

Policy effects for tagging (Deny, Audit, Append, Modify)

Tag limits (50 per resource, max 512/256 characters)

Using tags for cost management (tags must be applied before billing period)

Remediation tasks for Modify effect (requires managed identity)

Common Wrong Answers and Why Candidates Choose Them

1. 'Tags are inherited from the resource group' – This is the #1 trap. Candidates assume that because resource group tags are visible in the portal, resources automatically get them. Reality: Tags are NOT inherited. You must use Azure Policy to copy them.

2. 'Append effect can fix existing resources' – Candidates confuse Append with Modify. Append only works on creation of new resources. To fix existing resources, you need Modify with a remediation task.

3. 'Tags can be used for RBAC' – Tags are not security principals. RBAC uses Azure AD roles, not tags. However, you can use conditions in Azure RBAC based on tags (e.g., allow access only if resource has tag 'Environment=Production'), but this is an advanced scenario.

4. 'Tagging a resource group tags all resources inside' – No. Each resource must be tagged individually or via policy.

Specific Numbers and Terms on the Exam

50 tags per resource

Tag name max 512 characters, value max 256 characters

Policy effects: Deny, Audit, Append, Modify

Remediation task requires a managed identity

Built-in policies: 'Require a tag on resources', 'Inherit a tag from the resource group if missing'

Edge Cases and Exceptions

Some resource types do not support tags (e.g., Azure NetApp Files volumes, classic resources). Check documentation.

Tags cannot contain personally identifiable information (PII) as they are visible to readers.

Tags are case-preserving but case-insensitive for comparison. Policy conditions should use equals with case-insensitive mode or stringEqualsIgnoreCase.

Deleting a resource group deletes all tags on that resource group, but tags on resources remain until the resources are deleted.

How to Eliminate Wrong Answers

If a question asks about enforcing tags on new resources, look for 'Deny' or 'Append' effect. If it asks about existing resources, look for 'Modify' with remediation.

If a question mentions cost allocation, remember that tags must be applied before usage data is generated.

If a question mentions automatic inheritance, it is likely a trick—resources do not inherit tags from resource group by default.

Key Takeaways

Tags are key-value pairs applied to Azure resources for organization, cost management, and policy enforcement.

Resources do NOT inherit tags from their resource group; use Azure Policy to enforce inheritance.

Maximum of 50 tags per resource; tag names up to 512 characters, values up to 256 characters.

Azure Policy effects for tagging: Deny, Audit, Append, Modify.

Append effect works only on new or updated resources; Modify effect with remediation task fixes existing resources.

Tags must be applied before the billing period to appear on cost reports.

Tags are not security features and cannot be used directly for RBAC, but RBAC conditions can reference tags.

Use Azure Resource Graph to query resources by tags with KQL.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Append Effect

Applies only during resource creation or update.

Cannot fix existing non-compliant resources.

No need for managed identity.

Simple to set up for new resources.

Limited to adding tags (cannot remove or change values).

Modify Effect

Can fix existing non-compliant resources via remediation task.

Requires a managed identity with contributor permissions.

Supports adding, removing, or changing tag values.

Remediation tasks can be scheduled or triggered manually.

More complex to configure but more flexible.

Watch Out for These

Mistake

Tags applied to a resource group automatically apply to all resources within it.

Correct

Tags are not inherited. Each resource must be tagged individually. Use Azure Policy with 'Append' or 'Modify' effect to copy resource group tags to resources.

Mistake

The 'Append' policy effect can fix existing non-compliant resources.

Correct

Append only works during resource creation or update. To fix existing resources, use the 'Modify' effect with a remediation task.

Mistake

Tags can be used to control access to resources via RBAC.

Correct

Tags are metadata, not security attributes. RBAC uses Azure AD identities and roles. However, Azure RBAC can use conditions based on tags, but this is not the same as using tags for access control.

Mistake

There is no limit to the number of tags per resource.

Correct

Azure enforces a maximum of 50 tags per resource. Exceeding this limit will cause an error when applying tags.

Mistake

Tags are automatically propagated to billing data even if applied after the resource is created.

Correct

Tags appear on billing reports only if they were applied before the usage period. Retroactive tagging does not update past bills.


Frequently Asked Questions

How do I enforce that all new VMs have an 'Environment' tag?

Create an Azure Policy assignment using the built-in policy 'Require a tag and its value on resources' with parameter tagName='Environment'. Set effect to 'Deny' to block creation of VMs without the tag. Assign the policy at the subscription or resource group level.

Can I automatically copy resource group tags to resources?

Yes, use Azure Policy with the 'Append' effect to add missing tags from the resource group to resources during creation. For existing resources, use the 'Modify' effect with a remediation task. There is no automatic inheritance by default.

What is the difference between 'Append' and 'Modify' policy effects for tags?

Append adds tags only when a resource is created or updated—it cannot fix existing resources. Modify can add, change, or remove tags on existing resources via a remediation task. Modify requires a managed identity with contributor permissions.

How do I see tags on my Azure bill?

In the Azure portal, go to Cost Management + Billing, select 'Cost analysis', and group by tag. Tags appear on bills only if they were applied to resources before the usage period. Ensure tags are applied at the start of the billing cycle.

What happens if I exceed the 50-tag limit on a resource?

You will receive an error when trying to add more tags. You must remove some tags before adding new ones. Plan your tagging strategy to stay within limits by using meaningful key-value pairs rather than multiple tags.

Can I use tags to grant or deny access to resources?

No, tags are not used for access control. However, Azure RBAC supports conditions that can allow or deny access based on tags (e.g., allow read access only to resources with tag 'Environment=Production'). This is an advanced feature.

How do I find all resources missing a specific tag?

Use Azure Resource Graph with a KQL query like: `resources | where tags !has 'Environment'`. Alternatively, use Azure Policy with 'Audit' effect to list non-compliant resources in the compliance dashboard.
