This chapter covers Azure cost allocation and the critical role of tags in managing cloud spending. For the AZ-900 exam, understanding how tags enable cost attribution, resource organization, and governance is essential—this objective appears in the 'Azure Management Governance' domain, which carries approximately 20-25% of exam questions. You'll learn how tags work, how to apply them, and common pitfalls that can derail your cost management strategy.
Jump to a section
Imagine you run a large warehouse that stores thousands of boxes. Each box represents an Azure resource—a virtual machine, a storage account, a database. Without any labeling, you can see that you have boxes, but you have no idea which department ordered them, which project they belong to, or whether they are for production or testing. To solve this, you decide to stick color-coded post-it notes on each box. A blue note might say "Department: Marketing," a green note "Environment: Production." These notes are your tags. They don't change what's inside the box—the resource still works exactly the same—but they let you instantly sort, search, and report on your inventory. When the monthly warehouse bill arrives, you can tally up costs by color: total cost for all blue notes (Marketing), total for green notes (Production), and even combined (Marketing + Production). Crucially, if you forget to stick a note on a box, that box becomes invisible in your reports—its cost goes into an untagged bucket, making it impossible to attribute accurately. Azure tags work identically: they are metadata key-value pairs attached to resources, enabling cost allocation, management grouping, and automation, without affecting resource functionality. Just as a missing post-it note can lead to misattributed warehouse costs, a missing tag in Azure can cause budget overruns and compliance gaps.
What is Cost Allocation and Why Do We Need Tags?
In an on-premises data center, costs are relatively fixed: you buy servers, pay for electricity, and allocate those expenses to departments based on headcount or square footage. In the cloud, costs are variable and granular—every virtual machine (VM), storage account, and network egress incurs a separate charge. If you run 50 VMs for different projects, how do you know which project is driving costs? Without a mechanism to attribute costs, your monthly bill is a single number with no breakdown. This is where tags come in.
Tags are metadata key-value pairs that you apply to Azure resources. For example, you might apply Environment:Production and CostCenter:Marketing to a VM. Tags do not affect how the resource functions; they are purely organizational. By tagging consistently, you can filter cost reports by tag, enabling chargeback to departments, project cost tracking, and budget monitoring.
How Tags Work: The Mechanism
Tags are simple but powerful. You define a key (a name) and a value. Multiple tags can be applied to a single resource, but each resource can have up to 50 tags. Tags are inherited from resource groups? No—tags are not inherited. This is a common misconception. If you tag a resource group, the resources inside do not automatically receive those tags. You must apply tags explicitly to each resource or use Azure Policy to enforce inheritance.
When you apply a tag, Azure stores it as part of the resource's metadata. The tag is visible in the Azure portal, Azure CLI, PowerShell, and ARM templates. Behind the scenes, Azure Resource Manager (ARM) includes the tags in the resource definition. When you retrieve cost data via Azure Cost Management, the tags are available as dimensions for filtering and grouping.
Key Components and Limits
Tag keys and values: Both are case-sensitive strings. A key can be up to 512 characters, a value up to 256 characters. Keys must be unique per resource—you cannot have two tags with the same key on one resource.
Tag naming conventions: Microsoft recommends using a consistent naming scheme, like Environment, Project, CostCenter, Owner, Department. Avoid using sensitive data in tags, as they can be visible in billing exports.
Tag inheritance: Tags are not inherited from resource groups or subscriptions. However, you can use Azure Policy to enforce tag inheritance. For example, a policy can automatically apply the resource group's CostCenter tag to all new resources created in that group.
Tag application methods: You can apply tags during resource creation (via portal, CLI, or ARM template) or after creation. There is no downtime when adding or modifying tags.
Tag visibility in billing: Tags appear in the Azure portal's Cost Management + Billing area. You can group costs by tag keys and values. Note that tags may take up to 24 hours to appear in cost reports.
On-Premises vs. Cloud Cost Allocation
In an on-premises environment, cost allocation is often done manually using spreadsheets or chargeback systems that allocate fixed overhead. In Azure, allocation is dynamic and granular. Tags allow you to allocate costs at the resource level, not just at the server or rack level. For example, a single VM can be shared by two projects if you run multiple applications on it, but you can still tag it with a primary cost center. Alternatively, you can use multiple tags to split costs conceptually, but Azure does not natively split a single resource's cost across multiple tags—you would need to use custom logic or third-party tools.
Azure Portal and CLI Touchpoints
Azure Portal:
Navigate to any resource -> Overview -> Tags blade. You can add, modify, or delete tags.
In Cost Management + Billing, go to Cost Management -> Cost analysis. Under 'Group by', select 'Tag' and choose a tag key. The chart will show costs grouped by that tag's values.
Azure Policy: Under 'Policy', create a policy definition to enforce tag rules, such as 'Require a tag on resources'.
Azure CLI:
- To list tags on a resource:
az resource show --name <resource-name> --resource-group <rg> --resource-type <type> --query tags- To apply a tag to a resource:
az resource tag --tags Environment=Production CostCenter=Marketing --ids <resource-id>- To apply tags during VM creation:
az vm create --resource-group MyRG --name MyVM --image UbuntuLTS --tags Environment=TestPowerShell:
- Get tags:
Get-AzResource -Name MyVM -ResourceGroupName MyRG | Select-Object Tags- Set tags:
$tags = @{Environment='Production'; CostCenter='Marketing'}
Set-AzResource -ResourceId <resource-id> -Tag $tagsBusiness Scenarios and Best Practices
Scenario 1: Department Chargeback
A company has three departments: Engineering, Marketing, and Sales. Each department uses VMs, storage, and databases. By applying a Department tag with values like Engineering, Marketing, Sales, the finance team can run a monthly cost report grouped by department. This enables accurate chargeback and budget accountability.
Scenario 2: Environment Cost Tracking
A development team runs multiple environments: dev, test, staging, and production. By tagging resources with Environment:Dev, Environment:Test, etc., they can monitor how much each environment costs. This helps identify over-provisioning in non-production environments and optimize spending.
Scenario 3: Automation and Governance
Using Azure Policy, an organization can enforce that all resources must have a CostCenter tag. If a resource is created without it, the policy can deny the creation or automatically apply a default tag. This ensures 100% coverage for cost allocation.
Common Mistakes and How to Avoid Them
Not tagging at creation: Many resources are created without tags, and tagging them later is an extra step. Use Azure Policy to enforce tagging at creation.
Inconsistent tag keys: Using Department, dept, Dept interchangeably breaks grouping. Enforce a standard via policy.
Relying on inheritance: Tags are not inherited. Always apply tags explicitly or use policy to propagate them.
Using too many tags: The 50-tag limit per resource is generous but can be hit if you tag excessively. Stick to essential keys.
Including sensitive data: Tags are visible in billing exports and Azure portal. Avoid putting personal data or secrets in tags.
Define Tagging Strategy
Before applying any tags, plan your taxonomy. Identify which metadata dimensions are important for cost allocation, operations, and governance. Common tag keys include Environment, Project, CostCenter, Owner, and Department. Document the allowed values for each key to ensure consistency. This step is crucial because inconsistent tagging defeats the purpose. For example, if you decide on 'Environment:Production', do not allow 'env:prod' or 'Env:Prod'. Use Azure Policy to enforce the strategy.
Apply Tags to Resources
Apply tags during resource creation or after. In the Azure portal, go to the resource's 'Tags' blade and add key-value pairs. Use Azure CLI or PowerShell for bulk operations. For example, to tag all VMs in a resource group with 'Environment:Production', you can loop through resources. Remember that tags are not inherited, so you must tag each resource individually. Azure Policy can automate this by applying tags at creation based on resource group tags.
Use Azure Policy to Enforce Tagging
Create policy definitions to require specific tags on resources. For example, the built-in policy 'Require a tag on resources' denies creation if the tag is missing. You can also use the 'Inherit a tag from the resource group' policy to automatically copy the resource group's tag to new resources. Policies can be assigned at management group, subscription, or resource group scope. This step ensures compliance and reduces manual effort.
View Cost Reports by Tag
In the Azure portal, navigate to Cost Management + Billing -> Cost Management -> Cost analysis. Under 'Group by', select 'Tag' and choose the tag key you want to group by. The chart will display costs aggregated by tag values. You can also set budgets and alerts based on tag filters. For example, create a budget for 'Marketing' department resources by filtering on 'Department:Marketing'. Note that tags may take up to 24 hours to appear in cost data.
Monitor and Maintain Tag Hygiene
Regularly audit your resources for missing or incorrect tags. Use Azure Resource Graph to query resources without required tags. For example, run a query: `resources | where tags['CostCenter'] == ''`. Correct any issues by modifying tags. Also, review tag usage in cost reports to ensure accuracy. As resources are decommissioned, remove tags if needed. Tag hygiene is an ongoing process, not a one-time task.
Scenario 1: Multi-Department Chargeback at a Retail Company
A retail company with 500 employees runs its e-commerce platform, internal ERP, and data analytics on Azure. The finance team needs to allocate cloud costs to each business unit (e.g., E-commerce, Finance, HR). They define a tagging strategy with keys like Department, Environment, and Project. They apply tags to all resources using Azure Policy to enforce that every new resource gets a Department tag. Monthly, they run cost analysis grouped by Department to generate chargeback reports. The challenge is that some resources are shared, like a database used by both E-commerce and Finance. They handle this by tagging such resources with a Department value of 'Shared' and then splitting costs manually based on usage metrics from the database. Without tags, the finance team would have to manually estimate costs, leading to inaccuracies and disputes.
Scenario 2: Environment Cost Optimization at a SaaS Startup
A SaaS startup has multiple environments: dev, test, staging, and production. They tag each resource with Environment and CostCenter. They notice that dev and test environments have many idle VMs and oversized databases. By filtering cost reports by Environment:Dev, they see that dev costs are 40% of total cloud spend. They downsize resources and implement auto-shutdown schedules, reducing dev costs by 60%. Without tags, they would not have visibility into environment-specific spending and would miss optimization opportunities.
Scenario 3: Compliance and Audit at a Financial Services Firm
A financial firm must comply with regulatory requirements that mandate cost allocation by business line. They use tags to track costs by BusinessUnit and ComplianceRequirement. An auditor asks for a breakdown of costs for the 'Trading' business unit. The firm exports cost data from Azure Cost Management filtered by BusinessUnit:Trading. The export includes all tagged resources. If any resource were missing the tag, its cost would fall into an untagged bucket, potentially causing a compliance finding. The firm uses Azure Policy to enforce tagging and runs weekly Azure Resource Graph queries to detect untagged resources. This ensures audit readiness at all times.
Objective Code: AZ-900 Domain 3 - Azure Management Governance | Objective 3.1: Describe cost management in Azure
The exam tests your understanding of tags as a tool for cost allocation, not as a security or performance tool. You must know:
Tags are key-value pairs applied to resources.
Tags are not inherited from resource groups or subscriptions.
Tags can be used to group costs in Cost Management.
Azure Policy can enforce tagging rules.
Each resource can have up to 50 tags.
Tags are visible in billing reports but may take up to 24 hours to appear.
Common Wrong Answers and Why Candidates Choose Them 1. "Tags are inherited from the resource group." Many candidates assume inheritance because resource group settings like location or policies often apply to child resources. But tags are explicit—they do not inherit. The exam loves this trick. 2. "Tags can be used to control access to resources." Tags are metadata, not security principals. RBAC controls access, not tags. Candidates confuse organizational grouping with security. 3. "Tags are required on all resources." Tags are optional unless enforced by policy. The exam may present a scenario where a resource lacks a tag and ask if it's allowed—the answer is yes, unless a policy denies it. 4. "Tags can be used to restrict resource usage." Tags do not enforce quotas or limits. Azure Policy and budgets do that. Tags only help with reporting.
Specific Terms and Values - Maximum tags per resource: 50. - Tag key length: up to 512 characters. - Tag value length: up to 256 characters. - Tag keys are case-sensitive. - Tags appear in cost reports within 24 hours.
Edge Cases - If you delete a tag from a resource, it is removed permanently. There is no versioning. - Tags on deleted resources are not retained in cost reports after the resource is deleted (though historical cost data remains). - You cannot tag a resource that is in a 'failed' provisioning state.
Memory Trick Remember the acronym T.A.G. : T - Tags are metadata (not security), A - Apply to resources (not inherited), G - Group costs in reports. If a question mentions tags, ask yourself: Is it about cost allocation? If yes, tags are relevant. If about security, performance, or resource limits, tags are not the answer.
Tags are key-value pairs applied to Azure resources for cost allocation and organization.
Tags are not inherited from resource groups or subscriptions.
Each resource can have up to 50 tags.
Tags are case-sensitive; 'Environment' and 'environment' are different.
Azure Policy can enforce tagging rules, such as requiring a specific tag on all resources.
Tags appear in Azure Cost Management reports within 24 hours.
Tags do not control access; use RBAC for security.
Common tag keys include Environment, Project, CostCenter, Owner, and Department.
Use consistent naming conventions to avoid fragmentation in reporting.
Untagged resources appear in a separate 'untagged' bucket in cost reports, making cost allocation incomplete.
These come up on the exam all the time. Here's how to tell them apart.
Tags
Metadata key-value pairs attached to resources.
Used for cost allocation, organization, and automation.
Do not enforce compliance; they only describe.
Applied manually or via scripts/CLI.
Can be read by cost management tools.
Azure Policy
Rules that enforce compliance and governance.
Used to ensure resources meet standards (e.g., require tags).
Can deny or audit non-compliant resources.
Assigned at management group, subscription, or resource group scope.
Can automatically apply tags (inherit or append).
Mistake
Tags are automatically inherited from the resource group.
Correct
Tags are not inherited. You must apply tags to each resource individually or use Azure Policy to automatically propagate tags from the resource group to its resources.
Mistake
Tags can be used to control access to resources.
Correct
Tags are metadata only. Access control is managed via Azure RBAC (Role-Based Access Control). Tags do not grant or deny permissions.
Mistake
All resources must have tags.
Correct
Tags are optional unless an Azure Policy enforces them. You can create resources without tags, but they will not be grouped in cost reports by tag.
Mistake
Tags are case-insensitive.
Correct
Tag keys and values are case-sensitive. 'Environment' and 'environment' are considered different tags.
Mistake
Tags can be applied to resource groups and subscriptions only.
Correct
Tags can be applied to individual resources, resource groups, and subscriptions. However, tags on resource groups or subscriptions do not apply to child resources.
No, tags are not inherited. If you tag a resource group, the resources inside do not automatically get those tags. You must apply tags to each resource individually, or use Azure Policy to automatically propagate tags from the resource group to its resources. The exam often tests this misconception.
You can apply up to 50 tags per resource. This limit is per resource, not per tag key. If you need more than 50, consider using a single tag with a JSON string as the value, but that makes reporting harder. The exam may ask about this limit.
No, tags are metadata only. They do not affect access control. Azure RBAC (Role-Based Access Control) is used to manage permissions. Tags can be used in Azure Policy to deny access based on tags, but the tags themselves do not grant or deny access. The exam often includes distractor answers suggesting tags control access.
Tags may take up to 24 hours to appear in Azure Cost Management reports. This is because cost data is aggregated and processed periodically. If you apply a tag and don't see it immediately, wait a day. The exam may ask about this delay.
There is no direct rename operation. To change a tag key or value, you must remove the old tag and add a new one. For example, if you have a tag 'Department:Marketing' and want to change it to 'Dept:Marketing', you would delete the old tag and add the new one. This can be done via portal, CLI, or PowerShell.
When a resource is deleted, its tags are also deleted. However, historical cost data that includes the tags remains in Azure Cost Management for reporting purposes. You cannot recover tags from a deleted resource.
Yes, you can filter and group resources by tags in the Azure portal. For example, you can view all resources with a specific tag key-value pair. This helps with management and troubleshooting. However, tags are not a substitute for resource groups or management groups for organizing resources.
You've just covered Azure Cost Allocation and Tags — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?