🍳 Mise-en-Tag Enforcer for Azure

No enterprise bloat. No complex setup. Just tag enforcement that works. Deploy an Azure Policy that enforces essential tags on all resource groups in minutes.

Overview

The Mise-en-Tag Enforcer for Azure is a simple yet powerful tool that deploys an Azure Policy to enforce essential tags on all resource groups. This ensures proper governance, cost allocation, and resource management across your Azure environment without the complexity of enterprise-grade solutions.

This tool enforces four essential tags on all resource groups:

  • Environment (Production, Development, Test, Staging)
  • Owner (Team or individual responsible)
  • CostCenter (For billing allocation)
  • Application (Workload identification)

Features

Simple Deployment

Deploy in minutes with a single PowerShell command

Flexible Scope

Apply at management group or subscription level

Customizable Tags

Define your own set of required tags

Multiple Enforcement Modes

Choose between Deny, Audit, or Disabled

What-If Support

Preview changes before applying

Clear Reporting

Easy compliance checking via Azure Policy

Benefits

  • Improved Cost Allocation: Accurately track and allocate costs by department, team, or project
  • Enhanced Governance: Ensure all resource groups follow organizational standards
  • Clear Ownership: Identify responsible teams or individuals for each resource group
  • Simplified Management: Easily filter and organize resources by environment or application

Prerequisites

System Requirements

  • PowerShell: Version 5.1 or later
  • Azure PowerShell Module: Latest version installed
  • Azure Authentication: User must be logged in with Connect-AzAccount

Required Permissions

  • Policy Contributor: Role at the target scope (management group or subscription)

Azure PowerShell Setup

# Install Azure PowerShell module (if not already installed)
Install-Module -Name Az -AllowClobber -Scope CurrentUser

# Login to Azure
Connect-AzAccount

# Verify access
Get-AzContext

Quick Start (PowerShell - Recommended)

1. Download the Script

Download the script directly from GitHub or save it as Deploy-EssentialTagsPolicy.ps1

2. Deploy to Management Group

# Replace 'your-mg-id' with your management group ID
./Deploy-EssentialTagsPolicy.ps1 -Scope ManagementGroup -ScopeId "your-mg-id"

3. Deploy to Subscription

# Replace 'your-subscription-id' with your subscription ID
./Deploy-EssentialTagsPolicy.ps1 -Scope Subscription -ScopeId "your-subscription-id"

4. Test First (Recommended)

# Dry run to see what would happen
./Deploy-EssentialTagsPolicy.ps1 -Scope Subscription -ScopeId "your-subscription-id" -WhatIf

Manual Deployment (Azure Portal)

Step 1: Create Policy Definition

  1. Navigate to Azure Policy

    Go to Azure Portal → Search "Policy" → Select "Policy"

  2. Create Definition

    Click "Definitions" → "Policy definition" → "+ Policy definition"

  3. Fill in Details
    • Definition location: Select your Management Group or Subscription
    • Name: require-essential-tags-resource-groups
    • Display name: Require Essential Tags on Resource Groups
    • Category: Create new → Governance
  4. Copy Policy Rule

    Copy the entire content from essential-tags-policy.json and paste into the "Policy rule" text box

    Click "Save"

Step 2: Assign the Policy

  1. Create Assignment

    Go to "Assignments" → "+ Assign policy"

  2. Assignment Details
    • Scope: Select your Management Group or Subscription
    • Policy definition: Search for "Require Essential Tags on Resource Groups"
    • Assignment name: essential-tags-policy
  3. Configure Parameters
    • Effect: Choose "Deny" (or "Audit" for testing)
    • Required Tags: Leave default or customize
  4. Review and Create

    Click "Review + create" → "Create"

Usage Examples

Compliant Resource Groups

✅ ALLOWS (Compliant Resource Group)

# Resource group with all required tags
az group create \
  --name "myapp-prod-rg" \
  --location "eastus" \
  --tags Environment=Production Owner=platform-team CostCenter=engineering Application=web-app

Non-Compliant Resource Groups

❌ BLOCKS (Non-Compliant Resource Group)

# Missing tags - will be denied
az group create \
  --name "random-rg" \
  --location "eastus"
# ERROR: Resource group must have all required tags

Customization Options

Custom Tags

You can customize which tags are required by modifying the RequiredTags parameter:

./Deploy-EssentialTagsPolicy.ps1 `
  -Scope Subscription `
  -ScopeId "your-subscription-id" `
  -RequiredTags @("Environment", "Owner", "CostCenter", "Application", "SecurityContact")

Enforcement Levels

Effect   | Description                          | When to Use
Deny     | Block non-compliant resources        | Production enforcement (recommended)
Audit    | Report violations but allow creation | Initial testing and assessment
Disabled | Turn off the policy                  | Temporary disabling during migrations

Setting Audit Mode

Start with audit mode to see compliance without blocking:

./Deploy-EssentialTagsPolicy.ps1 `
  -Scope Subscription `
  -ScopeId "your-subscription-id" `
  -Effect "Audit"

Custom Assignment Name

You can customize the policy assignment name:

./Deploy-EssentialTagsPolicy.ps1 `
  -Scope Subscription `
  -ScopeId "your-subscription-id" `
  -AssignmentName "my-custom-policy"

Checking Compliance

PowerShell Method

# Check policy compliance
Get-AzPolicyState | Where-Object {$_.PolicyDefinitionName -eq "require-essential-tags-resource-groups"}
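
The Deny effect is evaluated on create and update requests, so resource groups that existed before the assignment stay untagged until someone fixes them. The following is an added example, not part of Deploy-EssentialTagsPolicy.ps1, that inventories the current subscription for resource groups missing any of the four default tags. The variable names and the Environment value check are this example's own assumptions.

```powershell
# Added example: audit existing resource groups against the default required tags.
# Requires Connect-AzAccount; reads the subscription in the current Az context only.
$RequiredTags = @('Environment', 'Owner', 'CostCenter', 'Application')

# Values this page lists for Environment. Checking them is an assumption of this
# example; the page does not say the policy itself validates tag values.
$EnvironmentValues = @('Production', 'Development', 'Test', 'Staging')

$report = @(foreach ($rg in Get-AzResourceGroup) {
    # .Tags is $null when a resource group carries no tags at all
    $tagNames = if ($rg.Tags) { @($rg.Tags.Keys) } else { @() }

    # -notcontains is case-insensitive, matching Azure's handling of tag names
    $missing = @($RequiredTags | Where-Object { $tagNames -notcontains $_ })

    # Look up the Environment value whatever casing the key was created with
    $envKey   = $tagNames | Where-Object { $_ -eq 'Environment' } | Select-Object -First 1
    $envValue = if ($envKey) { $rg.Tags[$envKey] } else { $null }

    # Tag values are case-sensitive, so 'production' is reported as unexpected
    $badEnv = $envKey -and ($EnvironmentValues -cnotcontains $envValue)

    if ($missing.Count -gt 0 -or $badEnv) {
        [pscustomobject]@{
            ResourceGroup         = $rg.ResourceGroupName
            Location              = $rg.Location
            MissingTags           = $missing -join ', '
            UnexpectedEnvironment = if ($badEnv) { $envValue } else { '' }
        }
    }
})

$report | Sort-Object ResourceGroup | Format-Table -AutoSize
'{0} resource group(s) need tag fixes' -f $report.Count
```

Running this while the assignment is still in Audit mode shows which resource groups would fail an update once the effect is switched to Deny.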

Azure Portal Method

  1. Go to Azure Policy → Compliance
  2. Find your "Essential Tags Policy" assignment
  3. View compliant vs non-compliant resources

Troubleshooting

Common Issues

Issue                                  | Possible Cause                      | Resolution
"Access Denied"                        | Insufficient permissions            | Ensure you have Policy Contributor role at the target scope
"Policy not taking effect"             | Policy evaluation delay             | Wait up to 30 minutes for evaluation cycle
"Tags not being enforced on resources" | Policy only targets resource groups | Enable tag inheritance or create separate policies for resources

Debugging Commands

# Check your permissions
Get-AzRoleAssignment | Where-Object {$_.SignInName -eq (Get-AzContext).Account.Id}

# Validate policy assignment
Get-AzPolicyAssignment -Name "essential-tags-policy"

# Force policy evaluation (if needed)
Start-AzPolicyComplianceScan

Next Steps

Recommended Follow-up Actions

  1. Enable Tag Inheritance

    Apply resource group tags to child resources

  2. Set up Cost Allocation

    Use tags in Azure Cost Management

  3. Automate Tag Application

    Use Infrastructure as Code (Terraform/ARM)

  4. Create Tag Policies for Resources

    Extend beyond resource groups

Expected Outcomes

After deployment, you should see:

  • ✅ 100% of new resource groups have required tags
  • ✅ Clear cost allocation in Azure Cost Management
  • ✅ Easy resource identification and ownership
  • ✅ Improved governance and compliance scores

CloudCostChefs Philosophy

We believe cloud cost optimization should be:

  • Fast: Deploy in minutes, not months
  • 🎯 Practical: Real solutions for real problems
  • 🔧 Engineer-friendly: Code over clicks
  • 💰 Immediately valuable: See results on day one

Ready to Enforce Essential Tags?

Download the Mise-en-Tag Enforcer for Azure and start implementing proper tagging governance today.