Skip to main content

Standard deployment path

Structured quick-reference sections for prerequisites, installation, usage, and troubleshooting.

Prerequisites

  • PowerShell 5.1+ with the Az module installed
  • Authenticated Azure session via Connect-AzAccount
  • Policy Contributor at the target management group or subscription scope

Recommended deployment path

  1. 1Run the script in WhatIf mode first to preview policy definition and assignment changes.
  2. 2Deploy in Audit mode to measure current tag compliance without blocking new resource groups.
  3. 3Switch to Deny mode after teams validate required tags and naming conventions.
powershell
# Preview changes first
./Deploy-EssentialTagsPolicy.ps1 -Scope Subscription -ScopeId "<subscription-id>" -WhatIf

# Start in audit mode
./Deploy-EssentialTagsPolicy.ps1 -Scope Subscription -ScopeId "<subscription-id>" -EnforcementMode Audit

What this policy enforces

TagPurposeTypical values
EnvironmentLifecycle and workload separationProduction, Development, Test, Staging
OwnerAccountability and incident routingTeam name or responsible owner
CostCenterChargeback/showback allocationBusiness unit or finance code
ApplicationWorkload identificationApp/service name

Compliance checks and troubleshooting

  • Use Azure Policy compliance scans after deployment if results do not appear immediately.
  • Policy evaluation can take time; allow up to ~30 minutes before concluding the assignment failed.
  • Resource-level tagging is separate from resource-group enforcement unless you add inheritance or additional policies.
powershell
Get-AzPolicyAssignment -Name "essential-tags-policy"
Start-AzPolicyComplianceScan

Test in Audit mode before enforcing Deny in production subscriptions to avoid blocking deployment pipelines unexpectedly.

Mise-en-Tag Enforcer for Azure

No enterprise bloat. No complex setup. Just tag enforcement that works. Deploy an Azure Policy that enforces essential tags on all resource groups in minutes.

On This Page

Overview

The Mise-en-Tag Enforcer for Azure is a simple yet powerful tool that deploys an Azure Policy to enforce essential tags on all resource groups. This ensures proper governance, cost allocation, and resource management across your Azure environment without the complexity of enterprise-grade solutions.

Blaze
Blaze says:Start with Audit mode before switching to Deny -- it lets you see exactly which resource groups would get blocked without disrupting your team's workflow. Trust me, your devs will thank you.

This tool enforces four essential tags on all resource groups:

  • Environment (Production, Development, Test, Staging)
  • Owner (Team or individual responsible)
  • CostCenter (For billing allocation)
  • Application (Workload identification)

Features

Simple Deployment

Deploy in minutes with a single PowerShell command

Flexible Scope

Apply at management group or subscription level

Customizable Tags

Define your own set of required tags

Multiple Enforcement Modes

Choose between Deny, Audit, or Disabled

What-If Support

Preview changes before applying

Clear Reporting

Easy compliance checking via Azure Policy

Benefits

  • Improved Cost Allocation: Accurately track and allocate costs by department, team, or project
  • Enhanced Governance: Ensure all resource groups follow organizational standards
  • Clear Ownership: Identify responsible teams or individuals for each resource group
  • Simplified Management: Easily filter and organize resources by environment or application

Prerequisites

System Requirements

  • PowerShell: Version 5.1 or later
  • Azure PowerShell Module: Latest version installed
  • Azure Authentication: User must be logged in with Connect-AzAccount

Required Permissions

  • Policy Contributor: Role at the target scope (management group or subscription)

Azure PowerShell Setup

# Install Azure PowerShell module (if not already installed)
Install-Module -Name Az -AllowClobber -Scope CurrentUser

# Login to Azure
Connect-AzAccount

# Verify access
Get-AzContext

Quick Start (PowerShell - Recommended)

1. Download the Script

Download the script directly from GitHub or save it as Deploy-EssentialTagsPolicy.ps1

2. Deploy to Management Group

# Replace 'your-mg-id' with your management group ID
./Deploy-EssentialTagsPolicy.ps1 -Scope ManagementGroup -ScopeId"your-mg-id"

3. Deploy to Subscription

# Replace 'your-subscription-id' with your subscription ID
./Deploy-EssentialTagsPolicy.ps1 -Scope Subscription -ScopeId"your-subscription-id"

4. Test First (Recommended)

# Dry run to see what would happen
./Deploy-EssentialTagsPolicy.ps1 -Scope Subscription -ScopeId"your-subscription-id" -WhatIf

Manual Deployment (Azure Portal)

Step 1: Create Policy Definition

  1. Navigate to Azure Policy

    Go to Azure Portal → Search"Policy" → Select"Policy"

  2. Create Definition

    Click"Definitions" →"Policy definition" →"+ Policy definition"

  3. Fill in Details
    • Definition location: Select your Management Group or Subscription
    • Name: require-essential-tags-resource-groups
    • Display name: Require Essential Tags on Resource Groups
    • Category: Create new → Governance
  4. Copy Policy Rule

    Copy the entire content from essential-tags-policy.json and paste into the"Policy rule" text box

    Click"Save"

Step 2: Assign the Policy

  1. Create Assignment

    Go to"Assignments" →"+ Assign policy"

  2. Assignment Details
    • Scope: Select your Management Group or Subscription
    • Policy definition: Search for"Require Essential Tags on Resource Groups"
    • Assignment name: essential-tags-policy
  3. Configure Parameters
    • Effect: Choose"Deny" (or"Audit" for testing)
    • Required Tags: Leave default or customize
  4. Review and Create

    Click"Review + create" →"Create"

Usage Examples

Compliant Resource Groups

ALLOWS (Compliant Resource Group)

# Resource group with all required tags
az group create \
 --name"myapp-prod-rg" \
 --location"eastus" \
 --tags Environment=Production Owner=platform-team CostCenter=engineering Application=web-app

Non-Compliant Resource Groups

BLOCKS (Non-Compliant Resource Group)

# Missing tags - will be denied
az group create \
 --name"random-rg" \
 --location"eastus"
# ERROR: Resource group must have all required tags

Customization Options

Custom Tags

You can customize which tags are required by modifying the RequiredTags parameter:

./Deploy-EssentialTagsPolicy.ps1 `
 -Scope Subscription `
 -ScopeId"your-subscription-id" `
 -RequiredTags @("Environment","Owner","CostCenter","Application","SecurityContact")

Enforcement Levels

EffectDescriptionWhen to Use
DenyBlock non-compliant resourcesProduction enforcement (recommended)
AuditReport violations but allow creationInitial testing and assessment
DisabledTurn off the policyTemporary disabling during migrations

Setting Audit Mode

Start with audit mode to see compliance without blocking:

./Deploy-EssentialTagsPolicy.ps1 `
 -Scope Subscription `
 -ScopeId"your-subscription-id" `
 -Effect"Audit"

Custom Assignment Name

You can customize the policy assignment name:

./Deploy-EssentialTagsPolicy.ps1 `
 -Scope Subscription `
 -ScopeId"your-subscription-id" `
 -AssignmentName"my-custom-policy"

Checking Compliance

PowerShell Method

# Check policy compliance
Get-AzPolicyState | Where-Object {$_.PolicyDefinitionName -eq"require-essential-tags-resource-groups"}

Azure Portal Method

  1. Go to Azure PolicyCompliance
  2. Find your"Essential Tags Policy" assignment
  3. View compliant vs non-compliant resources

Troubleshooting

Common Issues

IssuePossible CauseResolution
"Access Denied"Insufficient permissionsEnsure you have Policy Contributor role at the target scope
"Policy not taking effect"Policy evaluation delayWait up to 30 minutes for evaluation cycle
"Tags not being enforced on resources"Policy only targets resource groupsEnable tag inheritance or create separate policies for resources

Debugging Commands

# Check your permissions
Get-AzRoleAssignment | Where-Object {$_.SignInName -eq (Get-AzContext).Account.Id}

# Validate policy assignment
Get-AzPolicyAssignment -Name"essential-tags-policy"

# Force policy evaluation (if needed)
Start-AzPolicyComplianceScan

Next Steps

Recommended Follow-up Actions

  1. Enable Tag Inheritance

    Apply resource group tags to child resources

  2. Set up Cost Allocation

    Use tags in Azure Cost Management

  3. Automate Tag Application

    Use Infrastructure as Code (Terraform/ARM)

  4. Create Tag Policies for Resources

    Extend beyond resource groups

Expected Outcomes

After deployment, you should see:

  • 100% of new resource groups have required tags
  • Clear cost allocation in Azure Cost Management
  • Easy resource identification and ownership
  • Improved governance and compliance scores

CloudCostChefs Philosophy

We believe cloud cost optimization should be:

  • Fast: Deploy in minutes, not months
  • Practical: Real solutions for real problems
  • Engineer-friendly: Code over clicks
  • Immediately valuable: See results on day one

Ready to Enforce Essential Tags?

Download the Mise-en-Tag Enforcer for Azure and start implementing proper tagging governance today.

View on GitHub

What to do next

Pick the path that fits where you are right now.

Browse Tools35+ free scripts & utilities
Browse Guides25+ step-by-step guides

Trust & run-safety metadata

Key execution details for Mise-en-Tag Enforcer for Azure - Essential Tags Policy so users know what they are downloading or running before they act.

Need verification guidance? See Security & Trust and Responsible Disclosure.

May change resourcesGitHub sourceExplicit + inferred metadata

Maintainer

CloudCostChefs

Last Updated

June 16, 2025

Last Tested

February 23, 2026

Minimum Access

Policy Contributor (or equivalent Azure Policy assignment rights) at the target management group/subscription scope

Execution Type

GitHub-hosted PowerShell policy deployment script (Azure Policy definition/assignment)

Version

2025-06-16

SHA256 Checksum

Not published yet (recommend adding checksum for downloadable files)

Verification Notes

GitHub-hosted governance automation that deploys or updates Azure Policy artifacts. Review policy rules, effects, scope, and exclusions before rollout.

Safe Usage Checklist

  • Pilot in audit mode or a non-production scope first to validate impact before enabling deny/enforcement behavior.
  • Document exemptions and rollback/removal steps for policy assignments before organization-wide deployment.
  • Run in a non-production subscription/account/tenancy first and capture sample output before broader rollout.
  • Use least-privilege access. Current best hint from docs: Policy Contributor (or equivalent Azure Policy assignment rights) at the target management group/subscription scope.

Quick start (fast path)

Minimal steps to safely get value from this tool without reading the entire page first.

Estimated time: 10 minutes to deployDifficulty: BeginnerAccess: Write-capable

  1. 1. Confirm scope and permissions

    Use least privilege and test in a non-production scope first. Minimum access hint: Policy Contributor (or equivalent Azure Policy assignment rights) at the target management group/subscription scope.

  2. 2. Get the tool package / source

    View on GitHub and review the files before running.

    GitHub

  3. 3. Check prerequisites

    • ✅ PowerShell 5.1+ with Azure PowerShell module installed
    • ✅ Azure login via Connect-AzAccount
    • ✅ Policy Contributor role at target scope (management group or subscription)

  4. 4. Run safely and review output

    GitHub-hosted governance automation that deploys or updates Azure Policy artifacts. Review policy rules, effects, scope, and exclusions before rollout. Start with a small sample scope, then expand once results look correct.

Browse all toolsStart free assessment

Ready to use this tool?

Grab the files or open the source from the end of the page. No need to scroll back to the top.

View on GitHubBrowse All ToolsBack to Top
GitHubRelated