# Mandatory Tags on All Azure Resources
## Rule
Every Azure resource MUST have the mandatory tag set applied at creation. Use Azure Policy with 'deny' effect to prevent untagged resource creation.
## Required Tags
```json
{
  "Project": "myapp",
  "Environment": "production",
  "Team": "platform",
  "ManagedBy": "terraform"
}
```
## Azure Policy (Deny Untagged)
Mode `Indexed` limits evaluation to resource types that support tags and location; with mode `All`, resource types that cannot carry tags (subnets, for example) would be denied as well.
```json
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "anyOf": [
        { "field": "tags['Project']", "exists": "false" },
        { "field": "tags['Environment']", "exists": "false" },
        { "field": "tags['Team']", "exists": "false" }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```
## Tag Inheritance Policy
The `modify` effect adds the tag during create or update; the policy assignment needs a managed identity holding the role listed in `roleDefinitionIds` (Contributor below), and existing resources are only changed by a remediation task.
```json
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "tags['Environment']", "exists": "false" },
        { "value": "[resourceGroup().tags['Environment']]", "notEquals": "" }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "tags['Environment']",
            "value": "[resourceGroup().tags['Environment']]"
          }
        ],
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ]
      }
    }
  }
}
```
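The two policies interact at creation time: Azure Policy evaluates `modify` before `deny`, so a resource that omits `Environment` but lives in a resource group carrying that tag is first completed by the inheritance policy and then passes the deny check. The following offline simulator is an added example (not the Azure Policy engine and not part of this page): it implements only the operators the two policies use (`anyOf`, `allOf`, `exists`, `value`/`notEquals`, `addOrReplace`) and runs the page's policies against a few constructed tag sets, including the "Bad Examples" below. The resource and resource-group tags are constructed sample data.

```python
"""Offline simulation of the deny and inheritance tag policies (added example).

Implements only the Azure Policy operators the two policies use and the
single template expression they reference; it is not the real engine.
"""
from __future__ import annotations

# Policy rules copied from the page; 'mode' is omitted because the simulator
# only ever evaluates taggable resources.
DENY_UNTAGGED = {
    "if": {"anyOf": [
        {"field": "tags['Project']", "exists": "false"},
        {"field": "tags['Environment']", "exists": "false"},
        {"field": "tags['Team']", "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}

INHERIT_ENVIRONMENT = {
    "if": {"allOf": [
        {"field": "tags['Environment']", "exists": "false"},
        {"value": "[resourceGroup().tags['Environment']]", "notEquals": ""},
    ]},
    "then": {"effect": "modify", "details": {"operations": [
        {"operation": "addOrReplace",
         "field": "tags['Environment']",
         "value": "[resourceGroup().tags['Environment']]"},
    ]}},
}


def _tag_name(field: str) -> str:
    """Turn the field alias "tags['Project']" into the tag key "Project"."""
    if not (field.startswith("tags['") and field.endswith("']")):
        raise ValueError(f"unsupported field alias: {field}")
    return field[len("tags['"):-2]


def _resolve(value: str, rg_tags: dict[str, str]) -> str:
    """Resolve the one template expression the page uses; literals pass through."""
    if value == "[resourceGroup().tags['Environment']]":
        return rg_tags.get("Environment", "")
    return value


def _condition(cond: dict, tags: dict[str, str], rg_tags: dict[str, str]) -> bool:
    """Evaluate an 'if' block: logical operators or one field/value condition."""
    if "anyOf" in cond:
        return any(_condition(c, tags, rg_tags) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(_condition(c, tags, rg_tags) for c in cond["allOf"])
    if "field" in cond and "exists" in cond:
        present = _tag_name(cond["field"]) in tags
        return present == (cond["exists"] == "true")
    if "value" in cond and "notEquals" in cond:
        return _resolve(cond["value"], rg_tags) != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, tags: dict[str, str], rg_tags: dict[str, str]):
    """Return (effect, resulting tags); effect is 'none' when 'if' does not match."""
    if not _condition(policy["if"], tags, rg_tags):
        return "none", dict(tags)
    effect = policy["then"]["effect"]
    new_tags = dict(tags)
    if effect == "modify":
        for op in policy["then"]["details"]["operations"]:
            if op["operation"] == "addOrReplace":
                new_tags[_tag_name(op["field"])] = _resolve(op["value"], rg_tags)
    return effect, new_tags


def create_resource(tags: dict[str, str], rg_tags: dict[str, str]):
    """Simulate a create request: modify is applied before deny is checked.

    Returns (allowed, final tags)."""
    _, tags = evaluate(INHERIT_ENVIRONMENT, tags, rg_tags)
    effect, tags = evaluate(DENY_UNTAGGED, tags, rg_tags)
    return effect != "deny", tags


if __name__ == "__main__":
    # Constructed sample requests (tags on the resource, tags on its resource group).
    samples = [
        ("full tag set", {"Project": "myapp", "Environment": "production",
                          "Team": "platform", "ManagedBy": "terraform"}, {}),
        ("bad example, Name only", {"Name": "myvm"}, {"Environment": "production"}),
        ("Environment inherited", {"Project": "myapp", "Team": "platform"},
         {"Environment": "production"}),
        ("nothing to inherit", {"Project": "myapp", "Team": "platform"}, {}),
    ]
    for label, tags, rg_tags in samples:
        allowed, final = create_resource(tags, rg_tags)
        print(f"{label:24} allowed={allowed} tags={final}")
```

Run it before assigning the policies to check that the tag sets your pipelines emit are accepted, and keep in mind that the real `modify` effect also needs the assignment's managed identity and a remediation task for resources that already exist.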
## Good Examples
```bash
# CLI with tags
az storage account create -n myappsa -g myapp-prod-rg \
  --tags Project=myapp Environment=production Team=platform ManagedBy=terraform
```
```bicep
// Bicep with tags (name, location, sku and kind are required properties)
param appName string
param environment string
param team string

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: '${appName}sa'
  location: resourceGroup().location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  tags: {
    Project: appName
    Environment: environment
    Team: team
    ManagedBy: 'bicep'
  }
}
```
## Bad Examples
```bash
# BAD: No tags (will be denied by policy)
az storage account create -n myappsa -g myapp-prod-rg
# BAD: Incomplete tags
az vm create -n myvm -g myapp-rg --tags Name=myvm
```
## Enforcement
- Assign deny policy at management group level
- Tag inheritance policy for automatic propagation from resource groups
- Azure Cost Management reports filtered by tags
- Regular compliance audit via Azure Policy dashboard