Use Tags to Organize Azure Resources and Management Hierarchy
Date: 20/08/2025 Categories: azure

Tags are metadata elements that you can apply to Azure resources to help categorize and organize them according to business, operational, or governance needs. A tag is a key–value pair. For example, to track deployment environments, you might add a tag with the key Environment and the value Production, forming Environment = Production.

This article outlines best practices, conditions, and limitations for using tags in Azure.

Tag Usage and Recommendations

  • Tags can be applied to Azure resources, resource groups, and subscriptions.
    They cannot be applied to management groups.
  • For guidance on building a tagging strategy, see the Resource naming and tagging decision guide.
  • Tags are supported by all cost‑accruing Azure services, allowing you to group and analyze costs.
    To ensure required tags are applied consistently, use Azure Policy.

Warning — Tags Are Plain Text
Tags are stored unencrypted in plain text. Do not include sensitive information (passwords, keys, secrets, personal data). Tags can appear in cost reports, templates, command outputs, deployment history, exported logs, and monitoring pipelines.

Warning — Non-English Characters
Avoid using non‑English languages in tag names and values. Some languages can cause metadata decoding failures when the VM loads metadata from IMDS (Instance Metadata Service).

Important

  • Tag names are case‑insensitive for operations but Azure may preserve your original casing in cost reports.
  • Tag values are case‑sensitive.

Note
This article includes steps relevant to GDPR compliance when removing personal data from devices or services.

Required Access

You can tag resources using either of these permission models:

1. Tag Contributor Role

  • Grants write access to Microsoft.Resources/tags.
  • Allows tagging any resource, even if you don’t have access to the resource itself.
  • Limitations:
    • Cannot apply tags to resources or resource groups through the Azure portal.
    • Can apply tags to subscriptions through the portal.
    • Supports all tag operations via PowerShell or REST API.

2. Resource-Level Write Access

  • Requires write permissions on the specific resource to apply tags.
  • Examples:
    • Contributor: Can tag any entity.
    • Virtual Machine Contributor: Can tag VM resources only.

Tag Inheritance

  • Tags applied to subscriptions or resource groups do not automatically propagate to child resources.
  • To enforce tag inheritance, use Azure Policy with policies like:
    • Inherit a tag from the resource group
    • Apply default tags

Cost Grouping with cm-resource-parent

You can group costs using the cm-resource-parent tag.

  • Key: cm-resource-parent
  • Value: Resource ID of the parent resource.

Example: To group Azure Virtual Desktop costs by host pool, use the host pool’s resource ID.

Tags and Billing

Tags help categorize and analyze billing data. Example scenarios:

  • Allocate costs by cost center
  • Distinguish between development, test, and production usage
  • Group VMs by department or project

You can retrieve tag information in:

  • Downloaded usage and billing reports
  • Azure Cost Management views (Tags column)
  • Azure Billing REST APIs

Unique Tags Pagination

When using the Unique Tags API, large numbers of values may cause pagination. If values span multiple pages:

  • The tag key may appear more than once in results.
  • Some interfaces, including Azure Portal, may display duplicate tag keys.

Tag Limitations

Several constraints apply when using tags in Azure:

Resource Support

Not all resource types support tags.
Check Tag support for Azure resources for compatibility.

Operational Limitations

  • Some resources require specific states to update tags.
    Example: VM extensions require the VM to be running.

Tag Count Limits

  • Each resource, resource group, and subscription supports up to 50 tag name–value pairs.
  • If you need more tags:
    • Use a JSON‑serialized string within a single tag value.

Character Limits

  • Tag name: up to 512 characters (128 for storage accounts)
  • Tag value: up to 256 characters

Unsupported Services

  • Classic resources (e.g., Cloud Services) do not support tags.
  • Some networking services (Azure Firewall policies, IP Groups) do not support PATCH updates for tags.

Character Restrictions

Tag names cannot contain:

<  >  %  &  \  ?  /

Service-Specific Restrictions

Azure DNS Zones

  • Tag names cannot contain spaces or parentheses
  • Cannot start with a number
  • Cannot include special or Unicode characters
  • Tag values have no restrictions

Azure Traffic Manager

  • Tag names cannot contain spaces, #, or :
  • Cannot start with a number

Azure Front Door

  • Tag names cannot contain # or :

Resources Limited to 15 Tags

  • Azure Automation
  • Azure CDN
  • Azure Public DNS (Zones and A records)
  • Azure Private DNS (Zones and A records)
  • Azure Log Analytics saved searches
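
The limits and character rules listed above, together with the plain-text and non-English warnings, can be checked before a deployment. The linter below is an added example, not code from the original article or from Microsoft. The service labels ("dns", "storage", and so on) are hypothetical shorthand, the non-ASCII test is an assumed stand-in for the non-English warning, and the secret-name pattern is an assumed heuristic.

```python
import re

# Limits and character rules as listed on this page. The service labels
# ("dns", "storage", ...) are hypothetical shorthand, not Azure type names.
FORBIDDEN = set("<>%&\\?/")
MAX_TAGS = {"automation": 15, "cdn": 15, "dns": 15}        # default 50
MAX_NAME = {"storage": 128}                                 # default 512
MAX_VALUE = 256
EXTRA_FORBIDDEN = {"dns": " ()", "trafficmanager": " #:", "frontdoor": "#:"}
NO_LEADING_DIGIT = {"dns", "trafficmanager"}
# Assumed heuristic for the plain-text warning: names that suggest a secret.
SECRET_HINT = re.compile(r"pass(word|wd)?|secret|token|api[-_]?key|connstr", re.I)


def lint_tags(tags, service=None):
    """Return a list of findings for a dict of tag name -> value."""
    findings = []
    limit = MAX_TAGS.get(service, 50)
    if len(tags) > limit:
        findings.append(f"{len(tags)} tags exceeds the limit of {limit}")
    seen = {}
    for name, value in tags.items():
        # Names are case-insensitive for operations, so these collide.
        if name.lower() in seen:
            findings.append(f"{name!r} collides with {seen[name.lower()]!r}")
        seen.setdefault(name.lower(), name)
        if len(name) > MAX_NAME.get(service, 512):
            findings.append(f"{name!r}: name too long")
        if len(value) > MAX_VALUE:
            findings.append(f"{name!r}: value longer than {MAX_VALUE}")
        bad = sorted((FORBIDDEN | set(EXTRA_FORBIDDEN.get(service, ""))) & set(name))
        if bad:
            findings.append(f"{name!r}: forbidden characters {''.join(bad)!r}")
        if service in NO_LEADING_DIGIT and name[:1].isdigit():
            findings.append(f"{name!r}: name starts with a number")
        # Assumption: non-ASCII text approximates "non-English" here.
        if not (name + value).isascii():
            findings.append(f"{name!r}: non-ASCII text (IMDS decoding risk)")
        if SECRET_HINT.search(name):
            findings.append(f"{name!r}: looks like a secret; tags are plain text")
    return findings


# Constructed sample input.
SAMPLE = {"Environment": "Production", "environment": "prod",
          "cost/center": "1234", "DbPassword": "hunter2", "Owner": "Zoë"}
if __name__ == "__main__":
    for finding in lint_tags(SAMPLE):
        print(finding)
```

The DNS rule against "special" characters is not modelled, because the article does not enumerate them.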

Reference: Use tags to organize your Azure resources and management hierarchy