Allow Only Certain Tag Values in Azure Resource Group Tags

Create an Azure Policy definition that allows only certain tag values in Azure resource group tags. Follow the steps below to create one in your Azure environment.

Step 1: Sign in to the Azure Portal and open Policy from the global search bar.

Step 2: In the left pane, under Authoring, select Definitions.

Step 3: On the Definitions page, click + Policy definition to create a definition for "Allow only Certain Tag Values in Azure Resource Group Tags".

Step 4: Fill in the policy definition details:

  • Definition location: the management group or subscription that will hold the definition. The definition can later be assigned at that scope or at any scope below it.
  • Name: "Allow only Defined Tag Values in Azure Resource Group Tags"
  • Description: "Allow only Certain Tag Values in Azure Resource Group Tags - Scope/TagName"
  • Category: leave the default (or pick the existing Tags category)
  • Policy rule: paste the "Allow only Defined Tag Values in Azure Resource Group Tags" JSON below, then click Save.

Note: Each resource, resource group and subscription can have a maximum of 50 tag name/value pairs. A tag name is limited to 512 characters and a tag value to 256 characters (storage accounts allow only 128 characters for the tag name).

JSON Policy Rule (the whole body below, including "mode" and "parameters", goes into the Policy rule box):

Two points to check before saving. First, "mode": "All" is required here, because resource groups are only evaluated in All mode, not in Indexed mode. Second, the "not ... in" test is also true when the tag is missing, so with the Deny effect this definition blocks resource groups that have no such tag at all, as well as those whose value is outside the list. If you only want to police the value on resource groups that already carry the tag, add a condition to the "allOf" block requiring that the tag field exists.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "in": "[parameters('listofallowedtagValues')]"
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Effect of the policy: Audit, Deny, or Disabled"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'DataType'"
      },
      "defaultValue": "DataType"
    },
    "listofallowedtagValues": {
      "type": "Array",
      "metadata": {
        "displayName": "Tag Values",
        "description": "Allowed values for the tag, such as 'Internal', 'Restricted', 'Confidential', 'N/A'"
      },
      "allowedValues": [
        "N/A",
        "Internal",
        "Restricted",
        "Confidential",
        "Critical"
      ]
    }
  }
}

Step 5: Once the definition is saved, assign it: click Assign, choose the assignment scope (a management group, subscription or resource group) and leave Policy enforcement set to Enabled.

Step 6: On the Parameters tab, set the tag name and select the allowed tag values, then click Review + create.

That's it! The policy is now applied at the selected scope. With the effect set to Deny, any request to create or update a resource group whose tag value is not in the allowed list is rejected. Deny only affects new requests; resource groups that already carry a non-compliant value are reported as non-compliant in the compliance view but are not changed.
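The same definition and assignment done from the Azure CLI instead of the portal, as an added example that is not part of the original walkthrough. It reuses the rule and parameter definitions above unchanged. The policy name "allow-only-defined-rg-tag-values", the SUBSCRIPTION_ID and DRY_RUN variables and the "run" helper are this example's own choices, not anything the page or Azure prescribes; the az flags used are standard Azure CLI options.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): create and assign the
# "allow only defined tag values on resource groups" policy with the Azure CLI.
# Assumptions: Azure CLI is installed and logged in (az login); the policy
# name, subscription ID, tag name and allowed values are placeholders you
# replace. Set DRY_RUN=1 to print the az commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
POLICY_NAME="allow-only-defined-rg-tag-values"   # assumed name, pick your own

# Run a command, or just print it when DRY_RUN=1 (review before applying).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Write the policy rule (the "if"/"then" part of the page's JSON) to file $1.
# az takes the rule and the parameter definitions as separate arguments.
write_rule() {
  cat >"$1" <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
      {
        "not": {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "in": "[parameters('listofallowedtagValues')]"
        }
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
EOF
}

# Write the parameter definitions (same as the page's "parameters" block) to file $1.
write_params() {
  cat >"$1" <<'EOF'
{
  "effect": {
    "type": "String",
    "metadata": { "displayName": "Effect", "description": "Audit, Deny or Disabled" },
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Deny"
  },
  "tagName": {
    "type": "String",
    "metadata": { "displayName": "Tag Name", "description": "Name of the tag, such as 'DataType'" },
    "defaultValue": "DataType"
  },
  "listofallowedtagValues": {
    "type": "Array",
    "metadata": { "displayName": "Tag Values", "description": "Allowed values for the tag" },
    "allowedValues": [ "N/A", "Internal", "Restricted", "Confidential", "Critical" ]
  }
}
EOF
}

# Build the assignment-time parameter values as JSON.
# $1 = tag name, remaining args = allowed values (each one JSON-escaped).
assignment_values() {
  local tag="$1"; shift
  local vals="" v
  for v in "$@"; do
    vals="${vals:+$vals,}\"$(printf '%s' "$v" | sed 's/["\\]/\\&/g')\""
  done
  printf '{"effect":{"value":"Deny"},"tagName":{"value":"%s"},"listofallowedtagValues":{"value":[%s]}}' \
    "$tag" "$vals"
}

# Create the definition in subscription $1 and assign it to that subscription
# with Deny enforced. --mode All is required: Indexed mode skips resource groups.
deploy() {
  local sub="$1" rule params
  rule="$(mktemp)"; params="$(mktemp)"
  write_rule "$rule"
  write_params "$params"
  run az policy definition create \
    --name "$POLICY_NAME" \
    --display-name "Allow only Defined Tag Values in Azure Resource Group Tags" \
    --mode All \
    --rules "@$rule" \
    --params "@$params" \
    --subscription "$sub"
  run az policy assignment create \
    --name "$POLICY_NAME" \
    --policy "$POLICY_NAME" \
    --scope "/subscriptions/$sub" \
    --params "$(assignment_values DataType Internal Restricted Confidential)" \
    --enforcement-mode Default
  rm -f "$rule" "$params"
}

# Usage: SUBSCRIPTION_ID=<guid> DRY_RUN=1 bash deploy_tag_policy.sh
if [ -n "${SUBSCRIPTION_ID:-}" ]; then
  deploy "$SUBSCRIPTION_ID"
fi
```

Run it once with DRY_RUN=1 to see the exact az commands, then again without it to apply them. To place the definition in a management group instead of a subscription, pass --management-group to "az policy definition create" and use the management group's resource ID as the assignment --scope.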