Why Aren't You Tagging Azure Resources?

🏷️ The Case for Tagging

How often has your organisation struggled to articulate cost, manage governance, or group resources in Azure?

For some organisations, tagging is the norm, with every resource tagged to provide additional information about what the resource is, who it’s for, and why it’s needed. For others, they’ve not even started, relying on documentation and in-team knowledge to identify services and manually group things like costs together.

Tagging in Azure isn’t just a cosmetic feature. If used correctly, it can be useful not only for IT admins but also for tracking costs and even affecting Azure Policy.

Tagging is hugely important for a well-oiled, well-architected platform and, at scale, is sometimes vital to operations. So if tagging is so good, why are so many failing to do it properly?

⚡ Real World Benefits

Tagging in Azure has power. You might not need it all today, but three months in, you get asked for a report with 15 minutes’ notice, and boom, easy next please… Here are some of the ways in which tagging improves cost management, governance & compliance, automation, and security and access control:

💰 Cost Management & Visibility

Understanding your cloud spend can be tricky. Even with native solutions like cost analysis, most businesses need to understand what each service or department is costing rather than just the monthly payment. Sure, you could split everything into separate subscriptions, but I use subscriptions as a demarcation of responsibility and access rather than a cost centre. I don’t want a subscription with just two VMs, a vNet, and a single function app, do you?

Tagging resources with tags like CostCenter, Project, Service, and Owner allows your FinOps or finance teams to understand costs by department, application, or team, making it easier to allocate budget and prevent overruns.

🙋 Example: Tagging all resources with Service = My Fancy Service lets you quickly realise all cloud expenses relating to a service rather than individual components in Azure Cost Management.

🔍 Governance & Compliance

Organisations need clear ownership and accountability over their cloud resources. No one knows this better than those in heavily regulated industries, but don’t let regulation be the requirement. Learn from those that put in the hard work with the auditors! A well-defined tagging structure will help you:

• Resource tracking → Know who owns what and why it exists.
• Lifecycle management → Apply tags like ExpirationDate or CreatedBy to prevent orphaned resources.
• Compliance audits → Easily filter and report on tagged resources to meet security and governance standards.

🙋 Example: Enforcing Environment = Prod/Test/Dev tags helps prevent accidental deployments of sensitive workloads in non-compliant environments.

🔄 Automation & Operations

Manually managing your infrastructure was fine when you had five VMs, some storage accounts, and a web app, but now you’ve got 5,000 people in the business to support and hundreds of resources in Azure with a team of 15, and you’re drowning doing it all by hand 🤽

Tags allow teams to automate actions based on conditions, ensuring standardisation and repeatability with hands-off management.

• Power management → Power off VMs at night using logic/function or policy by targeting resources with AutoShutdown = True.
• Apply backup policies → Automate backup policy assignment for mission-critical workloads with BackupPolicy = Daily or Criticality = Tier1.

🙋 Example: A Logic App workflow can age resources based on an ExpirationDate tag, ensuring cost control and clean-up of stale workloads.

🔐 Security & Access Control

Tags can also play a key role in bolstering security and enforcing policies:

• Enhanced Security → Highlight services that require enhanced levels of security or even deploy extensions or Azure Policy to workloads with SecurityLevel = High.
• Secure resources → Dynamically apply RBAC to resources based on tags using DataSensitivity = Confidential (Think about how you could use Deny RBAC here to be very clever).
• Classify data → Tag resources with data classification like DataClassification = PII to help people understand the importance and sensitivity of what they are working on.

🙋 Example: Azure Policy could block public IP addresses for any resource where SecurityLevel = High.

🚨 Why Do People Skip Tagging?

I’ve sold you on tags already. It’s okay, I can tell. It can be our secret. But why do people skip tags? If they are so great, everyone would be using them.

The common responses I’ve heard are:

• “We’ll do it later” → Until costs get out of control or resources are hard to find.
• “It’s too much effort” → With Azure Policy, tagging can be automated.
• “We don’t have a standard” → Then let’s create one! Define required tags for your organisation.

Want some quick ideas on creating a standard? Microsoft has provided just the thing.

🔧 How to Fix It: A Practical Guide

I’m going to keep it really simple. Get the buy-in first, explain the benefits with your tech lead, and get it in. The sooner, the better.

1. Define a tagging strategy → What tags should every resource have? (Owner, CostCenter, Environment, etc.)
2. Get it documented → Get this detailed somewhere, anywhere, and get it out to everyone.
3. Enforce tagging with Azure Policy → Block untagged resources or have them inherit tags from the resource group. This might make you unpopular at first, but they’ll get over it.
4. Use automation → If you’ve got a legacy estate, use tools like PowerShell, Terraform, or Bicep to create and apply tags at scale.
5. Make it easy → You’ve got the strategy, the docs, and the automation, so you’re already there. Just don’t make it a complicated process. If this is hard, no one will do it.

💡 Final Thoughts: Are You Doing It Right?

Now, hopefully, I’ve helped explain the importance of tags. I could go on and on, but this is enough for you to pick out what matters to your business and where you can see the value. Tags are only a value add; you just need to find the right way they work for you.

Make sure you do this ahead of time. Don’t wait until you need to roll something out or get a report done for the next meeting.

I’m interested to hear from you all. What’s the worst tagging mess you’ve seen?

Do you think mandatory tagging should be enforced?

How does your team handle Azure tagging?