Why aren't you tagging Azure resources?

🏷️ The case for tagging

How often have your organisation struggled to articulate cost, manage governance or group resources in Azure?

For some organisations tagging is the norm, with every resource tagged to provide anyone additional information about what the resource is, who its for and why its needed. For others they've not even started, these businesses will rely on documentation and in team knowledge to identify services and manual work to group things like costs together.

Tagging in Azure isn't just a cosmetic feature, if used correctly it can be useful not only for information to the IT Admins but beyond that it can be used to track costs and even effect Azure Policy......

Tagging is hugely important for a well-oiled well architected platform and at scale is sometimes vital to operations. So if tagging is so good, why are so many failing to do it properly?

⚡Real world benefits

Like I've mentioned tagging in Azure has power, you might not need it all today but 3-months in you get asked for a report with 15mins notice and boom, easy next please... Here's some of the ways in which tagging improves cost management, governance & compliance, automation and security and access control:

💰 Cost Management & Visibility

Understanding your cloud spend can be tricky, even with the advent of native solutions like cost analysis, in most businesses exec or budget holders need to understand what each service or department is costing the business rather than just the monthly payment. Sure you could split everything into separate subscriptions but for me I use subscriptions as a demarcation of responsibility and access rather than a cost center, I don't want a subscription with just 2 VM's a vNet and a single function app, do you?

Tagging resources with tags like CostCenter, Project, Service and Owner allow your FinOps or finance teams to understand costs by department, application, or team making it easier to allocation budget and prevent overruns.

🙋 Example: Tagging all resources for with 'Service' = 'My Fancy Service' lets you quickly realise all cloud expenses relating to a service rather than individual components in Azure Cost Management.

🔍 Governance & Compliance

Organisations need clear ownership and accountability over their cloud resources, no one knows this better than those in heavily regulated industries but don't let regulation be the requirement, learn from those that put in the hard work with the auditors! A well defined tagging structure will help you:

Resource tracking → Know who owns what and why it exists.

Lifecycle management → Apply tags like 'ExpirationDate' or 'CreatedBy' to prevent orphaned resources.

Compliance audits → Easily filter and report on tagged resources to meet security and governance standards.

🙋 Example: Enforcing Environment = Prod/Test/Dev tags helps prevent accidental deployments of sensitive workloads in non-compliant environments.

🔄 Automation & Operations

Manually managing your infrastructure was fine when you had 5 VM's, some storage accounts and a webapp but now you've got 5,000 people in the business to support and hundreds of resources in Azure with a team of 15 and drowning doing it all by hand 🤽

Tags allow teams to automate actions based on conditions ensuring standardisation and repeatability with hands off management.

Power management → Power off VM's at night using logic/function or policy by targeting resources with 'AutoShutdown' = 'True'

Apply backup policies → Automate backup policy assignment for mission critical workloads with 'BackupPolicy' = 'Daily' or 'Criticality' = 'Tier1'

🙋 Example: Logic App workflow can aged resources based on an ExpirationDate tag, ensuring cost control and clean-up of stale workloads.

🔐 Security & Access Control

Tags can also play a key role in bolstering security and enforcing policies:

Enhanced Security → Highlight services that require enhanced levels of security or even deploy extensions or azure policy to workloads with 'SecurityLevel' = 'High'

Secure resources → Dynamically apply RBAC to resources based on tags using 'DataSensitivity' = 'Confidential' (Think about how you could use Deny RBAC here to be very clever)

Classify data → Tag resource with data classification like 'DataClassification' = 'PII' to help people understand the importance and sensitivity of what they are working on.

🙋 Example: Azure Policy could block public IP addresses for any resource where 'SecurityLevel' = 'High'.

🚨 Why do people skip tagging?

I've sold you on tags already, its ok I can tell it can be our secret. But why do people skip tags? If they are so great everyone would be using them.

The common responses I've heard are:

“We’ll do it later” → Until costs get out of control or resources are hard to find.

“It’s too much effort” → With Azure Policy, tagging can be automated.

“We don’t have a standard” → Then let’s create one! Define required tags for your org.

Want some quick ideas on creating a standard? Microsoft have provided just the thing.

🔧 How to Fix It: A Practical Guide

I'm going to keep it really simple, get the buy-in first explain the benefits with your tech lead and get it in. The sooner the better.

Define a tagging strategy → What tags should every resource have? (Owner, CostCenter, Environment, etc.)

Get it documented → Get this detailed somewhere, anywhere and get it out to everyone

Enforce tagging with Azure Policy → Block untagged resources or have it inherit tags from the resource group, this might make you unpopular at first but they'll get over it.

Use automation → If you've got a legacy estate, use tools like PowerShell, Terraform, or Bicep to create and apply tags at scale.

Make it easy → You've got the strategy, the docs and the automation so you're already there just don't make it a complicated process. If this is hard no one will do it.

💡 Final Thoughts: Are You Doing It Right?

Now hopefully I've helped explain the importance of tags, I could go on and on but this is enough for you to pick out what matters to your business and where you can see the value. Tags are only an value add, just need to find the right way they work for you.

Make sure you do this ahead of time, don't wait until you need to roll something out or get a report done for the next meeting.

I'm interested to hear from you all, what’s the worst tagging mess you’ve seen?

Do you think mandatory tagging should be enforced?

How does your team handle Azure tagging?

🔥 Drop your thoughts in the comments! Let’s discuss. 🚀