Tags in Azure Resource Manager are key/value pairs you apply to subscriptions, resource groups, and resources (not management groups) for things like cost tracking, environment classification, and owner identification.
Special characters are not supported in tag names for a few Azure resources
Azure enforces rules around how tags can be used on resources. For example, certain services disallow spaces, colons (:) or other special characters in tag names, and some also prohibit tag names that begin with a number.
For example:
- Azure DNS Zones
- Azure Traffic Manager
To address this issue, we can use a custom policy so that resources which do not support special characters in their tags are excluded from policy evaluation. This exclusion explicitly covers those resource types and any of their child resources.
Certain Azure services—such as virtual machines, virtual machine scale-sets, and App Services—automatically spin up additional components (for example NICs, VM extensions, load-balancers, or autoscale settings) during deployment. When a tag applied at the parent level must flow down to all children, enforcing a policy that requires tags on every resource may cause the deployment of those child resources to fail, which can in turn block the deployment of the parent resource.
The excluded resource types are listed below:
"Microsoft.Network/privateDnsZones",
"Microsoft.Network/trafficManagerProfiles",
"microsoft.Network/privatednszones/virtualnetworklinks",
"microsoft.Network/privatednszones/SOA",
"microsoft.Network/privatednszones/NS",
"Microsoft.Network/trafficManagerProfiles/azureEndpoints",
"Microsoft.Network/trafficManagerProfiles/externalEndpoints",
"Microsoft.Network/trafficManagerProfiles/nestedEndpoints",
"Microsoft.Compute/virtualMachines/extensions",
"Microsoft.Network/networkInterfaces",
"Microsoft.Insights/autoscaleSettings",
"Microsoft.Compute/virtualMachines/runcommands",
"Microsoft.Network/dnszones",
"Microsoft.EventGrid/systemTopics",
"Microsoft.Compute/disks"
There is no solution for this issue; the workaround is to selectively exclude certain child resources from policy evaluation.
Adding tags is not supported in the portal
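One way to express the exclusion described above as a policy rule, with a small local check that predicts which resources it would reject. This is an added example, not the author's policy: the tag name `Owner`, the `deny` effect and the sample resources are assumptions, and `violates()` models only these two conditions, not the Azure Policy engine.

```python
import json

# Resource types excluded from the tag requirement (the list given above).
EXCLUDED_TYPES = """
Microsoft.Network/privateDnsZones Microsoft.Network/trafficManagerProfiles
microsoft.Network/privatednszones/virtualnetworklinks
microsoft.Network/privatednszones/SOA microsoft.Network/privatednszones/NS
Microsoft.Network/trafficManagerProfiles/azureEndpoints
Microsoft.Network/trafficManagerProfiles/externalEndpoints
Microsoft.Network/trafficManagerProfiles/nestedEndpoints
Microsoft.Compute/virtualMachines/extensions Microsoft.Network/networkInterfaces
Microsoft.Insights/autoscaleSettings Microsoft.Compute/virtualMachines/runcommands
Microsoft.Network/dnszones Microsoft.EventGrid/systemTopics Microsoft.Compute/disks
""".split()

def build_policy_rule(tag_name, effect="deny"):
    """policyRule requiring tag_name on every type that is not excluded."""
    return {
        "if": {"allOf": [
            {"field": "type", "notIn": EXCLUDED_TYPES},
            {"field": f"tags['{tag_name}']", "exists": "false"},
        ]},
        "then": {"effect": effect},
    }

def violates(resource, tag_name):
    """Local model of the rule; type and tag-name matching is case-insensitive."""
    excluded = {t.lower() for t in EXCLUDED_TYPES}
    tags = {k.lower() for k in resource.get("tags", {})}
    return resource["type"].lower() not in excluded and tag_name.lower() not in tags

# Constructed sample deployment: a VM plus the children Azure creates for it.
SAMPLE = [
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines", "tags": {"owner": "team-a"}},
    {"name": "vm1/ext", "type": "Microsoft.Compute/virtualMachines/extensions"},
    {"name": "vm1-nic", "type": "microsoft.network/networkinterfaces"},
    {"name": "stor1", "type": "Microsoft.Storage/storageAccounts"},
]

def denied(resources, tag_name):
    """Names of resources the modelled rule would reject."""
    return [r["name"] for r in resources if violates(r, tag_name)]

if __name__ == "__main__":
    print(json.dumps(build_policy_rule("Owner"), indent=2))
    print("would be denied:", denied(SAMPLE, "Owner"))
```

The untagged extension and NIC pass because their types are excluded, so the parent VM deployment is not blocked, while the untagged storage account is still caught.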
Some Azure resources support tagging but don’t allow tags to be added or edited via the Azure Portal. To ensure they comply with tagging policies, tags must be applied through the Azure REST API.
Follow the steps below to add tags:
- Log in to the REST API explorer: https://learn.microsoft.com/en-us/rest/api/resources/tags/update-at-scope?view=rest-resources-2021-04-01#code-try-0
- Click on Try it.
- Enter the resource ID of the resource in the scope.
- In the body, enter the tag name and value.
- Click on Run to invoke the REST API. The success response will be 200.
