Azure Policy - Find Resources without Tags


Hello Community,

Is it possible to define a Policy to find Resources without Tags?

I would like to define this Policy to list all of the items at the "Compliance" point on the Policy tab.

I have looked at the Definitions but I can't find this scenario.

Did someone build a Policy for this scenario?
Or can someone help me to build this Policy?

Thanks a lot.

Regards,
Phil

2 Replies

Hi @Phil123

I assume you are not looking for a particular tag key and/or values but you want the policy to audit all resources that have no tags.

If that is true, then you are right, there isn't any built-in policy for that!

I created a custom policy with indexed mode and used the following policy rule:

    {
      "policyRule": {
        "if": {
          "field": "tags",
          "exists": "false"
        },
        "then": {
          "effect": "audit"
        }
      }
    }

Based on my tests, it did show correctly all resources in my subscription, where I haven't applied any tags. Please try it out :)
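
For reference, the rule from the reply above placed in a complete custom definition body, as an added example that is not part of the original reply. The `effect` parameter, its allowed values and its metadata text are assumptions added here; `Indexed` mode limits evaluation to resource types that support tags and location, so types that cannot carry tags do not show up as non-compliant.

```json
{
  "mode": "Indexed",
  "parameters": {
    "effect": {
      "type": "String",
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit",
      "metadata": {
        "displayName": "Effect",
        "description": "Audit resources that have no tags, or disable the policy."
      }
    }
  },
  "policyRule": {
    "if": {
      "field": "tags",
      "exists": "false"
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}
```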

@Phil123 

You can use ARG (Azure Resource Graph) queries. Here are three different queries:

// To Find Subscription Missing Tags
// Parentheses are needed: "and" binds tighter than "or", so without them
// the type filter would not apply to the tostring(tags) check.
resourcecontainers
| where type == "microsoft.resources/subscriptions"
    and (isnull(tags) or tostring(tags) == '[]')

// To Find Resource Groups Missing Tags
resourcecontainers
| where type == "microsoft.resources/subscriptions/resourcegroups"
    and (isnull(tags) or tostring(tags) == '[]')

// To Find Resources Missing Tags
resources
| where isnull(tags) or tostring(tags) == '[]'