Resource 'myresource' was disallowed by policy. Policy: 'Require a tag on resources'. Reason: 'The resource has no tags.' but the resource group has tags that should have been inherited.
ID: policy/azure-policy-tag-inheritance-missing
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Azure Policy | active | — | — | — |
| Azure Resource Manager | active | — | — | — |
| Azure CLI 2.50.0+ | active | — | — | — |
Root Cause
Azure Policy's 'Require a tag on resources' policy does not automatically inherit tags from the resource group; inheritance must be explicitly configured using a separate 'Inherit a tag from the resource group' policy or by manual tagging.
generic中文
Azure 策略的‘要求资源具有标签’策略不会自动从资源组继承标签;必须使用单独的‘从资源组继承标签’策略或手动标记来显式配置继承。
Official Documentation
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#tagsWorkarounds
-
90% success Create and assign an Azure Policy initiative that includes both 'Require a tag on resources' and 'Inherit a tag from the resource group if missing' (built-in policy ID: /providers/Microsoft.Authorization/policyDefinitions/...). Use the Azure Portal or CLI: `az policy assignment create --policy-set-definition <initiative-id> --assign-identity`.
Create and assign an Azure Policy initiative that includes both 'Require a tag on resources' and 'Inherit a tag from the resource group if missing' (built-in policy ID: /providers/Microsoft.Authorization/policyDefinitions/...). Use the Azure Portal or CLI: `az policy assignment create --policy-set-definition <initiative-id> --assign-identity`.
-
80% success Manually tag each resource in the resource group using `az resource tag --tags <key>=<value> --ids <resource-id>` or through the Azure Portal. Ensure all resources have at least the required tag.
Manually tag each resource in the resource group using `az resource tag --tags <key>=<value> --ids <resource-id>` or through the Azure Portal. Ensure all resources have at least the required tag.
-
85% success If the resource is a template deployment, add the tags in the ARM template or Bicep file at the resource level. For example, in ARM: `"tags": { "Environment": "[parameters('environmentTag')]" }`.
If the resource is a template deployment, add the tags in the ARM template or Bicep file at the resource level. For example, in ARM: `"tags": { "Environment": "[parameters('environmentTag')]" }`.
中文步骤
创建并分配一个 Azure 策略计划,该计划包括‘要求资源具有标签’和‘如果缺少标签则从资源组继承标签’(内置策略 ID:/providers/Microsoft.Authorization/policyDefinitions/...)。使用 Azure 门户或 CLI:`az policy assignment create --policy-set-definition <initiative-id> --assign-identity`。
使用 `az resource tag --tags <key>=<value> --ids <resource-id>` 或通过 Azure 门户手动标记资源组中的每个资源。确保所有资源至少具有所需的标签。
如果资源是模板部署,请在 ARM 模板或 Bicep 文件的资源级别添加标签。例如,在 ARM 中:`"tags": { "Environment": "[parameters('environmentTag')]" }`。
Dead Ends
Common approaches that don't work:
-
90% fail
Azure does not automatically propagate resource group tags to resources. Without an explicit inheritance policy, resources remain untagged.
-
70% fail
The policy is designed to enforce tagging; modifying it to allow empty tags defeats its purpose and may violate compliance requirements.
-
50% fail
This only works if you explicitly tag each resource. If you miss any resource, the policy will still fail for that resource.