# Resource 'myresource' was disallowed by policy. Policy: 'Require a tag on resources'. Reason: 'The resource has no tags.' but the resource group has tags that should have been inherited.

- **ID:** `policy/azure-policy-tag-inheritance-missing`
- **Domain:** policy
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

Azure Policy's 'Require a tag on resources' policy does not automatically inherit tags from the resource group; inheritance must be explicitly configured using a separate 'Inherit a tag from the resource group' policy or by manual tagging.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Azure Policy | active | — | — |
| Azure Resource Manager | active | — | — |
| Azure CLI 2.50.0+ | active | — | — |

## Workarounds

1. **Create and assign an Azure Policy initiative that includes both 'Require a tag on resources' and 'Inherit a tag from the resource group if missing' (built-in policy ID: /providers/Microsoft.Authorization/policyDefinitions/...). Use the Azure Portal or CLI: `az policy assignment create --policy-set-definition <initiative-id> --assign-identity`.** (90% success)
2. **Manually tag each resource in the resource group using `az resource tag --tags <key>=<value> --ids <resource-id>` or through the Azure Portal. Ensure all resources have at least the required tag.** (80% success)
3. **If the resource is a template deployment, add the tags in the ARM template or Bicep file at the resource level. For example, in ARM: `"tags": { "Environment": "[parameters('environmentTag')]" }`.** (85% success)
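
A pre-deployment check for workarounds 1 and 3, added here as an example and not part of the original entry: it reports which top-level resources in an ARM template would be denied by 'Require a tag on resources', and which would pass only once the inherit policy is assigned. The function name, verdict labels, sample template and resource group tags are constructed for illustration; nested resources and copy loops are not expanded, and every listed resource type is assumed to support tags.

```python
import json

# Constructed sample ARM template (not from the page). The resource group is
# assumed to carry Environment=prod, which the template itself never sees.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
     "tags": {"Environment": "[parameters('environmentTag')]"}},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv1",
     "tags": {"environment": "prod"}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1",
     "tags": "[parameters('commonTags')]"},
    {"type": "Microsoft.Web/sites", "name": "myresource",
     "tags": {"Owner": "team-a"}}
  ]
}
""")


def check_template(template, tag_name, rg_tags, inherit_assigned=False):
    """Map each top-level resource to tagged / inherited / denied / unresolved."""
    want = tag_name.lower()  # Azure tag names are case-insensitive
    rg_has_tag = any(k.lower() == want for k in rg_tags)
    verdicts = {}
    for res in template.get("resources", []):
        tags = res.get("tags")
        if isinstance(tags, str):
            # Whole tags object is a template expression; not decidable statically.
            verdict = "unresolved"
        elif any(k.lower() == want for k in (tags or {})):
            verdict = "tagged"
        elif inherit_assigned and rg_has_tag:
            # The inherit policy (modify effect) runs before deny and copies the tag.
            verdict = "inherited"
        else:
            # Resource group tags alone never satisfy the require policy.
            verdict = "denied"
        verdicts[f"{res['type']}/{res['name']}"] = verdict
    return verdicts


if __name__ == "__main__":
    rg = {"Environment": "prod"}
    for flag in (False, True):
        print(f"inherit policy assigned: {flag}")
        for name, verdict in check_template(SAMPLE_TEMPLATE, "Environment", rg, flag).items():
            print(f"  {verdict:<10} {name}")
```

Resources reported as `unresolved` need the parameter file checked by hand, since the tag set is only known at deployment time.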

## Dead Ends

- Azure does not automatically propagate resource group tags to resources. Without an explicit inheritance policy, resources remain untagged. (90% fail)
- The policy is designed to enforce tagging; modifying it to allow empty tags defeats its purpose and may violate compliance requirements. (70% fail)
- This only works if you explicitly tag each resource. If you miss any resource, the policy will still fail for that resource. (50% fail)
