Use tags to organize your Azure resources and management hierarchy

Tags are metadata elements that you apply to your Azure resources. They're key-value pairs that help you identify resources based on settings that are relevant to your organization. If you want to track the deployment environment for your resources, add a key named Environment. To identify the resources deployed to production, give them a value of Production. The full key-value pair is Environment = Production.

This article describes the conditions and limitations for using tags. For steps on how to work with tags, see:

Tag usage and recommendations

You can apply tags to your Azure resources, resource groups, and subscriptions, but not to management groups.

Resource tags support all cost-accruing services. To ensure that cost-accruing services are provisioned with a tag, use one of the tag policies.

Warning

Tags are stored as plain text. Never add sensitive values to tags. Sensitive values could be exposed through many methods, including cost reports, commands that return existing tag definitions, deployment histories, exported templates, and monitoring logs.

Warning

Please be careful while using non-English language in your tags. It can cause decoding progress failure while loading your VM's metadata from IMDS (Instance Metadata Service).

Important

Tag names are case-insensitive for operations. A tag with a tag name, regardless of the casing, is updated or retrieved. However, the resource provider might keep the casing you provide for the tag name. You'll see that casing in cost reports.

Tag values are case-sensitive.

Note

This article provides steps about how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.

Required access

There are two ways to get the required access to tag resources.

  • You can have write access to the Microsoft.Resources/tags resource type. This access lets you tag any resource, even if you don't have access to the resource itself. The Tag Contributor role grants this access. The tag contributor role, for example, can't apply tags to resources or resource groups through the portal. It can, however, apply tags to subscriptions through the portal. It supports all tag operations through Azure PowerShell and REST API.

  • You can have write access to the resource itself. The Contributor role grants the required access to apply tags to any entity. To apply tags to only one resource type, use the contributor role for that resource. To apply tags to virtual machines, for example, use the Virtual Machine Contributor.

Inherit tags

Resources don't inherit the tags you apply to a resource group or a subscription. To apply tags from a subscription or resource group to the resources, see Azure Policies - tags.

You can group costs for an Azure resource by using the cm-resource-parent tag. This tag lets you review tagged costs in Microsoft Cost Management without having to use filters. The key for this tag is cm-resource-parent and its value is the resource ID of the Azure resource you want to group costs by. For example, to group costs by an Azure Virtual Desktop host pool, provide the resource ID of the host pool. For more information, see Group related resources in the cost analysis.

Tags and billing

You can use tags to group your billing data. If you're running multiple VMs for different organizations, for example, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production environment.

You can retrieve information about tags by downloading the usage file available from the Azure portal.

For REST API operations, see Azure Billing REST API Reference.

Unique tags pagination

When calling the Unique Tags API there is a limit to the size of each API response page that is returned. A tag that has a large set of unique values will require the API to fetch the next page to retrieve the remaining set of values. When this happens the tag key is shown again to indicate that the values are still under this key.

This can result in some tools, like the Azure portal, to show the tag key twice.

Limitations

The following limitations apply to tags:

  • Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.

  • Each resource, resource group, and subscription can have a maximum of 50 tag name-value pairs. If you need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can contain many of the values that you apply to a single tag name. A resource group or subscription can contain many resources that each have 50 tag name-value pairs.

  • The tag name has a limit of 512 characters and the tag value has a limit of 256 characters. For storage accounts, the tag name has a limit of 128 characters and the tag value has a limit of 256 characters.

  • Classic resources such as Cloud Services don't support tags.

  • Azure IP Groups and Azure Firewall Policies don't support PATCH operations. PATCH API method operations, therefore, can't update tags through the portal. Instead, you can use the update commands for those resources. You can update tags for an IP group, for example, with the az network ip-group update command.

  • Tag names can't contain these characters: <, >, %, &, \, ?, /

    Note

    • Azure Domain Name System (DNS) zones don't support the use of spaces or parentheses in the tag or a tag that starts with a number. Azure DNS tag names don't support special and unicode characters. The value can contain all characters.

    • Traffic Manager doesn't support the use of spaces, # or : in the tag name. The tag name can't start with a number.

    • Azure Front Door doesn't support the use of # or : in the tag name.

    • The following Azure resources only support 15 tags:

      • Azure Automation
      • Azure Content Delivery Network (CDN)
      • Azure DNS (Zone and A records)
      • Azure Log Analytics Saved Search

Next steps