In our current environment, this is starting to show up more and more.
We have a number of policies in Azure, among them ‘resources-tag-enforcement’, which adds a number of required Tags to resources in our production Resource Groups. Because the Tags are required on all resources in the groups, things fail.
The changes that start to fail are really unrelated to the Tag policy…
Example 1: We tried to change pricing tier on an App Service plan – Fail
Example 2: We deleted a rule in Azure Firewall – Fail
Example 3: We resized a VM – Fail
All due to one thing: in the backend, the Resource Manager seems to think that these changes are not just changes, but that we are adding new resources to the resource groups. That triggers the policy, which then fails to append the Tags since the Tags are already there…
The same scenario occurs with an ‘Allowed location’ policy: if a resource was once created outside of the allowed scope, changes are not allowed, since the RM seems to think that you are adding new resources, not just making adjustments.
The error you will see from the Tag policy is this:
Temporarily disable the assignment of the policy. Look up the Resource Group, go to Policies, then Assignments, then find the correct policy and open it.
A bit further down, you have the switch to disable it.
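The same temporary disable done from the Azure CLI, as an added example that is not part of the original post: the portal switch corresponds to the assignment's enforcement mode, and this wrapper puts the previous mode back even when the change itself fails. `run_with_policy_paused` is a hypothetical helper name, and the resource group, assignment and VM names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# Pause one policy assignment around a single change, then restore it.
#
# Usage (constructed names):
#   run_with_policy_paused my-prod-rg resources-tag-enforcement \
#       az vm resize --resource-group my-prod-rg --name my-vm --size Standard_D2s_v3

# The function body is a subshell, so its variables and traps stay local to it.
run_with_policy_paused() (
  rg="$1"
  assignment="$2"
  shift 2

  # Record the current mode so we restore what was there, not a guess.
  previous="$(az policy assignment show --name "$assignment" \
      --resource-group "$rg" --query enforcementMode --output tsv)" || exit 1

  restore() {
    az policy assignment update --name "$assignment" --resource-group "$rg" \
        --enforcement-mode "${previous:-Default}" --output none ||
      echo "WARNING: enforcement NOT restored on $assignment" >&2
  }

  # Restore on every exit path: success, failed change, or Ctrl-C.
  trap restore EXIT
  trap 'exit 130' INT TERM

  # DoNotEnforce leaves the assignment in place and compliance is still
  # evaluated; only the effect on create/update requests is switched off.
  az policy assignment update --name "$assignment" --resource-group "$rg" \
      --enforcement-mode DoNotEnforce --output none || exit 1

  # Run the change that the policy was blocking; its exit code is returned.
  "$@"
)
```

Scoping the pause to one command keeps the window in which the policy is not enforced as short as the change itself.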