Azure Azure Arc Azure Governance

Azure Arc: Using tags with Azure Arc-enabled servers

Azure Arc allows you to onboard a wide variety of servers to Azure with Azure Arc-enabled servers which makes it easier to increase securitygovernance, automation and regulatory compliance on all your Windows and Linux servers that are deployed outside of Azure.

One of the governance controls you can use when a hybrid machine is connected (connected machine) to Azure with Azure Arc, is tags.

Tags provide you with a way to apply additional metadata (name-value pair) on your cloud resources to include information and context that could (or should) not be included in the resource name. You can then use that information to run more sophisticated filtering and reporting on those resources.

You can apply tags to individual resources or tag the resource group that they are part of. Once a tag is created and applied to a resource, it is automatically added to the subscription-wide taxonomy, which will allow you to associate it with resources from multiple resource groups.

What tags you apply to your resources (required or optional) differs between organizations. But you should always use a standard and meaningful tagging convention for all your resources in order to maintain consistency in your Azure environment. Best is to define these standards in advance and to enforce them using Azure policies (at the subscription or resource group scope). You should also use tags early on, ideally when you create or onboard the resources. This will not only help you manage resources more efficiently, but it will also reduce the administrative overhead when you need to add them at a later stage.

So, like you can read, implementing a proper tagging strategy can really help you to gain better visibility and control over all the resources that are running in your Azure environment.

If you want to read more about tags and how you can use them, you can always read my previous blog post “Azure Spring Clean: How to use resource tags to organize your Azure resources

Of course you can also use tags for your are Azure Arc-enabled servers just like for any other Azure resource. By applying tags to your hybrid servers and machines, you can logically organize them, better manage your server inventory (inventory management), apply your business policies with Azure Policy or even track costs with Cost Management (track cloud spending).

In this blog post I will show you how you can use tags for your Azure Arc-enabled servers.

Azure Arc tagging examples

A tag always consists of a name-value pair. Those name-value pairs can be anything that helps identify the category that a specific resource belongs to.

For example, you can add environment-related tags to your Arc-enabled servers in order to determine whether the machine belongs to the production, development or pre-production environment. The possible tags in this case could then be Env – Prd, Env – Dev, or Env – Pre.

At the moment, you can apply two types of tags to your Azure Arc-enabled servers: physical location tags and custom tags. Physical location tags are default tags specifying physical location types, like Datacenter, City and CountryOrRegion.

Custom tags are tags you specified following your tagging naming convention and which you already use in your environment for any of your other Azure resources (during the onboarding of Azure Arc-enabled servers you can also create new ones).

To help you on your way and to give you an some more practical examples, you can find a list of minimum suggested tags, I mostly use in combination with Azure Arc-enabled servers:

  • Datacenter: Datacenter 1 Antwerp, Datacenter: Datacenter 2 Brussels, Datacenter: Datacenter 3 Amsterdam
  • CountryOrRegion: Belgium, CountryOrRegion: Netherlands
  • City: Antwerp, City: Brussels, City: Amsterdam
  • ServerType: Hyper-V VM, ServerType: VMware VM, ServerType: Physical HP, SeverType: Physical Dell
  • Env: Hub, Env: Prd, Env: Acc, Env: Dev, Env: Tst, Env: poc
  • Criticality: Mission-critical, Criticality: High, Criticality: Medium, Criticality: Low
  • CostCenter: 23, CostCenter: 24, CostCenter: 25
  • WorkloadName: DomainController, WorkloadName: SAP, WorkloadName: Winfact
  • ManagedBy: Central IT, ManagedBy: Cloud Operations, ManagedBy: MSP
  • UpdateSchedule: wus-3th-sun-0800-pm-rir, UpdateSchedule: lus-2nd-sat-0800-pm-nr

Adding a tag to an Arc-enabled server with Azure PowerShell

Tags can be managed and created from the Azure portal, during the onboarding process of your Azure Arc-enabled servers. You can specify them when you generate the installation script.

But sometimes you may need to add an extra tag or change an existing one, and that is where Azure PowerShell comes in handy. Of course you can also manage your tags using Azure CLI or by using the Resource Manager REST API, but I will keep it to Azure PowerShell in this post.

In the example, I used Windows Terminal  to run all the Azure PowerShell cmdlets. But you can also use Visual Studio Code, Windows PowerShell or Azure Cloud Shell. Just change all variables to your use before running them in your environment.

Open Windows Terminal (with Administrator privileges) and sign in with the Connect-AzAccount cmdlet to connect your Azure account. Then select the proper tenant with the Set-AzContext -tenantID “xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx” cmdlet, if you have multiple tenants. You can list all tenants for the current user with the Get-AzTenant cmdlet.

List all Arc-enabled servers in the resource group you used to onboard and manage your Arc-enabled servers.

## List all Arc-enabled servers in a resource group

Get-AzResource -ResourceGroupName <your resource group name> -ResourceType Microsoft.HybridCompute/machines | ft

## example resource group: rg-prd-myh-arc-01

Add a tag name-value pair to a specific Arc-enabled server in the resource group.

## Add a tag name-value pair to a specific Arc-enabled server in the resource group

$tag = @{"<your tag name>"="<your tag value>"}
$vm = Get-AzResource -ResourceGroupName <your resource group name> -Name <your hybrid VM name>
Set-AzResource -ResourceId $vm.Id -Tag $tag -Force


To validate you can check all tags applied to the resource.

## Check all applied tags to an Arc-enabled server

$vm = Get-AzResource -ResourceGroupName <your resource group name> -Name <your hybrid VM name>
Get-AzTag -ResourceId $vm.Id


Change an existing tag value of an Arc-enabled server with Azure PowerShell

To change an existing tag, you can run the following Azure PowerShell cmdlets:

## Check all applied tags to an Arc-enabled server

$vm = Get-AzResource -ResourceGroupName <your resource group name> -Name <your hybrid VM name>
Get-AzTag -ResourceId $vm.Id

## Replace (merge) existing tag value

$mergedTags = @{"<your tag name>"="<your tag value you want to replace to>"}
$vm = Get-AzResource -ResourceGroupName <your resource group name> -Name <your hybrid VM name>
Update-AzTag -ResourceId $ -Tag $mergedTags -Operation Merge


Notes from the field

  • Keep in mind that there is no inheritance hierarchy for tags (e.g., tags applied at the resource group level are not inherited by any member resources).
  • Create an Azure Governance plan, an specify your Azure tagging naming convention and taxonomy, before you start deploying any resources or landing zones.
  • Enforce your tagging compliance with Azure Policy.
  • The tag name prefixes “Azure“, “Windows“, and “Microsoft” are reserved and cannot be used.
  • Keep an eye on the value of the Datacenter physical location tag when you onboard your Azure Arc-enabled servers. You can read more about it in this blog post.
  • You should also monitor your tagging practices and usage, and make amendments to the naming convention and processes if required. Best is also to periodically plan a sanity check to validate your Azure environment. In the case of tags you should do this in order to remove obsolete tags and also to avoid a “tag sprawl”.
  • Tags are stored as plain text.  So, you should never specify any sensitive data or information in your name-value pairs.


Azure resource tags provide a way to quickly organize all your Azure and non-Azure resources. That is why, together with a strong naming convention, they should be a core element in your Azure Governance strategy. So, whenever you apply tags to your Azure Arc-enabled servers you should follow your company’s tagging structure and principals.

%d bloggers like this: