Using Resource Groups and Tagging in Azure Government

Azure Government is moving closer and closer to having the next generation portal and full Azure Resource Manager support.  Recent updates now make it possible to better organize and classify resources for lifecycle management, security and identification.  Below I would like to highlight some of these features and some best practices you can start using today.

Azure Resource Groups

Azure Resource Groups provide a mechanism to group together a collection of Azure Resources.  This enables administrators to manage the lifecycle as a single entity, assign tags (more on that in a moment), and apply role based access control.   Since Azure Resource Groups are not part of the original Azure classic environment, you will not see these exposed in the classic portal environment, however you will see them in the new portal.  The interesting thing is that when you create any resource in Azure, no matter if it is a classic resource or an upcoming Azure Resource Manager resource, they will always be placed in an Azure Resource Group. 

If you are creating classic resources using the classic portal or classic Azure PowerShell commands you will not have an option to choose what Azure Resource Group the resources are assigned to.  They will instead be assigned to default resource groups based upon the region and type of resource being created.   If you utilize the new portal or Azure Resource Manager PowerShell commands to create classic resources you have the ability to specify either an exiting resource group or to create a new resource group for your new resource.  

Best practice:  Always group resources together in a resource group if they share the same lifecycle or are resources related to a single solution.  This will enable easier management of the resources and provide role based access control and  group tagging for the resources.

If you already have a bunch of existing Azure classic resources you may wish to start moving them into Azure Resource Groups based upon the best practice noted above.   This will require you to utilize the new Azure Resource Manager PowerShell commands or the new portal.  

Best practice: Ensure you have a solid enterprise naming convention in place for naming resource groups and resources.  This will make navigating, locating, and managing resources much easier.

To create a new Azure Resource Group, you will need to utilize the new Azure Resource Manager (ARM) PowerShell commands.  Make sure you have installed the latest Azure PowerShell components from before starting.  You will log into Azure Government with the following command to access the ARM commands:

Login-AzureRMAccount –EnvironmentName AzureUSGovernment

Once you are logged in you can get a list of your existing / default resource groups by running the command:


You can also easily view a list of existing resource groups through the new Azure portal.   The portal also enables you to quickly drill down into a group to see what resources are already assigned. 

Unfortunately as of today (8/4/2016) the new preview portal does not allow you to create new resource groups.  To create a new resource group you will need to utilize PowerShell.  Below is an example of creating a new resource group in the US Government Virginia region with a name of MyDemoResourceGroup.

New-AzureRmResourceGroup -Location “USGov Virginia” -Name MyDemoResourceGroup

Now that we have a resource group we can begin creating new resources or move existing resources into it.   The simplest way to do this is by using the new portal.   Below are a few quick steps to move a resource from one group to another:

  1. Open up the new portal and drill down into a resource group that contains a resource you wish to move.
  2. Select the resource and from the settings panel choose properties.
  3. Under the resource group heading in the properties panel you will find a ling to Change resource group.  Clicking on this will provide you with a move resource panel.
  4. Choose the resources you wish to move, select the destination resource group, check the acknowledgement check box, and then click OK.   Within a few moments your resources will be moved into the destination resource group.

There are some limitations to moving resources between groups which are outlined in a documentation article titled “Move resources to new resource group or subscription”.   I highly recommend reading over this article.  You will also find examples of using PowerShell to move resources between groups in this article.


Once the resources are well organized in a structure of resource groups it is now possible to utilize tagging for identification purposes.  Although classic resources do not support tagging, you can apply tags to resource groups.   This means that you can still utilize tags to help categorize and organize your classic Azure resources.

Tags are a simple collection of key – value pairs that are associated with a resource group or an Azure Resource Manager resource.   As mentioned above, it is not possible to apply tags directly to classic Azure resources.

Best practice: Identify a tagging standard for your organization.  Ensure that all new resource groups and resources (when applicable) have the same basic tag structure. 

Resource groups and Azure Resource Manager resources can be assigned multiple key – value tags.   This provides a maximum amount of flexibility to build out a standard that works best for an organization.   Below is a small sample of keys that you may wish to assign to a resource group:

  • Agency / Department
  • Project
  • Type (Dev/QA/Test)
  • Cost Center

The easiest way to apply tags to a resource group is through the new Azure portal.   With just a few steps you can add tags with values to your resource groups.

  1. Open up the new Azure portal and choose a resource group.
  2. In the resource group details panel, click on the tag graphic in the upper right section.
  3. Enter in your key-value tag pairs for the resource group.

Once you have tagged resources you can utilize PowerShell to quickly locate resource groups or resources with a specific tag key and value.   The PowerShell command below outputs all resource group names that have the tag name of Agency with a value of Finance.

Find-AzureRmResourceGroup -Tag @{ Name=”Agency”; Value=”Finance” } -WarningAction SilentlyContinue | %{ $_.Name }

Even though Azure classic resources cannot have tags on them directly, we can utilize Azure Resource Groups to group to tag a collection of Azure classic resources.  

Role Based Access Control

By combining Azure Resource Groups with Role Base Access Control (RBAC) your organization can quickly assign proper access permissions.  RBAC enables you to provide fine grain permissions to individuals that need access to view or manage Azure Resources.  This allows us to get away from the classic model where the only management roles were subscription administrator or subscription co-administrator.   Now we can enable a more delegated approach to resource management.

Unlike tagging, RBAC can be applied to classic resources along with resource groups and ARM resources.

Note: Users who are not subscription administrators or co-administrators but have been assigned RBAC permissions on a classic object cannot manage that object using Azure Classic Powershell or the classic portal.   They must use the Azure Resource Manager PowerShell login and commands or perform management actions using the new portal.

Going Forward

The future is looking great for Azure Government!  As more ARM resource providers are deployed we will have more and more great capabilities to utilize, including ARM templates.   My recommendation is that if you are an Azure Government customer , you should begin poking around in the new preview portal.  This will prepare you well for upcoming updates to Azure Government.

Leave a Reply