Skip to main content

Automatically apply resource tags during Azure onboarding

When you onboard an Azure subscription, the data protection platform automatically creates backend resources to manage your data protection. These resources include:

  • A Resource Group

  • Two Key Vaults (primary and secondary)

  • A user-assigned Managed Identity

Many organizations use Azure Policy to enforce strict resource-tagging strategies. If your target subscription requires specific tags during resource creation, Azure will block the deployment of these backend components, causing onboarding to fail.

To ensure a seamless deployment without changing your security or governance posture, you can supply your required organizational tags before onboarding. The platform automatically detects these tags and applies them to all created resources.

Prerequisites

Before starting onboarding, ensure you have the following access:

  • You must have the Owner or User Access Administrator role on the target Azure subscription.

Tag formatting

The system looks for a specific tag on your Azure subscription to identify the tags you want to apply.

  • Tag Name: DRUVA_CUSTOM_TAGS

  • Tag Value: Enter your tags as comma-separated key-value pairs using the format Key:Value.

โš ๏ธ Important! Do not include spaces before or after the colons or commas.

  • Correct: Environment:Production,CostCenter:1024

  • Incorrect: Environment : Production , CostCenter : 1024

Step 1: Add the tag to your Azure subscription

  1. Sign in to the Azure portal.

  2. Search for and select Subscriptions.

  3. Select the subscription you want to onboard.

  4. On the left menu, select Tags.

  5. In the Name field, type DRUVA_CUSTOM_TAGS.

  6. In the Value field, type your comma-separated tags (for example: Environment:Production,CostCenter:1024).
    โ€‹

  7. Select Apply.

Step 2: Complete onboarding in the console

Once the subscription tag is applied in Azure, proceed to the management console and complete your subscription onboarding workflow. The platform will automatically read the DRUVA_CUSTOM_TAGS value and apply your individual keys and values to the newly deployed infrastructure.

Tagged resources

The platform applies tags to the following resources created during onboarding:

  • Resource Group

  • Key Vaults

  • Managed Identity

Limitations

Be mindful of the following limitations when configuring tag propagation:

  • Character limits: The total string length within the DRUVA_CUSTOM_TAGS value cannot exceed 256 characters.

  • Special characters: Tag keys and values can only contain alphanumeric characters, spaces, and the following symbols: +, -, =, ., _, :.

  • Onboarding updates: If you modify your subscription tags in the Azure portal after initial onboarding, the system does not automatically sync those changes to existing resources. The new tags only apply to resources deployed after the modification.

Related Articles
Roles and permissions to protect Azure Resources
Troubleshooting Azure onboarding issues
Pre-requisites for protecting Azure SQL resources
Prerequisites to protecting Azure resources
Customizing Quantum Bridge Placement for Azure Files and Azure Blob Storage
Did this answer your question?