Azure Resource Tag Compliance Enforcer
A daily flow uses Azure Resource Manager to enumerate resources, checks each against a required-tag policy (owner, costcenter, environment), writes violations to Dataverse, and posts a compliance scorecard to Teams. Optionally auto-applies default tags to non-compliant resources. Keeps cloud governance and cost allocation accurate.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow enforces Azure resource-tagging governance using the Azure Resource Manager (ARM) connector. On a daily schedule it enumerates every resource in a target subscription, checks each one against a required-tag policy (e.g. owner, costcenter, environment), writes every violation to a Dataverse audit table, and posts a compliance scorecard to a Microsoft Teams channel. When an opt-in toggle is enabled it can also auto-apply default tag values to non-compliant resources.
Why it matters: untagged resources break cost allocation (chargeback) and ownership accountability. A daily automated sweep - with an audit trail and optional remediation - keeps the tag estate clean without waiting for a manual quarterly portal review.
Ships turned off (demo).
Use Case
A cloud governance / FinOps team mandates tags for chargeback and ownership. They need continuous detection of untagged resources, a durable audit trail for trend reporting, a daily scorecard the team can act on, and optional automatic remediation - not a manual portal review.
Flow Architecture
Daily Tag Compliance Sweep
Recurrence: morning compliance sweep (daily 06:00 EST).
Initialize Config & Counters
Initialize variable: mints a correlation id; binds subscription, api-version, required tags (split), tag defaults, auto-remediate toggle, Teams ids; seeds the total/violation counters and the scorecard HTML.
List Subscription Resources
ARM Resources_List: enumerates every resource in the subscription (the real data source).
For Each Resource
Apply to each (concurrency 1): composes the existing tags and the missing required keys, increments the total and, on any missing tag, increments the violation count, appends a scorecard line and logs the violation to Dataverse. Concurrency stays at 1 because Increment variable is not safe under parallel iterations (updates are lost and the counters drift), and sequential calls keep the flow well inside ARM throttling limits.
Optional Auto-Remediate
ARM Resources_GetById + Resources_CreateOrUpdateById: when the toggle is true, reads the resource and PUTs it back with the missing tags merged (existing values preserved). This is a full PUT of the resource, not a tag-only update, so it runs with whatever write permission the connection's identity holds on that resource type; read the Customization Guide before enabling it.
Compose % + Post Scorecard
Compose + Teams: computes the compliance percentage and posts the scorecard (%, totals, violation list) to the governance channel.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_AzureSubscriptionId | String | <your-subscription-id> | Subscription scope of the sweep. |
| flowlibs_RequiredTags | String | owner,costcenter,environment | Comma-separated mandatory tag keys. |
| flowlibs_TagDefaultsJson | String | {"owner":"UNASSIGNED","costcenter":"UNASSIGNED","environment":"UNASSIGNED"} | Tag to default-value map applied during optional remediation (keys must align with Required Tags). |
| flowlibs_TagComplianceApiVersion | String | 2021-04-01 | ARM REST api-version for the GetById / PUT calls. It must be a version the resource's own provider supports, so one subscription-wide value will not fit every resource type; this is one reason remediation is tested per type. |
| flowlibs_TagAutoRemediate | String | false | When true, applies default tags to non-compliant resources. Off by default (detect + report only). Note that a remediated resource satisfies the key check on the next sweep even though its values are UNASSIGNED, so the Dataverse violation rows, not the scorecard, remain the record of what was auto-filled. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team that receives the scorecard. |
| flowlibs_TeamsChannelId | String | <your-channel-id> | Teams channel that receives the scorecard. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Resource Manager | shared_arm | Resources_List Resources_GetById Resources_CreateOrUpdateById |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Required-tag policy
- Edit flowlibs_RequiredTags (keys) and flowlibs_TagDefaultsJson (defaults), keeping them aligned and mirroring your Azure Policy tag requirements.
- Enable auto-remediation
- Set flowlibs_TagAutoRemediate to true. The remediation step is a PUT on the resource itself (Resources_CreateOrUpdateById), so the ARM connection's identity needs write permission on every resource type it will touch; the Tag Contributor role only grants the Microsoft.Resources/tags operations and is not sufficient for that PUT. Keep a detect-only deployment on Reader, grant write scope only where remediation is wanted, and test per resource type, because on some providers a full PUT is rejected or behaves as a replace rather than a tag-only update.
- Narrow the scope
- Add a $filter to Resources_List (e.g. resourceType eq 'Microsoft.Storage/storageAccounts') to restrict the sweep, or page with $top and follow the response's nextLink in a Do until loop for very large subscriptions.
- Email the owner
- Add Office 365 Outlook SendEmailV2 in the violation branch addressed to the resource's owner tag with the missing-tag list. Only send when the owner tag is present (it is often the missing one), and check that its value is a mailbox in your tenant before using it as a recipient, since a tag value is free text set by whoever created the resource.
- Cost overlay
- Join the Tag Violations table with Cost Management data to quantify untagged spend and trend it in Power BI.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics; the heaviest expressions are the missing-tag detection and the tag merge used by remediation. They are listed below in the order they appear in the flow.
EXPR.01: Existing tags (null-safe)
Resource's current tags.
EXPR.02: Missing-tag detection
Required keys this resource is missing.
EXPR.03: Compliance %
Whole-number compliance percentage.
EXPR.04: Tag merge (existing values win)
Remediation merge preserving existing values.
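The four expressions above, plus the nextLink paging and $filter narrowing from the Customization Guide, modelled in plain Python so the policy can be checked against sample data before it is wired into the flow. This is an added example, not the flow's own WDL expressions; the two-page Resources_List response, the resource ids and the subscription id are constructed, and the function names are the example's own.

```python
"""Stand-in model of the Tag Compliance Enforcer's per-resource logic.

Added example (not the flow's WDL): reproduces EXPR.01-04 and the nextLink
paging / resourceType narrowing over a constructed ARM Resources_List sample.
"""
from __future__ import annotations

import json
from typing import Iterator

# Same defaults as the environment variables on this page.
REQUIRED_TAGS = "owner,costcenter,environment"
TAG_DEFAULTS_JSON = '{"owner":"UNASSIGNED","costcenter":"UNASSIGNED","environment":"UNASSIGNED"}'

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"

# Constructed stand-in for two pages of a Resources_List response
# (shape: {"value": [...], "nextLink": "..."}). Ids are hypothetical.
SAMPLE_PAGES = {
    "page1": {
        "value": [
            {"id": SUB + "Microsoft.Storage/storageAccounts/stgood",
             "type": "Microsoft.Storage/storageAccounts",
             "tags": {"Owner": "alice@example.com", "costcenter": "CC100", "environment": "prod"}},
            {"id": SUB + "Microsoft.Compute/virtualMachines/vm-notags",
             "type": "Microsoft.Compute/virtualMachines",
             "tags": None},  # ARM returns null, not {}, for some untagged resources
        ],
        "nextLink": "page2",
    },
    "page2": {
        "value": [
            {"id": SUB + "Microsoft.Storage/storageAccounts/stpartial",
             "type": "Microsoft.Storage/storageAccounts",
             "tags": {"environment": "dev"}},
            {"id": SUB + "Microsoft.Web/sites/app1",
             "type": "Microsoft.Web/sites"},  # "tags" key absent entirely
        ],
    },
}


def required_keys(csv: str) -> list[str]:
    """flowlibs_RequiredTags split, trimmed and lower-cased."""
    return [k.strip().lower() for k in csv.split(",") if k.strip()]


def existing_tags(resource: dict) -> dict[str, str]:
    """EXPR.01: null-safe tags (key missing or null both mean 'no tags')."""
    return dict(resource.get("tags") or {})


def missing_tags(resource: dict, required: list[str]) -> list[str]:
    """EXPR.02: required keys absent. Azure tag names are case-insensitive,
    so an existing 'Owner' satisfies a required 'owner'."""
    present = {k.lower() for k in existing_tags(resource)}
    return [k for k in required if k not in present]


def compliance_pct(total: int, violations: int) -> int:
    """EXPR.03: whole-number percentage, guarding the empty-scope division."""
    if total == 0:
        return 100
    return (total - violations) * 100 // total


def merge_tags(existing: dict, defaults: dict, missing: list[str]) -> dict:
    """EXPR.04: existing values win; only missing keys are filled from defaults."""
    merged = dict(existing)
    for key in missing:
        if key in defaults:  # keys absent from TagDefaultsJson stay unfilled
            merged[key] = defaults[key]
    return merged


def list_resources(pages: dict, first: str = "page1",
                   resource_type: str | None = None) -> Iterator[dict]:
    """Follow nextLink until exhausted; resource_type mimics $filter resourceType eq '...'."""
    link: str | None = first
    while link:
        page = pages[link]
        for r in page["value"]:
            if resource_type is None or r["type"].lower() == resource_type.lower():
                yield r
        link = page.get("nextLink")


def sweep(pages: dict, required_csv: str = REQUIRED_TAGS,
          defaults_json: str = TAG_DEFAULTS_JSON, auto_remediate: bool = False,
          resource_type: str | None = None) -> dict:
    """One daily sweep: counters, Dataverse-style violation rows and, when the
    toggle is on, the merged tag set that the PUT would carry per resource."""
    required = required_keys(required_csv)
    defaults = {k.lower(): v for k, v in json.loads(defaults_json).items()}
    total = violations = 0
    rows, remediations = [], {}
    for r in list_resources(pages, resource_type=resource_type):
        total += 1
        missing = missing_tags(r, required)
        if not missing:
            continue
        violations += 1
        rows.append({"resourceId": r["id"], "missing": missing})
        if auto_remediate:
            remediations[r["id"]] = merge_tags(existing_tags(r), defaults, missing)
    return {"total": total, "violations": violations,
            "pct": compliance_pct(total, violations),
            "rows": rows, "remediations": remediations}


if __name__ == "__main__":
    report = sweep(SAMPLE_PAGES, auto_remediate=True)
    print(f"Compliance: {report['pct']}% ({report['total'] - report['violations']}/{report['total']})")
    for row in report["rows"]:
        print(f"  {row['resourceId'].rsplit('/', 1)[-1]}: missing {', '.join(row['missing'])}")
```

Running it on the constructed sample reports 25% compliance: the storage account with a capitalised Owner tag passes, the null-tagged VM and the web app miss all three keys, and the partially tagged account misses owner and costcenter. The remediation body for that last resource keeps environment=dev and fills only the two missing keys, which is the behaviour EXPR.04 has to preserve.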