How to enforce a policy on Azure Batch Pools Resource Tags

Francesco Cipolla 20 Reputation points
2025-05-26T16:16:58.4+00:00

Hi!
I've been trying to define a policy that denies creation of a Pool in my Azure Batch account, unless it comes with specific Resource Tags during its creation.
I tried with the following terraform code snippet, which generally works well for other resources (such as storage account, resource groups etc.):

resource "azurerm_policy_definition" "tags_enforcement_policy" {
  name         = "Enforce-Required-Tags-On-Azure-Batch-Pools"
  policy_type  = "Custom"
  # "All" so that child resource types such as batchAccounts/pools are evaluated
  mode         = "All"
  display_name = "Enforce Required Tags on Azure Batch Pools"
  policy_rule = jsonencode({
    if = {
      allOf = [
        {
          field  = "type"
          equals = "Microsoft.Batch/batchAccounts/pools"
        },
        {
          anyOf = [
            {
              # inspects the resource-level "tags" property of the pool resource
              field  = "tags['required_tag']"
              exists = "false"
            }
          ]
        }
      ]
    },
    then = {
      effect = "deny"
    }
  })
}


resource "azurerm_resource_policy_assignment" "azure_batch_tag_enforcement_assignment" {
  name                 = "azure-batch-tag-enforcement-assignment"
  resource_id          = azurerm_batch_account.mybatchaccount.id
  policy_definition_id = azurerm_policy_definition.tags_enforcement_policy.id
}

While the policy itself is applied correctly, this prevents creation of all Batch Pools, even if the expected required_tag is added.
Upon further investigation I realised that Batch Pools have Resource Tags, but these are not to be confused with the actual resource-level tag that is understood by Azure Policy or Azure

I tried the following test, along with many others:

policy_rule = jsonencode({
  if = {
    allOf = [
      {
        field  = "type"
        equals = "Microsoft.Batch/batchAccounts/pools"
      },
      {
        anyOf = [
          {
            # attempt to address the pool's properties.resourceTags directly
            field  = "Microsoft.Batch/batchAccounts/pools/resourceTags.required_tag"
            exists = "false"
          }
        ]
      }
    ]
  },
  then = {
    effect = "deny"
  }
})

But this is not recognised as a correct policy definition.

I am wondering: is there a way to check existence of Batch Pool resource tag with Azure Policy?
If no, are automated scripts the only solution?

Thank you!


Accepted answer
Pramidha Yathipathi 1,135 Reputation points Microsoft External Staff Moderator
2025-05-26T19:09:54.96+00:00

Hi Francesco Cipolla,

It appears that you're correctly applying a policy definition, but it's not working as intended with the Azure Batch Pools, as it's denying creation even when the required tag is present. This could stem from the way Azure Batch handles resource tags compared to traditional resource-level tags recognized by Azure Policy.

Azure Batch Pools indeed have resource tags, which operate differently and may not be compatible with the standard Azure Policy checks you're attempting. In Azure Policy, typically, you check against resource-level tags rather than these specific Batch resource tags.

The error you're encountering with your JSON policy rules for checking Microsoft.Batch/batchAccounts/pools/resourceTags.required_tag likely arises because Azure Policy doesn't allow for such granular checks on resource tags. Instead, it's usually aimed at resource-level tags.

There's currently no direct way to enforce a policy on Azure Batch Pools for their specific resource tags using Azure Policy. Instead, you might consider using automated scripts (like Azure Functions or Azure Logic Apps) to periodically validate resources and ensure that they have the required tags, applying them if necessary.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support

https://learn.microsoft.com/en-us/azure/templates/microsoft.batch/batchaccounts/pools?pivots=deployment-language-terraform

If you found this information helpful, please click "Upvote" on the post to let us know.
If you have any further queries, feel free to reach out to us; we are happy to assist you.

Thank You.

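An offline version of the check the accepted answer suggests scripting, added here as an example; it is not code from either poster. It takes the ARM JSON for Microsoft.Batch/batchAccounts/pools resources (the `value` array of an ARM list response; obtaining it with `az rest` or the Batch management SDK is assumed and not shown), reads each pool's properties.resourceTags, and reports the pools that lack a required key. It applies the same semantics as the policy rule in the question: the key only has to exist, its value is not inspected, and key comparison is case-insensitive as it is for tags in Azure Policy. It also exposes the pool's resource-level `tags` property, which is the property the alias `tags['required_tag']` inspects and which is distinct from properties.resourceTags. The four sample pools are constructed, not captured from a real account.

```python
"""Report Azure Batch pools whose properties.resourceTags lack required keys.

Added example (not code from the question or the answer). It evaluates the
condition the poster's policy rule tried to express, but against the pool's
properties.resourceTags rather than the resource-level `tags` property.
The sample pools below are constructed; a real run would be fed the ARM list
response for Microsoft.Batch/batchAccounts/pools (assumption: obtained with
`az rest` or the Batch management SDK, not shown here).
"""
from __future__ import annotations

import json
import sys

POOL_TYPE = "Microsoft.Batch/batchAccounts/pools"
REQUIRED_TAGS = ("required_tag",)

# Constructed sample in the shape of an ARM list response ({"value": [...]}).
SAMPLE_POOLS_JSON = json.dumps({
    "value": [
        {   # compliant: required_tag present in resourceTags
            "type": POOL_TYPE, "name": "pool-compliant",
            "properties": {"resourceTags": {"required_tag": "cc-42", "env": "prod"}},
        },
        {   # non-compliant: resourceTags present but the required key is missing
            "type": POOL_TYPE, "name": "pool-missing",
            "properties": {"resourceTags": {"env": "dev"}},
        },
        {   # non-compliant: no resourceTags at all
            "type": POOL_TYPE, "name": "pool-no-resourcetags",
            "properties": {},
        },
        {   # compliant: tag keys compare case-insensitively, as in Azure Policy
            "type": POOL_TYPE, "name": "pool-mixed-case",
            "properties": {"resourceTags": {"Required_Tag": ""}},
        },
    ]
})


def load_pools(text: str) -> list[dict]:
    """Parse an ARM list response ({"value": [...]}) or a bare JSON array and
    keep only Microsoft.Batch/batchAccounts/pools resources."""
    doc = json.loads(text)
    items = doc.get("value", []) if isinstance(doc, dict) else doc
    return [p for p in items if p.get("type", "").lower() == POOL_TYPE.lower()]


def sample_pools() -> list[dict]:
    """Return the constructed sample pools as parsed ARM resource dicts."""
    return load_pools(SAMPLE_POOLS_JSON)


def resource_level_tags(pool: dict) -> dict:
    """The resource-level `tags` property, i.e. what the policy alias
    tags['required_tag'] inspects. None of the sample pools carries one."""
    return dict(pool.get("tags") or {})


def pool_resource_tags(pool: dict) -> dict:
    """The Batch-specific properties.resourceTags map, keys lower-cased so the
    comparison is case-insensitive like Azure Policy's tag evaluation."""
    props = pool.get("properties") or {}
    return {k.lower(): v for k, v in (props.get("resourceTags") or {}).items()}


def missing_required_tags(pool: dict, required=REQUIRED_TAGS) -> list[str]:
    """Required keys absent from the pool's resourceTags. Mirrors the policy's
    `exists` check: only key presence matters, an empty value still counts."""
    present = pool_resource_tags(pool)
    return [key for key in required if key.lower() not in present]


def evaluate(pools: list[dict], required=REQUIRED_TAGS) -> dict[str, list[str]]:
    """Map each non-compliant pool name to the required keys it is missing."""
    report: dict[str, list[str]] = {}
    for pool in pools:
        missing = missing_required_tags(pool, required)
        if missing:
            report[pool["name"]] = missing
    return report


if __name__ == "__main__":
    # Read the ARM JSON from a file argument, or fall back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POOLS_JSON
    report = evaluate(load_pools(text))
    print(json.dumps(report, indent=2))
    # Non-zero exit so a pipeline, Function or Logic App step can flag it.
    sys.exit(1 if report else 0)
```

Before settling on a script, the check worth doing is whether Azure Policy exposes an alias for the property at all, since a custom `field` is only valid if it matches a published alias. `az provider show --namespace Microsoft.Batch --expand "resourceTypes/aliases"` lists the aliases per resource type (the `--expand` form is the one the Azure Policy definition-structure docs use; narrowing it with `--query "resourceTypes[?resourceType=='batchAccounts/pools'].aliases[].name"` assumes that resourceType string). If no alias under `Microsoft.Batch/batchAccounts/pools/` covers resourceTags, the `field` in the second snippet cannot be accepted, and the script above is the fallback.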