Microsoft Azure - Add Tag to Cloud Instance

Updated on 20 Mar 2025
2 Minutes to read

Print
Share
Dark
Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

Microsoft Azure - Add Tag to Cloud Instance adds a tag to Microsoft Azure cloud instances for:

Assets returned by the selected query or assets selected on the relevant asset page.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

Note:

Not all asset types are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.

Required Fields

These fields must be configured to run the Enforcement Set.

Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

Use stored credentials from the Microsoft Azure Adapter - Select this option to use the connected Microsoft Azure adapter credentials.
- When you select this option, the Select Adapter Connection drop-down becomes available. Select the adapter connection to use for this Enforcement Action.
Note:
To use this option, you must successfully configure a Microsoft Azure adapter connection.
Tag names - The tag name to be added to the Microsoft Azure cloud instance.
- A tag name can have a maximum of 512 characters and is case-insensitive.
- Tag names cannot have the following prefixes which are reserved for Azure use: 'microsoft', 'azure', 'windows'.
Tag values - The tag value to be added to the Microsoft Azure cloud instance.
- If the tag already exists on the cloud instances, its value will be overridden with the specified value.
Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.

Additional Fields

These fields are optional.

Connection and Credentials

When Use stored credentials from the adapter is toggled off, some of the connection fields below are required to create the connection, while other fields are optional.

Azure subscription ID - The Subscription ID access control role in IAM for the Axonius application, as detailed in the Required Permissions section.
Cloud environment (default: Azure Public Cloud) - Select your Azure cloud environment type.
Azure client ID - The Application ID of the Axonius application, as detailed in the Required Permissions section.
Azure client secret - A user created key for the Axonius application, as detailed in the Required Permissions section.
Azure tenant ID - Microsoft Azure Active Directory ID, as detailed in the Required Permissions section.
Verify SSL (optional) - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

APIs

Axonius uses the Microsoft Azure - Tags - Create Or Update API.

Required Permissions

To connect to Microsoft Azure, you need to create a designated Axonius application in the Microsoft Azure Portal and grant it read-only permissions. All required credentials will be given once an application is created. For details, see Creating an application in the Microsoft Azure Portal.

Using Add Tag to Microsoft Azure Cloud Instance action requires a role similar to "Tag Contributor" (build-in role). At the very least, read access to the relevant resources is required, along with the permission to read and write tags (microsoft.resource.tags).

For more details about other Enforcement Actions available, see Action Library.

Was this article helpful?

What's Next

Microsoft Entra ID (formerly Azure AD) - Add or Remove Assets in Group

Table of contents

Required Fields
Additional Fields
APIs
Required Permissions