Managed Applications and tags

When they are deployed, Azure Managed Applications create a so called “Managed Resource Group”. This resource group contains all the Azure Services that the managed application needs to function. Since this resource group is not created manually, it is not straight forward to tag this resource group. Also, when tags are added manually to the managed resource group afterwards, they get removed again on the next deployment of the managed application.

What's the solution?

The solution is an undocumented feature (at least I did not find any documentation): When the managed application is tagged, the tags are inherited by the managed resource group. If you, e.g., create a ux4iot instance using Bicep, you can do this:

     resource managedApp 'Microsoft.Solutions/applications@2021-07-01' = {
  name: 'ux4iot'
  kind: kind
  location: resourceGroup().location
  tags: {
    customer: 'di'
    project: '@sth'
  plan: serviceCatalog ? null : {
    name: 'standard'
    product: 'ux4iot'
    publisher: 'deviceinsightgmbh-4961725'
    version: '2.0.0'
  properties: {
    managedResourceGroupId: managedGroupId
    applicationDefinitionId: serviceCatalog ? '/subscriptions/ab92703c-7fdb-4a1e-8ea8-b402f4e2ea25/resourceGroups/ux4iot-shared/providers/Microsoft.Solutions/applicationDefinitions/ux4iot' : null
    parameters: {
      iotHubEventHubConnectionString: {
        value: iotHubEventHubConnectionString
      iotHubServiceConnectionString: {
        value: iotHubServiceConnectionString

The managed resource group will get the tags customer and project.

This is also the behavior of AKS which has a similar situation with auto-created resource groups, see here.

Recommended posts

Stefan Hudelmaier

Vetting Azure Managed Applications through CI/CD

How to speed up reviews for Azure Managed Applications with the right validity checks.
Robert Lohr

Use Azure AD Workload Identity for Pod-Assigned Managed Identity in AKS

How to make your life easier using Azure AD Workload Identity for authentication within AKS.