![The $100K Problem That Resource Tags Would Have Prevented [2025 Guide]](../../static/images/hero/resource-tags.png)
The $100K Problem That Resource Tags Would Have Prevented [2025 Guide]
2025-11-24 Β· ~31 min read
How the TYPE tag plus 5 critical tags saved $113,800 on Azure Arc patching costs. Complete 2025 Azure tagging strategy with KQL queries, PowerShell scripts, and Policy enforcement.
In my last post about Azure Update Manager, I showed you how our "1,791 VMs needing updates" was actually only 348 VMs that should be in Update Manager at all. We filtered out Citrix VDI, Databricks clusters, security appliances, and everything else that shouldn't be there.
But that post left a critical question unanswered: How do you actually DO that filtering at scale?
The answer: Resource tags.
More specifically: The TYPE tag plus five other critical tags that create organizational context.
Without these tags, Azure's "one pane of glass" is just "one pane of chaos":
- Can't tell servers from desktops from appliances
- Can't separate production from dev/test
- Can't allocate costs by business unit
- Can't delegate patch management responsibility
- Can't filter out systems that shouldn't be there
The absence of these tags just cost my organization $100,000. We bought Red Hat Satellite because we couldn't answer basic questions about 47 Linux servers. Questions that proper tagging would have answered in seconds.
This post is the resource tagging strategy I wish we'd implemented three years ago. It would have saved us six figures and countless hours of organizational paralysis.
The Problem - Azure Shows Everything With No Context
When you connect on-premises servers to Azure Arc, they appear in the Azure Portal immediately. Azure Resource Manager sees them. Azure Update Manager sees them. Cost Management sees them.
But Azure has no idea what they actually are.
Here's what happened in our environment:
Azure Update Manager dashboard:
Total machines: 1,791
Machines needing updates: 1,791
What Azure thought we had:
- 1,791 machines that need patching
What we actually had:
348 Windows/Linux servers (should be in Update Manager)
900 Citrix VDI hosts (managed through Intune + golden images)
170 Databricks cluster nodes (managed by Databricks service)
46 security appliances (Palo Alto, F5 - vendor tools only)
44 Windows 10/11 dev workstations (need Intune, not Update Manager)
20 network appliances (switches, routers - vendor managed)
7 storage appliances (vendor managed)
Various other specialized systems
Total: 1,791 machines
Actually need Update Manager: 348 (19%)
Azure couldn't tell the difference because we had no tags.
Every compliance report was wrong. Every cost report was meaningless. Every attempt to delegate responsibility failed because we couldn't answer: "Which systems are yours?"
The Real-World Cost - The $100K Satellite Purchase
Here's how the absence of resource tags cost us $100,000.
The scenario:
We had 47 RHEL 6 servers running on-premises in VMware. RHEL 6 went end-of-life in November 2020. We needed a patching solution during our 2-3 year migration to RHEL 8.
The organizational question:
"Who's responsible for patching these servers, and how should we do it?"
What we knew:
- The Linux admin owned the servers (clear responsibility)
- The Cloud team already managed Azure Arc
- Arc could connect on-prem servers for $5/month per server
What we DIDN'T know (because no tags):
We couldn't answer these basic questions:
- What TYPE are these systems? (All servers? Any appliances mixed in?)
- Which ones are production vs dev/test?
- What applications run on them?
- Which business units should pay?
- Which can be migrated first vs last?
- Which are critical vs expendable?
The result:
Three months of meetings trying to answer these questions. Nobody had visibility. The Linux admin didn't know. VMware just showed server names like "rhel6-prod-12" with no context. We couldn't query anything meaningful.
Management's decision:
"Just buy Red Hat Satellite for the Linux admin. Make it his tool. We don't have time for this."
The cost:
Satellite infrastructure: $12K/year
RHEL 6 Extended Life Cycle Support: $47K/year
Total: $59K/year Γ 2 years = $118,000
vs. the Arc solution the Cloud team proposed:
Arc licensing (2025 pricing): $5/server/month Γ 35 servers Γ 12 months = $2,100/year
2-year Arc cost: $2,100 Γ 2 = $4,200
Savings we didn't get: $113,800
Why Arc lost:
We couldn't answer the most basic question: What TYPE of systems are these?
Turns out, those "47 RHEL 6 servers" were actually:
- 35 actual RHEL 6 servers (Type: Server)
- 8 RHEL 6-based network monitoring appliances (Type: Appliance)
- 4 RHEL 6 developer workstations (Type: Desktop)
If we'd had TYPE tags, we would have known:
- The 35 servers: Could use Arc + archived repos during migration
- The 8 appliances: Vendor-managed only (can't patch through Satellite anyway)
- The 4 workstations: Different patching approach entirely
Instead, we bought Satellite for all 47 at $100/server/year.
We needed it for maybe 35 actual servers. We wasted $5,640 on systems that shouldn't have been in the solution at all.
Tags would have saved $113,800.
The Enterprise Tagging Taxonomy
Here's the complete tagging standard that would have prevented our $100K mistake.
The Foundation: TYPE Tag
Before anything else, you must classify what TYPE of resource you're dealing with.
This is your primary filter. Everything else depends on it.
Tag: Type
Values: Server | Desktop | Appliance | Database-Cluster | VDI-Host | Container-Host
Purpose: Fundamental classification - determines which management tools apply
Example: Type: Server
Why TYPE is critical:
Type: Server
β Can use Azure Update Manager
β Should appear in patching reports
β Normal server OS patching rules apply
Type: Desktop
β Cannot use Update Manager (shows "unsupported")
β Needs Intune or SCCM
β Different patching schedule than servers
Type: Appliance
β Cannot use Update Manager (shows "no updates data")
β Vendor-specific management tools required
β Should be filtered OUT of Update Manager entirely
Type: Database-Cluster
β Managed by the service (Databricks, etc.)
β Should be filtered OUT of Update Manager
β Different cost allocation model
Type: VDI-Host
β Patched via golden image updates
β Different process than individual servers
β Managed by desktop team, not server team
This is why we saw 1,791 VMs in Update Manager instead of 348.
Without TYPE tags, Azure treated everything the same.
The Five Additional Critical Tags
Once you know the TYPE, you need these five tags for complete organizational context:
1. Owner (Who's responsible)
Tag: Owner
Values: Finance-Team, Marketing-Team, Engineering-Team, IT-Infrastructure, Security-Team
Purpose: Who owns this resource and makes decisions about it
Example: Owner: Finance-Team
Why critical: Delegation and accountability
2. Application (What runs on it)
Tag: Application
Values: ERP-System, CRM, Databricks, Citrix-VDI, Palo-Alto-Firewall, SQL-Server, etc.
Purpose: What workload/application this resource supports
Example: Application: ERP-System
Why critical:
- Application-level reporting and dependency mapping
- Migration planning (which apps can move to Azure)
- License tracking (SQL Server, Oracle, etc.)
- Disaster recovery grouping
The Application tag unlocks migration planning:
When you're planning Azure migration, the Application tag tells you which applications CAN'T migrate:
// Find applications that must stay on-premises
Resources
| where type =~ "microsoft.hybridcompute/machines"
| extend app = tostring(tags.Application)
| where app in ("Palo-Alto-Firewall", "F5-Load-Balancer", "Legacy-Mainframe")
| summarize VMCount = count() by app
And which applications SHOULD migrate first:
// Find modern applications ready for Azure
Resources
| where type =~ "microsoft.hybridcompute/machines"
| extend
app = tostring(tags.Application),
osName = tostring(properties.osName)
| where osName contains "Windows Server 2019" or osName contains "Windows Server 2022"
| where app !in ("Palo-Alto-Firewall", "F5-Load-Balancer")
| summarize VMCount = count() by app
| order by VMCount desc
Migration planning with cost impact:
// Which migration waves have highest cost impact
Resources
| where type =~ "microsoft.hybridcompute/machines"
| where tags.Type == "Server"
| extend
app = tostring(tags.Application),
wave = tostring(tags.MigrationWave)
| join kind=leftouter (
ConsumptionUsageDetails
| where ChargeType == "Usage"
| summarize MonthlyCost = sum(CostInBillingCurrency) by ResourceId
) on $left.id == $right.ResourceId
| summarize
VMCount = count(),
TotalMonthlyCost = sum(MonthlyCost)
by app, wave
| order by wave asc, TotalMonthlyCost desc
The Application tag turns chaos into a migration roadmap.
3. Environment (Production vs Dev vs Test)
Tag: Environment
Values: Production | Development | Test | Staging | DR
Purpose: Deployment environment for change control and scheduling
Example: Environment: Production
Why critical:
- Production patches first (or last, depending on risk tolerance)
- Dev/Test can have more aggressive patching schedules
- Cost allocation (prod vs non-prod)
4. CostCenter (Who pays)
Tag: CostCenter
Values: 680-5019, 680-5056, 680-5101 (your accounting codes)
Purpose: Which budget/department pays for this resource
Example: CostCenter: 680-5019
Why critical:
- Chargeback to business units
- Budget planning
- Cost optimization by department
5. PatchingMethod (How it gets patched)
Tag: PatchingMethod
Values: Azure-Update-Manager | SCCM | Intune | Vendor-Managed | Golden-Image | Manual
Purpose: Which tool/process patches this resource
Example: PatchingMethod: Azure-Update-Manager
Why critical:
- Determines which tool to use
- Prevents conflicts (two tools trying to patch same system)
- Clear operational responsibility
Combined with Type:
- Type: Server + PatchingMethod: Azure-Update-Manager (correct)
- Type: Desktop + PatchingMethod: Intune (correct)
- Type: Appliance + PatchingMethod: Vendor-Managed (correct)
Additional Useful Tags
PatchingOwner: Cloud-Team | SCCM-Team | Linux-Admin | Security-Team
MaintenanceWindow: Sunday-2AM | Wednesday-Midnight | Saturday-3AM
Criticality: Critical | High | Medium | Low
Compliance: PCI-DSS | HIPAA | SOX | None
BackupPolicy: Daily | Weekly | None
DataClassification: Public | Internal | Confidential | Restricted
Migration-specific tags:
MigrationWave: Wave-1 | Wave-2 | Wave-3 | Stay-OnPrem
AzureReady: Yes | No | Needs-Assessment | Vendor-Validation-Required
MigrationBlocker: None | Legacy-App | Licensing | Hardware-Dependency
Future-proofing (2025+ trends):
Workload: Traditional | AI | GenAI | ML-Training | ML-Inference
SustainabilityTracking: Yes | No
DataResidency: US | EU | APAC | Multi-Region
The Hard Truth - Discovery is Manual Work
Here's what I need to tell you upfront:
Azure Arc gives you visibility into your on-premises VMs. It does NOT give you context.
When you install the Arc agent on a VM:
- β
VM appears in Azure Portal
- β
You can see it exists
- β It has NO tags
- β Azure doesn't know what TYPE it is
- β Azure doesn't know who owns it
- β Azure doesn't know what app runs on it
You must do discovery and classification manually.
This takes weeks or months, depending on your environment size. There's no magic button.
The Discovery Process
Phase 1: Technical Inventory (Week 1-2)
Once Arc agents are connected, use KQL to see what you have:
// Complete inventory of Arc-connected machines
Resources
| where type == "microsoft.hybridcompute/machines"
| extend
osType = tostring(properties.osType),
osName = tostring(properties.osName),
osVersion = tostring(properties.osVersion),
cpuCount = toint(properties.detectedProperties.coreCount),
memoryGB = toint(properties.detectedProperties.totalPhysicalMemoryInBytes) / 1024 / 1024 / 1024
| project
name,
resourceGroup,
osType,
osName,
osVersion,
cpuCount,
memoryGB,
tags
| order by name asc
This shows you every Arc-connected VM with technical details, but no business context.
Identify potential TYPE based on OS name:
Resources
| where type == "microsoft.hybridcompute/machines"
| extend osName = tostring(properties.osName)
| extend potentialType = case(
osName contains "Windows Server", "Server",
osName contains "Red Hat Enterprise Linux", "Server",
osName contains "Ubuntu", "Server",
osName contains "CentOS", "Server",
osName contains "Windows 10", "Desktop",
osName contains "Windows 11", "Desktop",
"Unknown - Investigate"
)
| summarize count() by potentialType, osName
| order by count_ desc
The "Unknown - Investigate" entries need manual review - this is where you start your manual classification.
Phase 2: Classification (Week 3-4)
Now the manual work: Classify each VM by TYPE
Create a spreadsheet and start classifying based on OS, role, and naming patterns.
Track classification progress with KQL:
Resources
| where type == "microsoft.hybridcompute/machines"
| where isnull(tags.Type) or tags.Type == ""
| extend osName = tostring(properties.osName)
| project name, resourceGroup, osName
| order by name asc
This becomes your daily "TODO list" - which VMs still need classification.
Pattern analysis to help with classification:
// Group by naming patterns
Resources
| where type == "microsoft.hybridcompute/machines"
| extend
prefix = substring(name, 0, indexof(name, "-")),
osName = tostring(properties.osName)
| summarize
count(),
OSTypes = make_set(osName)
by prefix
| order by count_ desc
This helps you classify in bulk - VMs with similar prefixes often have the same TYPE.
Phase 3: Ownership Discovery (Week 5-6)
Figure out who owns each VM through interviews, resource organization analysis, network segments, and Finance cost center mapping.
This is time-consuming but essential. You need to talk to application owners and business stakeholders.
Phase 4: Application Mapping (Week 7-8)
Map applications to VMs for migration planning and dependency tracking.
Use naming conventions, Azure Migrate dependency mapping, and application owner interviews to document which VMs belong to which applications.
Phase 5: Create the Master Spreadsheet (Week 9-10)
Combine all discovery into one classification spreadsheet:
| VM Name | Type | Owner | Application | Environment | CostCenter | PatchingMethod |
|---|---|---|---|---|---|---|
| sql-prod-01 | Server | Finance-Team | ERP-System | Production | 680-5019 | Azure-Update-Manager |
| fw-palo-01 | Appliance | Security-Team | Palo-Alto-Firewall | Production | 680-5101 | Vendor-Managed |
| win11-dev-23 | Desktop | Engineering-Team | Developer-Workstation | Development | 680-5101 | Intune |
| databricks-w01 | Database-Cluster | Data-Team | Databricks | Production | 680-5101 | Vendor-Managed |
This spreadsheet is the result of 8-10 weeks of work. This is the hard part. There's no automation for this.
Bulk Tagging Implementation
Now that you have the classification spreadsheet, apply tags with PowerShell:
# Import your classification spreadsheet
$vmClassification = Import-Csv -Path "C:\VM-Classification-Complete.csv"
# Connect to Azure
Connect-AzAccount
$successCount = 0
$failCount = 0
$errors = @()
# Bulk apply tags to Arc-connected machines
foreach ($vm in $vmClassification) {
try {
$arcMachine = Get-AzConnectedMachine -Name $vm.VMName -ErrorAction Stop
$tags = @{
Type = $vm.Type
Owner = $vm.Owner
Application = $vm.Application
Environment = $vm.Environment
CostCenter = $vm.CostCenter
PatchingMethod = $vm.PatchingMethod
}
Update-AzTag -ResourceId $arcMachine.Id -Tag $tags -Operation Merge -ErrorAction Stop
Write-Host "β Tagged: $($vm.VMName)" -ForegroundColor Green
$successCount++
}
catch {
Write-Warning "β Failed: $($vm.VMName) - $($_.Exception.Message)"
$errors += [PSCustomObject]@{
VMName = $vm.VMName
Error = $_.Exception.Message
}
$failCount++
}
}
Write-Host "`nTagging Complete:" -ForegroundColor Cyan
Write-Host " Success: $successCount VMs" -ForegroundColor Green
Write-Host " Failed: $failCount VMs" -ForegroundColor Red
if ($errors.Count -gt 0) {
$errors | Export-Csv -Path "C:\Tagging-Errors.csv" -NoTypeInformation
Write-Host "`nErrors exported to: C:\Tagging-Errors.csv" -ForegroundColor Yellow
}
Validate tagging coverage and compliance:
Resources
| where type == "microsoft.hybridcompute/machines"
| extend
hasType = isnotnull(tags.Type),
hasOwner = isnotnull(tags.Owner),
hasEnvironment = isnotnull(tags.Environment),
hasCostCenter = isnotnull(tags.CostCenter)
| extend Compliance = iff(hasType and hasOwner and hasEnvironment and hasCostCenter, "Compliant", "Non-Compliant")
| summarize
TotalVMs = count(),
CompliantVMs = countif(Compliance == "Compliant"),
NonCompliantVMs = countif(Compliance == "Non-Compliant")
| extend ComplianceRate = round(100.0 * CompliantVMs / TotalVMs, 1)
| project TotalVMs, CompliantVMs, NonCompliantVMs, ComplianceRate
Target: 95%+ compliance rate
Enforcement - Azure Policy Prevents Tag Drift
The problem with manual tagging:
You spend 8-12 weeks tagging everything perfectly. Six months later, it's chaos again because:
- New Arc VMs connect without tags
- Different admins don't follow tagging standards
- Urgent deployments skip tagging ("we'll tag it later")
The solution: Azure Policy enforces tags at connection time.
Deny Arc Connection Without Required Tags
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"anyOf": [
{
"field": "tags['Type']",
"exists": "false"
},
{
"field": "tags['Owner']",
"exists": "false"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
What this does:
- Blocks Arc agent connection if VM doesn't have Type and Owner tags
- Forces tagging at creation time
- No more "we'll tag it later"
Deploy via PowerShell:
New-AzPolicyDefinition `
-Name "require-tags-on-arc-vms" `
-DisplayName "Require Type and Owner tags on Arc machines" `
-Policy (Get-Content -Path ".\require-arc-tags-policy.json" -Raw)
New-AzPolicyAssignment `
-Name "enforce-arc-tagging" `
-Scope "/subscriptions/{subscription-id}" `
-PolicyDefinition (Get-AzPolicyDefinition -Name "require-tags-on-arc-vms")
This ensures your 8-12 weeks of tagging work STAYS clean.
Full policy implementation covered in next post: "Azure Policy for On-Premises: How to Maintain Your Tagging Investment"
Filtering Update Manager with Tags
Now that everything is tagged, you can filter properly:
Show Only Servers That Should Use Update Manager:
Resources
| where type =~ "microsoft.compute/virtualmachines"
or type =~ "microsoft.hybridcompute/machines"
| where tags.Type == "Server"
| where tags.PatchingMethod == "Azure-Update-Manager"
| project
name,
resourceGroup,
Type = tags.Type,
Owner = tags.Owner,
Environment = tags.Environment
| order by name asc
Result: 348 VMs (not 1,791)
Show all VMs by TYPE:
Resources
| where type =~ "microsoft.hybridcompute/machines"
| extend vmType = tostring(tags.Type)
| summarize count() by vmType
| order by count_ desc
Cost Allocation with Tags
Tags enable accurate cost allocation and chargeback:
Cost by Business Unit:
Resources
| where type =~ "microsoft.compute/virtualmachines"
or type =~ "microsoft.hybridcompute/machines"
| extend costCenter = tostring(tags.CostCenter)
| join kind=leftouter (
ConsumptionUsageDetails
| where ChargeType == "Usage"
| summarize MonthlyCost = sum(CostInBillingCurrency) by ResourceId
) on $left.id == $right.ResourceId
| summarize TotalCost = sum(MonthlyCost) by costCenter
| order by TotalCost desc
Now Finance can see their infrastructure costs. HR can see theirs. Accountability established.
Patching Costs by Method:
Resources
| where type =~ "microsoft.hybridcompute/machines"
| extend patchMethod = tostring(tags.PatchingMethod)
| summarize VMCount = count() by patchMethod
| extend EstimatedMonthlyCost = case(
patchMethod == "Azure-Update-Manager", VMCount * 5,
patchMethod == "Satellite", VMCount * 100,
patchMethod == "SCCM", 0,
patchMethod == "Intune", VMCount * 10,
0
)
| order by EstimatedMonthlyCost desc
This query would have shown: Satellite costs 2.7x more than Arc for fewer servers!
What We Should Have Done (The $100K Lesson Revisited)
If we'd implemented tagging before the RHEL 6 EOL crisis:
What we would have discovered:
35 actual RHEL 6 servers (Type: Server)
- Application: ERP-System (23 servers) - Finance
- Application: HR-Portal (8 servers) - HR
- Application: Development-Tools (4 servers) - IT
8 RHEL 6-based appliances (Type: Appliance)
- Application: SolarWinds-Monitor (3 appliances)
- Application: Network-Management (5 appliances)
4 RHEL 6 workstations (Type: Desktop)
- Application: Developer-Workstation (4 workstations)
Decision with Application tags - Migration planning:
Wave 1 (Month 1-3): Migrate Development-Tools (4 VMs)
- Lowest risk (development environment)
- Test Arc + Update Manager approach
- Cost: $5/server/month Γ 4 = $20/month
Wave 2 (Month 4-6): Migrate HR-Portal (8 VMs)
- Medium complexity (production, but non-critical)
- Cost: $5/server/month Γ 8 = $40/month
Wave 3 (Month 7-12): Migrate or maintain ERP-System (23 VMs)
- High complexity (critical production)
- Requires vendor validation
- Option A: Migrate to RHEL 8 in Azure ($5/server/month Γ 23 = $115/month)
- Option B: Keep on-prem with Satellite until vendor ready
Total 2-year cost with Application-based migration plan:
- Best case (all migrate to Arc): $4,200 total
- Worst case (ERP stays on Satellite): $31,200 total
- What we actually paid: $118,000
The Application tag enabled migration planning that would have saved $86,800 to $113,800.
Without Application tags, we couldn't create a migration wave strategy. We treated all 47 "servers" the same and bought the expensive solution for all of them.
Getting Started - Your Tagging Implementation Plan
Week 1-2: Inventory & Technical Discovery
Week 3-4: TYPE Classification
Week 5-6: Ownership Discovery
Week 7-8: Application Mapping
Week 9-10: Tagging Implementation
Week 11-12: Validation & Reporting
The Bottom Line
Resource tags are not optional metadata.
They're the organizational structure that makes Azure's "one pane of glass" actually work.
Without tags (especially TYPE):
- Azure shows everything with no context (1,791 VMs)
- Can't tell servers from desktops from appliances
- Can't delegate responsibility
- Can't allocate costs accurately
- Can't filter Update Manager properly
- Teams buy duplicate expensive tools ($100K+ waste)
- Every decision requires manual investigation and meetings
With proper tags:
- Clear filtering (348 servers, 44 desktops, 46 appliances - each managed correctly)
- Type-appropriate tool selection
- Accurate cost allocation
- Migration planning capability
- No $100K mistakes
- Instant answers via queries
The tagging work takes 8-12 weeks.
It's manual work. There's no magic button.
But the benefits last forever.
The first duplicate tool purchase you avoid pays for the tagging project 20x over.
Start with TYPE. Everything else follows from there.
Next in this series: "Azure Policy for On-Premises: How to Maintain Your Tagging Investment (So It Doesn't Decay Back to Chaos)"