Accelerate resource tagging with PowerShell — Microsoft Azure Tag Report

Once, I prepared this script to quickly tag many resources deployed on the Microsoft Azure platform. There are many ways to do it quickly and easily, but I tried to make a universal solution that is easy and safe to use. Therefore, I decided to make one script that generates all resources to a CSV file. And the second script based on the CSV file will pull resource data from it and overwrite it on the platform.

The scripts are available on GitHub:

Description of the scripts:

  • GetAllTags.ps1 — generates two CSV files. One file for Resource Group and one file for Resources. This is important because we have separate groups and we can tag groups differently from resources without looking for resource types.
  • SetTagsResourceGroups.ps1 — a script that takes data from a CSV file where there is a Resource Group inventory with tags to be deployed.
  • SetTagsResources.ps1 — a script that retrieves data from a CSV file where we have saved resources with tags for implementation.

This division gives us:

  1. Saving the current state of tags saved to a CSV file. This is a tag report, i.e. the current status of the tags implemented.
  2. The division into groups and resources.
  3. Ability to fix tags only on resources or only on resource groups.

How do scripts work?


  1. The file is saved automatically to the location where we execute the script or we can use the -path option where the files are to be saved.
  2. The file name includes the date, if the file exists it will be overwritten.
  3. The script checks if you are logged in to Azure. When executing the script, you can specify the -tenantId parameter to make sure that you are logging into the appropriate Azure Directory and -subId for selecting the correct subscription.

SetTagsResourceGroups and SetTagsResources

  1. Data from files is imported automatically based on the naming convention of the previously generated file. The script imports the latest CSV file in the specified directory. There is a path specified via the -path parameter.
  2. Tags should be separated by commas.
  3. The tags saved in the CSV file work as “Key: Value” pairs in separate columns.
  4. The script gets all the items from the CSV file. The script then removes the tags in Microsoft Azure then entered them from the CSV file.
  5. If you do not want to move a given resource, just remove it from the CSV file.
  6. The script runs in parallel mode, which allows you to make changes faster. The throttle for writing tags is 5, keep in mind this is the optimal value.
  7. The script checks if you are logged in to Azure. You can specify the -tenantId parameter when executing a script.
  8. If you want to clear tags on resources, just leave an empty cell or enter “empty”.
  9. We can test the introduction of tags by entering only the resource that we want to change in the CSV file. The rest of the resources will not be considered when implementing tags.

Below is an example of how it works on my subscription.

Running the script:

  • GetAllTags.ps1

Command: ./GetAllTags.ps1 -path /tags

On the print screen, you can see the output with the information generated by the script. It is:

  • Are you logged in, if not then it will ask you to log in.
  • The number of resource groups and resources found.
  • Information where and what files are created.
  • Resource List.

The CSV files look like this:

  • Resource Group
  • Resources

Below I will present the tag editing for a resource file.

Attention! If you want to keep a copy of the current state, protect the generated file or rename it to a completely different one.

The corrected file looks like this. Note that I have filled in the tags for all objects and added a new tag: Test: Key to show what assigning multiple tags looks like.

The script output with the changes made:

Command: ./SetTagsResources.ps1 -path /tags

The effect of changes in the Azure Portal:

You can customize the script to suit your purpose so that it runs on multiple subscriptions, for example. There are many customization options for this script that I have intentionally left out. The scripts work modularly, so they can be easily used with another script, and the rest will be prepared and implemented based on the input data from the file.

Article available in Polish:

Follow Piotr Rogala in Medium!

Get in Touch.

Let’s discuss how we can help with your cloud journey. Our experts are standing by to talk about your migration, modernisation, development and skills challenges.

    Passwordless ARM templates using Azure Key Vault

    We at Nordcloud implement ARM templates on the Microsoft Azure platform regularly. In parameters, we sometimes operate with confidential data and store them in private repositories such as Azure DevOps Repos, Github or others. To maintain security at a high level, we should use solutions adapted to storing passwords (secrets).

    Below I will describe how we can implement a sample Azure Key Vault to store passwords and implement a virtual machine that will use the Azure Key Vault password during deployment.

    Required for this task

    1. ARM template Azure Key Vault:
      1. Link:
    2. ARM template virtual machine:
      1. Link:


    1. Powershell Core with Az module or Azure CLI
      1. PowerShell Core:
      2. Az Module:
      3. Azure CLI:

    If you’ve never deployed a code before, you can check how to do it on this page:

    Let’s get started!

    First, we create a resource group for Azure Key Vault with the command:

    New-AzResourceGroup -Name my-test-keyvault -Location westeurope

    Then we deploy Azure Key Vault from a ready template using the command:

    New-AzResourceGroupDeployment -ResourceGroupName 'my-test-keyvault' -TemplateUri '' -keyVaultName myTestKeyVaultNC -objectId 'YOUR-OBJECT-ID' -secretName 'secret1' -secretValue $(ConvertTo-SecureString ‘PASSWORD' -AsPlainText -Force) -enabledForDeployment $true


    • objectID – that is the user ID or SPN object that is to access this password from Azure Key Vault
    • enabledForTemplateDeployment – with the setting true because it allows us to retrieve the password during deployment
    • secretsPermissions – this will allow us to get and list the password
    • secretValue – in the password field, enter the password you want to enter in the Key Vault. Here you can also use a password generator to automatically send you a generated password that nobody knows

    Screen from Azure Key Vault – secrets:

    Screen from Azure Key Vault – Access policy:

    We start deploying a virtual machine by creating a new resource group:

    New-AzResourceGroup -Name my-test-vm -Location westeurope

    Then we need to create our own parameter file on the disk to refer to Azure Key Vault. Save the parameters file locally:

    Then change the values to as below:

      "$schema": "",
      "contentVersion": "",
      "parameters": {
        "adminUsername": {
          "value": "USRE-NAME"
        "adminPasswordOrKey": {
          "reference": {
              "keyVault": {
              "id": "/subscriptions/ID-SUBSCRIPTION/resourceGroups/my-test-keyvault/providers/Microsoft.KeyVault/vaults/myTestKeyVaultNC"
              "secretName": "secret1"
        "dnsLabelPrefix": {
          "value": "UNIQ-DNS-NAME"

    If you don’t know what your Key Vault Resource ID is, use the command:

    (Get-AzKeyVault -ResourceGroupName my-test-keyvault -VaultName myTestKeyVaultNC).ResourceId

    To run deployment with reference to Azure Key Vault, execute the command:

    New-AzResourceGroupDeployment -ResourceGroupName 'my-test-vm' -TemplateUri '' -TemplateParameterFile/azuredeploy.parameters.json


    We implemented the Azure Key Vault template with a password and additional access for your user ID. You then used the reference to Azure Key Vault in the parameters file to implement the password from the Key Vault for the virtual machine deployment.

    It is a solution for password management during deployments and for designing confidential data of choice for selected users. The above solution can be implemented using Azure DevOps and fully automated to keep all confidential parameters and have up-to-date data retrieved from Azure Key Vault during the implementation.

    If you liked the post, share it!

    Read more cloud blog texts on our Community & Culture pages.

    We at Nordcloud are constantly hiring Azure experts – check the open positions here, apply and join our learning community!

    Get in Touch.

    Let’s discuss how we can help with your cloud journey. Our experts are standing by to talk about your migration, modernisation, development and skills challenges.