In this task, you will create and assign a tag to an Azure resource group via the Azure portal.
1. In the Azure portal, start a **PowerShell** session within the **Cloud Shell**.
>**Note**: If this is the first time you are starting **Cloud Shell** and you are presented with the **You have no storage mounted** message, select the subscription you are using in this lab, and click **Create storage**.
1. From the Cloud Shell pane, run the following to identify the name of the storage account used by Cloud Shell:
1. In the output of the command, note the first part of the fully qualified path designating the Cloud Shell home drive mount (marked here as `xxxxxxxxxxxxxx`:
1. In the Azure portal, search and select **Storage accounts** and, in the list of the storage accounts, click the entry representing the storage account you identified in the previous step.
1. On the storage account blade, click the link representing the name of the resource group containing the storage account.
1. Navigate back to the storage account blade. Review the **Overview** information and note that the new tag was not automatically assigned to the storage account.
1. In the Azure portal, search for and select **Policy**.
1. In the **Authoring** section, click **Definitions**. Take a moment to browse through the list of built-in policy definitions that are available for you to use. List all built-in policies that involve the use of tags by selecting the **Tags** entry (and de-selecting all other entries) in the **Category** drop-down list.
1. Specify the **Scope** by clicking the ellipsis button and selecting the following values:
| Setting | Value |
| --- | --- |
| Subscription | the name of the Azure subscription you are using in this lab |
| Resource Group | the name of the resource group containing the Cloud Shell account you identified in the previous task |
>**Note**: A scope determines the resources or resource groups where the policy assignment takes effect. You could assign policies on the management group, subscription, or resource group level. You also have the option of specifying exclusions, such as individual subscriptions, resource groups, or resources (depending on the assignment scope).
1. Configure the **Basics** properties of the assignment by specifying the following settings (leave others with their defaults):
| Setting | Value |
| --- | --- |
| Assignment name | **Require Role tag with Infra value**|
| Description | **Require Role tag with Infra value for all resources in the Cloud Shell resource group**|
| Policy enforcement | Enabled |
>**Note**: The **Assignment name** is automatically populated with the policy name you selected, but you can change it. You can also add an optional **Description**. **Assigned by** is automatically populated based on the user name creating the assignment.
1. Click **Next** and set **Parameters** to the following values:
| Setting | Value |
| --- | --- |
| Tag Name | **Role** |
| Tag Value | **Infra** |
1. Click **Next** and review the **Remediation** tab. Leave the **Create a Managed Identity** checkbox unchecked.
>**Note**: This setting can be used when the policy or initiative includes the **deployIfNotExists** or **Modify** effect.
1. Click **Review + Create** and then click **Create**.
>**Note**: Now you will verify that the new policy assignment is in effect by attempting to create another Azure Storage account in the resource group without explicitly adding the required tag.
1. Navigate back to the blade of the resource group hosting the storage account used for the Cloud Shell home drive, which you identified in the previous task.
1. On the **Basics** tab of the **Create storage account** blade, verify that you are using the Resource Group that the Policy was applied to and specify the following settings (leave others with their defaults), click **Review + create** and then click **Create**:
1. Once you create the deployment, you should see the **Deployment failed** message in the **Notifications** list of the portal. From the **Notifications** list, navigate to the deployment overview and click the **Deployment failed. Click here for details** message to identify the reason for the failure.
>**Note**: By clicking the **Raw Error** tab, you can find more details about the error, including the name of the role definition **Require Role tag with Infra value**. The deployment failed because the storage account you attempted to create did not have a tag named **Role** with its value set to **Infra**.
1. In the list of assignments, click the ellipsis icon in the row representing the **Require Role tag with Infra value** policy assignment and use the **Delete assignment** menu item to delete the assignment.
| Subscription | the name of the Azure subscription you are using in this lab |
| Resource Group | the name of the resource group containing the Cloud Shell account you identified in the first task |
1. To specify the **Policy definition**, click the ellipsis button and then search for and select **Inherit a tag from the resource group if missing**.
1. Configure the remaining **Basics** properties of the assignment by specifying the following settings (leave others with their defaults):
| Setting | Value |
| --- | --- |
| Assignment name | **Inherit the Role tag and its Infra value from the Cloud Shell resource group if missing**|
| Description | **Inherit the Role tag and its Infra value from the Cloud Shell resource group if missing**|
| Policy enforcement | Enabled |
1. Click **Next** and set **Parameters** to the following values:
| Setting | Value |
| --- | --- |
| Tag Name | **Role** |
1. Click **Next** and, on the **Remediation** tab, configure the following settings (leave others with their defaults):
>**Note**: This policy definition includes the **Modify** effect.
1. Click **Review + Create** and then click **Create**.
>**Note**: To verify that the new policy assignment is in effect, you will create another Azure Storage account in the same resource group without explicitly adding the required tag.
1. Navigate back to the blade of the resource group hosting the storage account used for the Cloud Shell home drive, which you identified in the first task.
1. On the **Basics** tab of the **Create storage account** blade, verify that you are using the Resource Group that the Policy was applied to and specify the following settings (leave others with their defaults) and click **Review + create**:
1. Verify that this time the validation passed and click **Create**.
1. Once the new storage account is provisioned, click **Go to resource** button and, on the **Overview** blade of the newly created storage account, note that the tag **Role** with the value **Infra** has been automatically assigned to the resource.
>**Note**: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges, although keep in mind that Azure policies do not incur extra cost.
>**Note**: Don't worry if the lab resources cannot be immediately removed. Sometimes resources have dependencies and take a longer time to delete. It is a common Administrator task to monitor resource usage, so just periodically review your resources in the Portal to see how the cleanup is going.
1. In the portal, search for and select **Policy**.
1. In the **Authoring** section, click **Assignments**, click the ellipsis icon to the right of the assignment you created in the previous task and click **Delete assignment**.
1. In the portal, search for and select **Storage accounts**.
1. In the list of storage accounts, select the resource group corresponding to the storage account you created in the last task of this lab. Select **Tags** and click **Delete** (Trash can to the right) to the **Role:Infra** tag and press **Apply**.
1. Click **Overview** and click **Delete** on the top of the storage account blade. When prompted for the confirmation, in the **Delete storage account** blade, type the name of the storage account to confirm and click **Delete**.
