
Mandatory Resource Tagging


Risk Level: Medium (should be achieved)
Rule ID: MachineLearning-012

Ensure that user-defined tags are being used for labeling, collecting, and organizing Machine Learning compute instances within your Microsoft Azure account. User-defined tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple cloud resources. TrendAI Vision One™ Cloud Risk Management recommends the following tagging schema to help you identify and manage your Machine Learning compute instances:

  • Name: used to identify individual cloud resources.
  • Role: used to describe the function of a specific resource (e.g., web tier, app tier, and database tier).
  • Environment: used to distinguish between different stages (e.g., development, staging, and production).
  • Owner: used to identify the person responsible for the cloud resource.

As your Microsoft Azure cloud environment becomes more complex, it requires better management strategies. Using a tagging schema can help you gain more visibility across your Azure cloud resources and organize them more efficiently. You can use tags for different scenarios such as tracking resource owners and their stack level, identifying which resources are incurring the highest costs, and filtering available resources based on a particular deployment stage. While not directly a security control, proper tagging supports security governance by enabling resource identification, ownership tracking, and policy enforcement across Azure Machine Learning deployments.


Audit

To determine if your Azure Machine Learning compute instances are using the mandatory tagging schema, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to the All resources blade, available at https://portal.azure.com/#browse/all, to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Machine Learning workspace for Value, then choose Apply to list the Azure Machine Learning workspaces available in the selected subscription.

  5. Click on the name (link) of the Machine Learning workspace that you want to examine.

  6. In the resource navigation panel, select Overview, and choose Launch studio to open the Azure Machine Learning Studio.

  7. In the left navigation panel, under Manage, choose Compute, and select the Compute instances tab to list the compute instances provisioned for the selected Azure Machine Learning workspace.

  8. Click on the name (link) of the compute instance that you want to examine.

  9. Select the Details tab and check the Tags section to view the tag set(s) created for the selected instance. The tag sets have the following format: <Name> : <Value>.

  10. In the Tags section, search for the following combination of tag names (tag names are case insensitive): Name, Role, Environment, and Owner. If the verified resource does not have the same exact combination of tag names, the selected Azure Machine Learning compute instance is not using the mandatory tagging schema.

Using Azure CLI

  1. Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list \
      --query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
    	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
    	"abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

    az account set \
      --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Run the ml workspace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription:

    az ml workspace list \
      --output table \
      --query '[*].{name:name, resourceGroup:resourceGroup}'
    
  5. The command output should return the requested Azure Machine Learning workspace identifiers:

    Name                           ResourceGroup
    ------------------------       ------------------------------
    tm-ml-project5-workspace       cloud-shell-storage-westeurope
    tm-ml-production-workspace     cloud-shell-storage-westeurope
    
  6. Run the ml compute list command (Windows/macOS/Linux) with custom output filters to list the name of each compute instance provisioned for the selected Azure Machine Learning workspace:

    az ml compute list \
      --resource-group cloud-shell-storage-westeurope \
      --workspace-name tm-ml-project5-workspace \
      --output table \
      --query "[].{Name:name}"
    
  7. The command output should return the requested compute instance identifiers (names):

    Name
    ----------------------
    project5-ml-instance01
    project5-ml-instance02
    project5-ml-instance03
    
  8. Run the ml compute show command (Windows/macOS/Linux) with the name of the Azure Machine Learning compute instance that you want to examine as the identifier parameter, to describe the tag set(s) created for the selected compute instance:

    az ml compute show \
      --name project5-ml-instance01 \
      --workspace-name tm-ml-project5-workspace \
      --resource-group cloud-shell-storage-westeurope \
      --output table \
      --query "tags"
    
  9. The command output should return a table with the requested tagging information:

    Project     Type
    ----------  -----------
    project5    unmanaged
    

    Check the first row of the table returned by the ml compute show command output for the following combination of tag names (tag names are case insensitive): Name, Role, Environment, and Owner. If the verified resource does not have the same exact combination of tag names, the selected Azure Machine Learning compute instance is not using the mandatory tagging schema.
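
The CLI audit above checks one instance at a time. As an added example (not part of the original page or the vendor's tooling), this Python script applies the same case-insensitive tag-name check to every entry in the JSON returned by `az ml compute list --output json`; the sample data is constructed and the function and file names are hypothetical.

```python
import json
import sys

# Mandatory tag names from the schema above; compared case-insensitively.
REQUIRED_TAGS = ("Name", "Role", "Environment", "Owner")

# Constructed sample shaped like `az ml compute list --output json`,
# reduced to the two fields the audit needs (name, tags).
SAMPLE_JSON = """
[
  {"name": "project5-ml-instance01",
   "tags": {"Project": "project5", "Type": "unmanaged"}},
  {"name": "project5-ml-instance02",
   "tags": {"name": "project5-ml-app-instance", "ROLE": "compute-target-instance",
            "Environment": "production", "owner": "data-science-team"}},
  {"name": "project5-ml-instance03", "tags": null}
]
"""


def missing_tags(tags):
    """Return the required tag names absent from one resource's tag map."""
    # A resource with no tags at all may report null instead of {}.
    present = {key.strip().lower() for key in (tags or {})}
    return [t for t in REQUIRED_TAGS if t.lower() not in present]


def audit(compute_list_json):
    """Map each non-compliant compute name to its missing tag names."""
    findings = {}
    for item in json.loads(compute_list_json):
        missing = missing_tags(item.get("tags"))
        if missing:
            findings[item["name"]] = missing
    return findings


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no piped input to use the sample.
    data = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    findings = audit(data)
    for name, missing in findings.items():
        print(f"{name}: missing {', '.join(missing)}")
    sys.exit(1 if findings else 0)
```

Saved as `audit_tags.py` (a hypothetical file name), it can read the output of step 6 run with `--output json` and no `--query` filter; the exit code is 1 when any instance lacks a mandatory tag, which makes it usable as a pipeline gate.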

Remediation / Resolution

To implement the mandatory tagging schema for your Azure Machine Learning compute instances, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to the All resources blade, available at https://portal.azure.com/#browse/all, to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Machine Learning workspace for Value, then choose Apply to list the Azure Machine Learning workspaces available in the selected subscription.

  5. Click on the name (link) of the Machine Learning workspace that you want to access.

  6. In the resource navigation panel, select Overview, and choose Launch studio to open the Azure Machine Learning Studio.

  7. In the left navigation panel, under Manage, choose Compute, and select the Compute instances tab to list the compute instances provisioned for the selected Azure Machine Learning workspace.

  8. Click on the name (link) of the compute instance that you want to configure.

  9. Select the Details tab and click on the Edit tags button (pencil icon) available in the Tags section to create the mandatory tag sets for the selected compute instance.

  10. On the Edit tags panel, use the Name and Value text fields to create the following tagging schema (tag names are case insensitive, tag values are case sensitive):

    1. For tag names use Name, Role, Environment, and Owner.
    2. For tag values use your own metadata as specified below:
      1. The Name tag value can be used to identify individual cloud resources (e.g., project5-ml-app-instance).
      2. The Role tag value can be used to describe the function of a specific resource (e.g., compute-target-instance).
      3. The Environment tag value can be used to distinguish between different stages (e.g., production).
      4. The Owner tag value can be used to identify the person responsible for the cloud resource (e.g., data-science-team).
    3. Choose Add to add the mandatory tag sets to the selected compute instance.
    4. Choose Save to apply the changes.

Using Azure CLI

  1. Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list \
      --query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
    	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
    	"abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to access as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

    az account set \
      --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Run the ml workspace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription:

    az ml workspace list \
      --output table \
      --query '[*].{name:name, resourceGroup:resourceGroup}'
    
  5. The command output should return the requested Azure Machine Learning workspace identifiers:

    Name                           ResourceGroup
    ------------------------       ------------------------------
    tm-ml-project5-workspace       cloud-shell-storage-westeurope
    tm-ml-production-workspace     cloud-shell-storage-westeurope
    
  6. Run the ml compute list command (Windows/macOS/Linux) with custom output filters to list the name of each compute instance provisioned for the selected Azure Machine Learning workspace:

    az ml compute list \
      --resource-group cloud-shell-storage-westeurope \
      --workspace-name tm-ml-project5-workspace \
      --output table \
      --query "[].{Name:name}"
    
  7. The command output should return the requested compute instance identifiers (names):

    Name
    ----------------------
    project5-ml-instance01
    project5-ml-instance02
    project5-ml-instance03
    
  8. Run the ml compute update command (Windows/macOS/Linux) with the name of the Azure Machine Learning compute instance that you want to configure as the identifier parameter, to tag the selected compute instance using the mandatory tagging schema. Replace the tag values within the --tags parameter with your own metadata:

    az ml compute update \
      --name project5-ml-instance01 \
      --workspace-name tm-ml-project5-workspace \
      --resource-group cloud-shell-storage-westeurope \
      --tags name=project5-ml-app-instance role=compute-target-instance environment=production owner=data-science-team \
      --output table \
      --query "tags"
    
  9. The command output should return all the tag sets assigned to the selected Machine Learning compute instance:

    Name                      Role                     Environment  Owner              Project   Type
    ------------------------  -----------------------  -----------  -----------------  --------  ---------
    project5-ml-app-instance  compute-target-instance  production   data-science-team  Project5  Unmanaged
    

Publication date Oct 13, 2025