Azure DNS Zone tags issue

Question

I am trying to setup following tags in Azure DNS zone by portal and by Azure PowerShell, the results got success, but the value not set. Have any one came across this issue?

• Name : ms:resource:usage
• Value : Azure-cloudshell

Tried with following Az PowerShell command

$tags=@{"ms:resource:usage"="CloudShell"}
New-AzTag -ResourceId /subscriptions/***/resourceGroups/RGNAME/providers/Microsoft.Network/dnszones/dnszone.com -Tag $tags

Json Request

"submissionTimestamp": "*******",
"subscriptionId": "******",
"tenantId": "****",
"properties": {
    "requestbody": "{\"tags\":{\"ms:resource:usage\":\"CloudShell\"}}",
    "eventCategory": "Administrative",
    "entity": "/subscriptions/******/resourceGroups/*****/providers/Microsoft.Network/dnszones/dnszone.com.com",
    "message": "Microsoft.Network/dnszones/write",

Json Response

 "submissionTimestamp": "*******",
"subscriptionId": "*******",
"tenantId": "*******",
"properties": {
    "statusCode": "OK",
    "serviceRequestId": "*******",
    "responseBody": "{\"id\":\"/subscriptions/***/resourceGroups/***/providers/Microsoft.Network/dnszones/dnsZone.com\",\"name\":\"dnsZone.com\",\"type\":\"Microsoft.Network/dnszones\",\"etag\":\"00000019-0000-0000-d1ab-7b0bbcfbd601\",\"location\":\"global\",\"tags\":{},\"properties\":{\"maxNumberOfRecordSets\":10000,\"maxNumberOfRecordsPerRecordSet\":null,\"nameServers\":[\"ns1-07.azure-dns.com.\",\"ns2-07.azure-dns.net.\",\"ns3-07.azure-dns.org.\",\"ns4-07.azure-dns.info.\"],\"numberOfRecordSets\":2,\"serveRecordsBelowDelegation\":null,\"zoneType\":\"Public\"}}",
    "eventCategory": "Administrative"

Answer 1

As per Microsoft, the fix will not be released in the first half of this year. Suggestion not to use ":" in the tag names. Sharing reply from the Microsoft

Troubleshooting we’ve done:

1. Our engineer tried to reproduce the issue in their environment and got the same problem. It does appears to NOT working either with the values “ms:resource:usage”.
2. The issue looks to be with the “:” for the Azure DNS zones configuration. For the logs that we have access to, it simply just ignores the tag with “:”. It did not throw any errors or warnings at all. We understand that the documentation does not include that at this time, and “:” seems to be working for other resources such as resource groups, and Azure SQL, but the page also includes other exceptions such as the space in the naming specific to Azure DNS zones and traffic managers.
3. We followed up with the product team to discuss this problem.

Root Cause: It is not supported to add Tag value within ":" for DNS zone.

Suggestions: Due to the fix process on product side involves some issues and will not be released in the first half of this year. Current suggestion is to not use ":" in the tag names. Our product team will also put this limitation in the official document. Sincerely apologies for any inconvenience cause at this moment.

Answer 2

I have raised Microsoft support request regarding this issue, They can repro. Microsoft will be updating this in the tag limitation document link. The fix will be released in the second half of 2021

Answer 3

Interestingly, I was able to reproduce this issue while applying tags to a DNS Zone resource, but not on other resource types like a Public IP resource.

Also, applying the tag without a : in the tag name passes through:

$tags=@{"usage"="CloudShell"}
New-AzTag -ResourceId /subscriptions/***/resourceGroups/***/providers/Microsoft.Network/dnszones/*** -Tag $tags

This certainly seems like a bug so I've opened an issue with the Azure PowerShell Engineering Team here: https://github.com/Azure/azure-powershell/issues/14159

Meanwhile, you can use the following workaround:

New-AzTag -Tag @{Name="ms:resource:usage";Value="Azure-cloudshell"} -ResourceId <resource-id>

Reference: New-AzTag