How do you policy enforce integer number of tag value in Azure


I have an Azure policy which refuses to evaluate the expression below with the error below. I assume the problem is that when you provide tag values in the portal they are passed as a string to ARM even though an integer value is intended. Trying to figure out how I enforce an integer value for a tag as a result.

{
 "field": "tags['Longevity']",
 "less": 1
}

Error

"The policy assignment 'd9c1d0b06de841559a1cbafe' associated with the policy definition 'dee67dc2-7393-4c02-916f-92511146c970' could not be evaluated. 
A 'less' or 'lessOrEquals' or 'greater' or 'greaterOrEquals' expression expects operands of same type for comparison. The supported types are string, integer, float, ISO 8601 datetime. Please either fix the 
policy or remove the policy assignment to unblock. See https://aka.ms/policy-conditions for usage details."



There are 2 best solutions below


Microsoft support provided an answer. The answer is below and works as expected. It looks like you have to use the concat() function to escape the complaint about square brackets inside square brackets.

{
 "value": "[int(field(concat('tags[', 'Longevity', ']')))]",
 "less": 0
},

I was also able to reproduce the error by providing the format below (i.e., "less": 1) in the policy.

"field": "[concat('tags[', parameters('tagName'), ']')]",
"less": 1


I see that the underlying system type of tags is "System.Collections.Generic.Dictionary`2+ValueCollection[System.String,System.String]", so yes, your assumption is correct, i.e., when you provide tag values in the portal they are passed as strings to ARM even though an integer value is intended.

I have tried the policy below to enforce an integer (as a string) for a tag value and I believe that it kind of worked (for positive numbers only), because if I provided

  • "1" in line 26 of below policy and then if I try to create a resource (say Azure VM) then Validation passed if tag value provided is 0 and Validation failed in all other cases.
  • "2" in line 26 of below policy and then if I try to create a resource (say Azure VM) then Validation passed if tag value provided is between -1 and 1 and Validation failed in all other cases.
  • ...
  • ...
  • ...

So I believe that even though the underlying system type of tags is String, a numeric string comparison is being done in the backend if we provide "less" as the condition.

{
  "properties": {
    "displayName": "Require a tag and its value on resources Test",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.1",
      "createdBy": "xxxxxxxxxxxxxxxxxxxxxxx",
      "createdOn": "2020-10-22T07:58:29.0108355Z",
      "updatedBy": "xxxxxxxxxxxxxxxxxxxxxxx",
      "updatedOn": "2020-10-22T10:45:42.4517009Z"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "less": "1"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/xxxxxxxxxxxxxxxxxxxxxxx",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "xxxxxxxxxxxxxxxxxxxxxxx"
}

However, if interested, you may raise a feature request in this UserVoice or feedback forum to allow non-string tag values.
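As an added example that is not part of either answer, here is a small Python linter for catching this mismatch before a policy is assigned. It walks a policy definition's "if" tree (through not/allOf/anyOf), flags any less/lessOrEquals/greater/greaterOrEquals whose "field" is a tag (tag values are always strings, as the second answer shows) but whose operand is a numeric literal, and proposes the "value": "[int(field(concat(...)))]" form from the first answer. The function names, the sample policy and its constructed Longevity condition are assumptions made for this example, not anything Azure Policy ships.

```python
import json
import re

# Operators that, per the evaluation error quoted in the question, require both
# operands to have the same type (string, integer, float or ISO 8601 datetime).
ORDERED_OPERATORS = ("less", "lessOrEquals", "greater", "greaterOrEquals")

# Matches a literal tag field reference such as tags['Longevity'].
TAG_FIELD_RE = re.compile(r"^tags\['([^']+)'\]$")


def references_tag(field):
    """True when a 'field' alias points at a tag; tag values arrive as strings."""
    f = field.strip()
    return f.startswith("tags[") or f.startswith("tags.") or "'tags[" in f


def int_tag_value_expression(field):
    """Rewrite a tag field reference as a 'value' expression that casts to int.

    tags['Longevity'] becomes "[int(field(concat('tags[', 'Longevity', ']')))]"
    (the concat() form from the first answer); a field that is already a
    template expression such as "[concat(...)]" is wrapped as it is.
    """
    f = field.strip()
    m = TAG_FIELD_RE.match(f)
    if m:
        return f"[int(field(concat('tags[', '{m.group(1)}', ']')))]"
    if f.startswith("[") and f.endswith("]"):
        return f"[int(field({f[1:-1]}))]"
    return f"[int(field('{f}'))]"


def lint_condition(cond, path="policyRule.if"):
    """Walk a policy 'if' tree and report ordered comparisons that mix a string
    tag field with a numeric literal; returns a list of finding dicts."""
    findings = []
    if "not" in cond:
        findings += lint_condition(cond["not"], path + ".not")
    for combinator in ("allOf", "anyOf"):
        for i, sub in enumerate(cond.get(combinator, [])):
            findings += lint_condition(sub, f"{path}.{combinator}[{i}]")
    for op in ORDERED_OPERATORS:
        if op not in cond or "field" not in cond:
            continue
        operand = cond[op]
        numeric = isinstance(operand, (int, float)) and not isinstance(operand, bool)
        if references_tag(cond["field"]) and numeric:
            # Suggested rewrite: same operator and operand, tag cast to int via 'value'.
            fixed = dict(cond)
            del fixed["field"]
            fixed["value"] = int_tag_value_expression(cond["field"])
            findings.append({
                "path": path,
                "operator": op,
                "field": cond["field"],
                "operand": operand,
                "suggested": fixed,
            })
    return findings


def lint_policy(definition):
    """Lint a full policy definition (with or without the 'properties' wrapper)."""
    props = definition.get("properties", definition)
    return lint_condition(props["policyRule"]["if"])


# Constructed sample: the condition from the question, nested under 'not' as in
# the second answer's policy, so the deny fires when the tag is not less than 1.
SAMPLE_POLICY = {
    "properties": {
        "mode": "Indexed",
        "policyRule": {
            "if": {"not": {"field": "tags['Longevity']", "less": 1}},
            "then": {"effect": "deny"},
        },
    }
}

if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"{f['path']}: '{f['operator']}' compares string tag {f['field']} "
              f"with numeric {f['operand']!r}; use instead:")
        print(json.dumps(f["suggested"], indent=2))
```

Running the script on the sample reports the one offending leaf and prints the replacement condition with the int(field(concat(...))) expression; a condition that already uses a string operand such as "less": "1", or a numeric comparison on a non-tag field, produces no finding.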