{ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "policyName": { "type": "string", "metadata": { "description": "Provide a name for the policy definition." } }, "policyDescription": { "type": "string", "metadata": { "description": "Provide a description for the policy." } }, "tagName": { "type": "string" } }, "resources": [ { "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2019-09-01", "name": "[parameters('policyName')]", "properties": { "description": "[parameters('policyDescription')]", "displayName": "[parameters('policyName')]", "mode": "All", "policyRule": { "if": { "allOf": [ { "field": "[concat('tags[', parameters('tagName'), ']')]", "notEquals": "[subscription().tags[parameters('tagName')]]" }, { "value": "[subscription().tags[parameters('tagName')]]", "notEquals": "" } ] }, "then": { "effect": "modify", "details": { "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "operations": [ { "operation": "addOrReplace", "field": "[concat('tags[', parameters('tagName'), ']')]", "value": "[subscription().tags[parameters('tagName')]]" } ] } } } } } ] }