The Azure invoice arrives on a Friday. $12,000 over budget. You spend the weekend clicking through the Cost Management portal, filter by resource group, filter by service, filter by tag — except half the resources have no tags at all. By Monday you have a spreadsheet, a list of suspects, and a standing meeting that nobody wanted.
“Unlimited scalability” is a great line for a sales deck. It is a liability for anyone who has to explain a bill. The problem is never the scale; it’s that nothing stopped an untagged VM from spinning up at $2/hour and running for six weeks while three teams each assumed someone else owned it.
In your landing zone, cost governance cannot be reactive. If a resource lacks a required tag, ARM should reject the deployment. If a subscription approaches its budget ceiling, your team should know before it crosses, not after. Here’s how to wire up those controls using Azure Verified Modules (AVM) — proactive enforcement and automated anomaly detection, not a spreadsheet you update quarterly.
1. Tagging Enforcement: The Foundation of Accountability
Every FinOps capability — chargeback, showback, and anomaly detection — depends on tags. A resource without a CostCenter tag cannot be mapped to a business unit. That untagged VM from Friday’s invoice? That’s what “no tag” looks like at scale.
Why Tags Drive FinOps
A practical enterprise tagging schema uses 3–5 mandatory keys:
CostCenter: Maps resource to a billing entity.Environment: Separates cost by lifecycle stage.Owner: Identifies the accountable team or individual.
Azure Cost Management and the FOCUS v1.3 export format all treat these tags as first-class dimensions.
Proactive Tagging with Deny Policies
A Deny policy evaluates the tags property of an ARM request before the resource is created. ARM will return a 403 Forbidden if the mandatory tag is missing.
Pro Tip: Use mode: 'Indexed' in your definition to ensure the policy skips resources that do not support tags (like NICs or managed identities), preventing “Mystery Block” errors during complex deployments.
2. Automating Tag Inheritance
Your application teams will create child resources — OS disks, diagnostic settings, network interfaces — and those resources will not inherit tags from their parent Resource Group. That’s not a mistake; that’s just how ARM works. A Modify policy closes the gap by automatically copying specified tags from the Resource Group down to every resource created within it.
Tag Inheritance Policy Flow (Modify Effect)
3. Automated Budgeting and Alerts
Every subscription created through the vending process (Article 5) should get a default budget at birth — before any workload lands in it. A $500/month starting budget with notifications at 50%, 80%, 100%, and 110% gives your team escalating signals before spend becomes a Friday problem.
Forecasted vs. Actual Alerts
An Actual alert fires when you have already spent the budget — that’s the financial equivalent of a check engine light after the engine seized. A Forecasted alert fires when the projected month-end cost will exceed the threshold, giving you days to act rather than hours. Make the 80% Forecasted alert your primary operational trigger.
Budget Alert Escalation Path
4. Cost Anomaly Detection
Budget alerts catch predictable overruns. Anomaly detection catches the weird ones — like a developer who accidentally picked Standard_M416ms_v2 instead of Standard_B2s and walked away for the weekend. Azure Cost Management uses deep learning models to distinguish between a legitimate month-end batch spike and an unexpected one. Combined with KQL queries against the Usage table, you can surface “Top Movers” and route them to your platform SREs before the cost compounds.
// KQL: Resource Groups with > $100/day increase
Usage
| where TimeGenerated > ago(7d)
| summarize DailyCost = sum(PreTaxCost) by bin(TimeGenerated, 1d), ResourceGroup
| serialize
| extend PrevDailyCost = prev(DailyCost)
| extend CostChange = DailyCost - PrevDailyCost
| where CostChange > 100
| project Date = TimeGenerated, ResourceGroup, DeltaUSD = round(CostChange, 2)
5. FinOps Visibility with FOCUS v1.3
Standardize your cost exports using the FOCUS v1.3 format. This normalizes Azure cost data into a cloud-agnostic schema, so your finance team can use the same reporting tools across AWS, Azure, and GCP without manually remapping fields every time someone asks for a cross-cloud cost breakdown.
Key Takeaways
- Tags are the Metadata of Cost: Without enforced tags, FinOps is just guesswork.
- Forecast over Actual: Use forecasted alerts to get days of warning instead of hours.
- Vending includes Budgets: A subscription without a budget is invisible until the bill arrives.
- Audit Mode First: Run your tagging policies in Audit mode for 7 days before switching to Deny.
Next Steps:
- Read Day-2 Operations: Maintaining and Evolving Your Azure Landing Zone to learn how to maintain these cost controls using automated drift detection.
- Return to Azure Platform Engineering: The Complete Guide to Building an Enterprise Landing Zone to see how cost governance integrates into the full Landing Zone Blueprint.