First of all, please forgive me if this post is in the wrong forum, this seemed like the best match for Azure policy.
Background: My company has implemented a VM tagging requirement. All new and existing virtual machines must be tagged with certain tags in the Name field, "Department" and "Technical Contact" for example.
Solution: I created an Azure policy initiative with multiple "Require specified tag" definitions (one definition per required tag name). Verified this policy works as expected, existing machines without those tags are non-compliant, likewise new VM's
can not be created without those tags.
A new problem has presented itself however. My company also has a requirement to deploy the Network Watcher extension with all new VMs. Unfortunately the extension cannot be deployed with the aforementioned policy in place as the extensions would not have the necessary tags. I'm stuck at this point as I do not see a way to apply tags to extensions nor can I find a way to automatically deploy the Network Watcher extension after VM creation (preferred method).
Another acceptable solution would be to limit the scope of the policy definition to VMs only, excluding all other resources/items created when a VM is created.