I would like to put a tag on a resource group, but not have it be edited/deleted by a user, and allow them to add other tags if necessary. I have tried to create a policy definition like the one below, but users are still able to edit tags:
"policyRule": {
    "if": {
        "allOf": [
            {
                "value": "resourcegroup().tags['my-lock']",
                "equals": "my-lock"
            },
            {
                "field": "type",
                "in": ["Microsoft.Resources/tags", "Microsoft.Resources/subscriptions/resourceGroups"]
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}
Is there a way to prevent users from editing/deleting a tag with a certain key on a resource group?
Why don't you just use the built-in policy "Require a tag and its value on resource groups"?
https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8ce3da23-7156-49e4-b145-24f95f9dcb46
It enforces a required tag and its value on resource groups.
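An added example, not from either post and not Azure Policy's own evaluator: the rule the question asks for, modelled in Python as a pre-check over a resource group's desired tag set (for instance in a deployment pipeline before the PUT is sent). It denies removing or changing the locked key `my-lock`, allows adding other tags, and treats tag names case-insensitively while keeping values case-sensitive, as Azure does. The resource-group state and the update requests are constructed sample data.

```python
"""Model of the locked-tag rule from the question: the tag LOCK_KEY may not
be changed or removed on a resource group, but other tags may be added.
Added pre-check example; this is not Azure Policy's evaluation engine."""
from typing import Dict, Tuple

LOCK_KEY = "my-lock"
LOCK_VALUE = "my-lock"


def _normalize(tags: Dict[str, str]) -> Dict[str, str]:
    # Azure tag names are case-insensitive; tag values are case-sensitive.
    return {k.lower(): v for k, v in tags.items()}


def evaluate_tag_update(current: Dict[str, str],
                        requested: Dict[str, str]) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a full replacement of the tag set.

    'current' is the group's existing tags; 'requested' is the complete tag
    set the caller wants (a PUT on Microsoft.Resources/tags replaces them all).
    """
    cur = _normalize(current)
    req = _normalize(requested)
    key = LOCK_KEY.lower()
    # The rule only applies to groups that carry the lock tag with its value.
    if cur.get(key) != LOCK_VALUE:
        return "allow", "resource group is not locked"
    if key not in req:
        return "deny", f"removal of locked tag '{LOCK_KEY}'"
    if req[key] != LOCK_VALUE:
        return "deny", f"modification of locked tag '{LOCK_KEY}'"
    return "allow", "locked tag unchanged; other tag changes permitted"


# Constructed sample state and update requests (not real Azure data).
CURRENT_TAGS = {"my-lock": "my-lock", "env": "prod"}
SAMPLE_REQUESTS = {
    "add-owner": {"my-lock": "my-lock", "env": "prod", "owner": "team-a"},
    "drop-lock": {"env": "prod"},
    "change-lock": {"my-lock": "unlocked", "env": "prod"},
    "recase-key": {"MY-LOCK": "my-lock", "env": "prod"},
}


def run_samples() -> Dict[str, str]:
    """Decision per sample request; only 'drop-lock' and 'change-lock' deny."""
    return {name: evaluate_tag_update(CURRENT_TAGS, req)[0]
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:12s} -> {decision}")
```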