Tags: azure, cloud, policy, azure-policy

Azure Policy says that resources managed by Microsoft are non-compliant


I created an Azure Policy that works great for Storage Accounts, Functions, VMs and everything that I created by hand:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "notEquals": "Microsoft.Resources/subscriptions"
        },
        {
          "anyOf": [
            {
              "field": "[concat('tags[', parameters('tagName1'), ']')]",
              "exists": "false"
            },
            {
              "not": {
                "field": "[concat('tags[', parameters('tagName1'), ']')]",
                "equals": "[subscription().tags[parameters('tagName1')]]"
              }
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "[concat('tags[', parameters('tagName1'), ']')]",
            "value": "[subscription().tags[parameters('tagName1')]]"
          }
        ]
      }
    }
  },
  "parameters": {
    "tagName1": {
      "type": "String",
      "metadata": {
        "displayName": "First Tag Name",
        "description": "Name of the tag, such as 'environment'"
      }
    }
  }
}

The problem is that there are a lot of resources in my compliance report that are non-compliant, for instance roles in Cosmos DB or databases in PostgreSQL, which in my opinion should not be a thing because we do not manage them "manually":


How do I omit resources that should not be considered in the policy, I mean the resources that I do not manage through the portal?

If it helps, it broke when I added the subscription block to exclude subscriptions from the policy, to still be able to edit tags there (and then have them inherited by resources):

{
    "field": "type",
    "notEquals": "Microsoft.Resources/subscriptions"
},

So the question is, how can I fix my policy in a way that I will be able to edit tags on the subscription level and then not see so many non-compliant resources that are not managed by me or through the Azure portal?

My use cases for the policy:


Solution

  • Please post the whole policy and not just the policyRule.

    However, I am assuming that you use "mode": "All". Try changing that to Indexed.

    "The mode determines which resource types are evaluated for a policy definition. The supported modes are:

    indexed should be used when creating policies that enforce tags or locations. While not required, it prevents resources that don't support tags and locations from showing up as non-compliant in the compliance results."

    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#mode

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support
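To make the answer's point concrete, here is an added example (not from the question, the answer, or Azure itself) that models, in a deliberately simplified way, how the definition `mode` changes which resources land in the compliance report. It re-implements the question's `if` block in Python over a constructed inventory and applies the documented rule that `Indexed` skips resource types without tag support while `All` evaluates everything. The `supports_tags` flags on the sample resources are assumptions for illustration; the tag-support reference linked in the answer is the authoritative list.

```python
# Added illustration: a simplified model of how the `mode` of an Azure Policy
# definition changes which resources appear in the compliance report.
# This is NOT Azure's evaluation engine; it only models the documented
# behaviour that mode "Indexed" skips resource types without tag/location
# support, while mode "All" evaluates every resource type.

SUBSCRIPTION_TAGS = {"environment": "prod"}  # constructed subscription tags

# Constructed sample inventory. `supports_tags` is an assumption for each
# entry (top-level resources support tags, these child resources do not);
# the tag-support reference linked above is the authoritative source.
RESOURCES = [
    {"id": "/subscriptions/sub1",
     "type": "Microsoft.Resources/subscriptions",
     "tags": {"environment": "prod"}, "supports_tags": True},
    {"id": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1",
     "type": "Microsoft.Storage/storageAccounts",
     "tags": {"environment": "prod"}, "supports_tags": True},
    {"id": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa2",
     "type": "Microsoft.Storage/storageAccounts",
     "tags": {}, "supports_tags": True},
    {"id": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"environment": "dev"}, "supports_tags": True},
    {"id": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/cdb1/sqlRoleDefinitions/role1",
     "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",
     "tags": {}, "supports_tags": False},
    {"id": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.DBforPostgreSQL/servers/pg1/databases/db1",
     "type": "Microsoft.DBforPostgreSQL/servers/databases",
     "tags": {}, "supports_tags": False},
]


def rule_matches(resource, tag_name):
    """Mirror the question's policyRule 'if' block: the resource is not the
    subscription itself AND (the tag is missing OR its value differs from the
    subscription's tag). A match means the resource is reported non-compliant."""
    if resource["type"] == "Microsoft.Resources/subscriptions":
        return False
    value = resource["tags"].get(tag_name)
    return value is None or value != SUBSCRIPTION_TAGS.get(tag_name)


def evaluate(resources, mode, tag_name):
    """Return the ids that would show up as non-compliant under `mode`."""
    if mode not in ("All", "Indexed"):
        raise ValueError(f"unsupported mode: {mode}")
    non_compliant = []
    for resource in resources:
        # Indexed: types without tag support are never evaluated, so they
        # cannot appear in the compliance results at all.
        if mode == "Indexed" and not resource["supports_tags"]:
            continue
        if rule_matches(resource, tag_name):
            non_compliant.append(resource["id"])
    return non_compliant


if __name__ == "__main__":
    for mode in ("All", "Indexed"):
        print(f"mode={mode}:")
        for rid in evaluate(RESOURCES, mode, "environment"):
            print("  non-compliant:", rid)
```

Running it shows the Cosmos DB role and the PostgreSQL database listed under `All` but absent under `Indexed`, while the untagged storage account and the VM with a mismatched tag value stay non-compliant in both modes, which is the behaviour the question actually wants.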