79422171

Date: 2025-02-07 21:18:17
Score: 7 🚩

I don't have a complete answer. Through testing I can confirm that "mode" does need to be set to "All", even though MS documentation shows "all". The Azure Policy editor will require an uppercase 'A'. Policy editor yellow squiggly underline with view problem: "Value is not accepted. Valid values: "All", "Indexed", "Microsoft.KeyVault.Data", "Microsoft.ContainerService.Data", "Microsoft.CustomerLockbox.Data", "Microsoft.Kubernetes.Data", "Microsoft.Network.Data"." When setting my policy to "Indexed", the policy did not work during resource group creation. I needed to use "All". MS statements about what each mode does are confusing, since resource groups support tags and location.

  • all: evaluate resource groups, subscriptions, and all resource types
  • indexed: only evaluate resource types that support tags and location

You may want to exclude resources and/or resource groups that might get created by automation, as they might not be able to handle the new tag requirement. While not answering this array question, SoMundayn on Reddit created a policy that should exclude the most common resource groups to avoid enforcing a "deny" on. I tried to include code but stackoverflow was breaking on the last curly brace.

Currently @Naveen Sharma's answer is not working for me. I suspect that the "field": "tags[*]" is returning a string. This is based on combining his solution with my own. When I require "Environment" and "DepartmentResponsibility" tags and add those tags to the group with values, I get the following error message:

Policy enforcement. Value does not meet requirements on resource: ForTestingDeleteMe-250217_6 : Microsoft.Resources/subscriptions/resourceGroups The field 'Tag *' with the value '(Environment, DepartmentResponsibility)' is required

I suspect I might be able to use the "field count" or "value count" as described in the MS doc "Azure Policy definition structure policy rule". I have thus far failed to find a working solution, but still feel these are key points to finding an answer.

Reasons:
  • Blacklisted phrase (0.5): I need
  • Blacklisted phrase (1): did not work
  • Blacklisted phrase (1): stackoverflow
  • RegEx Blacklisted phrase (1): I get the following error
  • RegEx Blacklisted phrase (3): not working for me
  • Long answer (-1):
  • Has code block (-0.5):
  • User mentioned (1): @Naveen
  • Low reputation (1):
Posted by: Michael Fisher