We've been doing it manually actually, but our environment is smell enough. As part of our migration we do also tag new VM's with a predefined set of categories to identify them. We use these as the member criteria for our NSX Security groups as well.
Assuming you've already consistently tagged VM's, using those is probably not a bad idea 