How to create a custom policy that shows who create the resources on Azure

@Cinthia Rodriguez Greetings!

First thing, you need to create a custom policy definition that checks for the presence of the "createdBy" tag and assigns it based on the Activity Logs.

Here’s an example of a policy definition that checks for the tag and a parameter to specify the tag name:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "notEquals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "tags['createdBy']",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "append",
      "details": [
        {
          "field": "tags",
          "value": {
            "createdBy": "[parameters('createdByValue')]"
          }
        }
      ]
    }
  },
  "parameters": {
    "createdByValue": {
      "type": "String",
      "metadata": {
        "displayName": "Created By Value",
        "description": "Value to assign for the createdBy tag."
      }
    }
  }
}

After creating the policy definition, assign it to the desired scope (subscription/resource group) where you want to enforce this policy.

Secondly, you need to capture the "Created By" Information. Azure Policy itself does not directly interact with Activity Logs to dynamically assign tags based on user actions. However, you can capture the "createdBy" information from the Activity Log and use Azure Functions or Logic Apps to automate the tagging process.

Follow the detailed steps below:

Create an Azure Function or Logic App: Set up a function or logic app that triggers on new resource creation events.

Monitor Activity Logs: Use the Azure Event Grid to monitor the Activity Logs for resource creation events. You can filter these events to capture the relevant ones.

Extract User Information: In your function or logic app, extract the "createdBy" information from the event data.

Assign the Tag: Use the Azure SDK or REST API to update the resource with the "createdBy" tag using the extracted information.

Example of Azure Function Logic

Here's a simple outline of what the Azure Function could look like in C#:

[FunctionName("TagResource")]
public static async Task<IActionResult> Run(
    [EventGridTrigger] EventGridEvent eventGridEvent,
    [Inject] IResourceManagementClient resourceManagementClient)
{
    var resourceId = eventGridEvent.Data["resourceId"].ToString();
    var createdBy = eventGridEvent.Data["creator"].ToString(); // Adjust based on the actual field
    var tags = new Dictionary<string, string> { { "createdBy", createdBy } };

    // Update resource tags
    await resourceManagementClient.Resources.UpdateAsync(resourceId, new ResourceUpdate { Tags = tags });

    return new OkResult();
}

Hope this helps!

Hello @Sadiqh Ahmed Thank you for your reply,that is really good.

I just have a questions about that, which is regarding this point

Assign the Tag: Use the Azure SDK or REST API to update the resource with the "createdBy" tag using the extracted information.

This will need to be done manually , I guess from time to time, to have all the resources with the tag information, am I right?

Also, I am thinking to do this at the resource group level, just to show who create every resource group on a subscription

@Cinthia Rodriguez Regarding question #1: Yes, you are correct that using the Azure SDK or REST API to update resources with a "createdBy" tag will typically need to be automated if you want to keep it current and comprehensive.

et up an Azure Function or Logic App to listen for resource creation events through Azure Event Grid. When a resource is created, the function or logic app can extract the "createdBy" information from the event data and automatically apply the tag to the newly created resource.

Question #2: If you want to apply the "createdBy" tag at the resource group level rather than individually for each resource, you can modify the logic in your Azure Function or Logic App to tag the resource group itself. This way, whenever a new resource is created within that group, it will inherit the tag, and you only need to manage the tag at the resource group level.

Hi @Sadiqh Ahmed ,I will follow the steps that you mentioned and let you know the result,but I think I can use the policy calls as :Add a tag to a resource groups" https://dotnet.territoriali.olinfo.it/en-us/azure/azure-resource-manager/management/tag-policies I just going to duplicate that and remove the Tag Value since for this case will be the person who create the resource group and keep the Tag name as "Createby" and after that create the Function App, is this looks good for you? what do you think?

I just tried to run that policy but seems that it is required to have the value added it,please see the screenshot added it, in the other hand I use the mode as All, since MS documentation suggest to use that one for Resources groups and also suggest to use the effect as "Modify", article reference https://dotnet.territoriali.olinfo.it/en-us/azure/governance/policy/concepts/effect-modify