Custom Policy

Cinthia Rodriguez 50 Reputation points
2024-10-15T17:37:32.1733333+00:00

Hello Everyone,

I would like your help to know what JSON structure I could use to create an Azure policy that will allow me to identify who created the Azure resources in a subscription.

Thank you, any help will be very welcome.

Azure Policy

2 answers

  1. Vinodh247 24,081 Reputation points MVP
    2024-10-16T05:56:23.0066667+00:00

    Hi Cinthia Rodriguez,

    Thanks for reaching out to Microsoft Q&A.

    To create an Azure policy that identifies who created resources within a subscription, you can use the ARM policy along with Activity Log insights, as there is no direct policy that tracks the resource creator. However, you can leverage resource tagging or utilize audit logs for tracking.

    One approach is to implement a tagging policy that enforces resource owners to tag resources with their names or identities. Here's an example policy that checks if a resource is missing a specific tag (like Creator), and if it is, the policy will require users to provide that tag.

    Steps to Create and Assign Policy:

    1. Navigate to the Azure Portal and search for Policy.
    2. Select Definitions and then click + Policy definition.
    3. Create the JSON policy structure.
    4. After creating the policy, go to Assignments and assign it to your subscription, specifying the enforcement scope.

    Auditing Using Activity Logs:

    You can also use Activity Logs to track who created a resource after the fact:

    1. Go to Activity Log under Monitor.
    2. Filter for "Create" operations to see who created resources and when.

    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.


  2. Vinodh247 24,081 Reputation points MVP
    2024-10-19T11:12:00.1033333+00:00

    Here is the sample. Make sure you modify or tweak according to your environment.

    {
      "properties": {
        "displayName": "Add 'createdBy' tag with the creator's name",
        "policyType": "Custom",
        "mode": "All",
        "description": "This policy automatically adds a 'createdBy' tag with the value being the principal name of the user or service principal that created the resource.",
        "metadata": {
          "category": "Tags"
        },
        "parameters": {
          "tagName": {
            "type": "String",
            "metadata": {
              "displayName": "Tag Name",
              "description": "Name of the tag to be applied to the resource."
            },
            "defaultValue": "createdBy"
          }
        },
        "policyRule": {
          "if": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          "then": {
            "effect": "modify",
            "details": {
              "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
              ],
              "operations": [
                {
                  "operation": "addOrReplace",
                  "field": "[concat('tags[', parameters('tagName'), ']')]",
                  "value": "[requestContext().principalName]"
                }
              ]
            }
          }
        }
      }
    }

    1. displayName: Descriptive name for the policy.
    2. policyType: It's set as Custom since you are defining your own policy.
    3. mode: Set to "All", meaning it applies to all resource types.
    4. parameters: Defines the name of the tag as "createdBy". You can change this parameter if needed, but "createdBy" is the default in this case.
    5. policyRule:
      • if: Checks if the "createdBy" tag is missing.
      • then: Applies the "modify" effect to add or replace the "createdBy" tag with the value set to the user's principal name (requestContext().principalName).
    6. roleDefinitionIds: The required role ID is for the built-in Contributor role, which has permissions to modify resources.
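Whichever tag policy is assigned, the identity that actually created a resource is recorded in the Activity Log (the "caller" of the successful write operation), and that is where both answers above end up pointing for an after-the-fact answer to "who created this". The script below is an added example, not code from the thread or from Microsoft: it reduces an Activity Log export to one creator per resource and lists the resources that still lack a createdBy tag, so the tag can be back-filled from the log. It assumes the field layout printed by `az monitor activity-log list -o json` (camelCase keys such as caller, operationName.value, status.value, resourceId, eventTimestamp); the subscription, resource ids, user names, application id and tag values in it are constructed sample data. Two practitioner caveats it encodes: only a write with status Succeeded created anything (Started, Accepted and Failed records must be skipped), and the Activity Log is retained for 90 days unless exported, so a resource older than the export window shows up with its earliest update rather than its creation.

```python
"""Work out who created each resource from Azure Activity Log events.

Added example (not code from the Q&A thread). The dict shape mirrors the
JSON printed by `az monitor activity-log list -o json`: camelCase keys such
as caller, operationName.value, status.value, resourceId, eventTimestamp.
Every event, id and name below is constructed sample data, not a real entry.
"""
from datetime import datetime

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers"
STORAGE_ID = f"{SUB}/Microsoft.Storage/storageAccounts/stapp01"
NSG_ID = f"{SUB}/Microsoft.Network/networkSecurityGroups/nsg-app"
VM_ID = f"{SUB}/Microsoft.Compute/virtualMachines/vm-app01"
APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed service principal app id


def _event(caller, ts, op, status, rid):
    return {"caller": caller, "eventTimestamp": ts,
            "operationName": {"value": op}, "status": {"value": status},
            "resourceId": rid}


# Constructed sample export (newest first, as the CLI prints it).
SAMPLE_EVENTS = [
    # Azure Policy evaluation noise: not a write, must be ignored.
    _event("alice@contoso.example", "2024-10-15T11:31:00.000Z",
           "Microsoft.Authorization/policies/audit/action", "Succeeded", STORAGE_ID),
    # A later update by someone else: must not be mistaken for the creation.
    _event("bob@contoso.example", "2024-10-15T11:30:00.000Z",
           "Microsoft.Storage/storageAccounts/write", "Succeeded", STORAGE_ID),
    # Failed create: nothing exists, so there is no creator to report.
    _event("carol@contoso.example", "2024-10-15T08:00:00.000Z",
           "Microsoft.Compute/virtualMachines/write", "Failed", VM_ID),
    # Service principal: 'caller' is an application id, not a UPN.
    _event(APP_ID, "2024-10-14T10:05:00.000Z",
           "Microsoft.Network/networkSecurityGroups/write", "Succeeded", NSG_ID),
    # The real creation: earliest successful write for stapp01.
    _event("alice@contoso.example", "2024-10-14T09:01:20.000Z",
           "Microsoft.Storage/storageAccounts/write", "Succeeded", STORAGE_ID),
    # The 'Started' record of that same request carries no outcome.
    _event("alice@contoso.example", "2024-10-14T09:01:12.000Z",
           "Microsoft.Storage/storageAccounts/write", "Started", STORAGE_ID),
]

# Constructed current tags, as `az resource list --query "[].{id:id,tags:tags}"` would give.
SAMPLE_TAGS = {
    STORAGE_ID: {"CreatedBy": "alice@contoso.example", "env": "prod"},
    NSG_ID: {"env": "prod"},
}


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def creators_by_resource(events):
    """Map lower-cased resourceId -> earliest successful write in the export.

    Caveat: the Activity Log keeps 90 days unless exported, so a resource
    older than the export window appears with its first *update*, not its
    creation; read the result as "earliest known writer" in that case.
    """
    creators = {}
    for e in events:
        op = e.get("operationName", {}).get("value", "")
        if not op.lower().endswith("/write"):
            continue  # reads, deletes, actions and policy evaluations
        if e.get("status", {}).get("value") != "Succeeded":
            continue  # Started/Accepted/Failed records never created anything
        rid = e["resourceId"].lower()  # ARM resource ids are case-insensitive
        when = _parse_ts(e["eventTimestamp"])
        if rid not in creators or when < creators[rid]["created"]:
            creators[rid] = {"caller": e["caller"], "created": when, "operation": op}
    return creators


def missing_created_by(creators, tags_by_resource, tag_name="createdBy"):
    """Resources with a known creator but no createdBy tag -> {resourceId: caller}.

    Azure tag names are case-insensitive, so 'CreatedBy' satisfies 'createdBy'.
    """
    normalized = {rid.lower(): {k.lower(): v for k, v in (tags or {}).items()}
                  for rid, tags in tags_by_resource.items()}
    return {rid: info["caller"] for rid, info in creators.items()
            if tag_name.lower() not in normalized.get(rid, {})}


if __name__ == "__main__":
    found = creators_by_resource(SAMPLE_EVENTS)
    for rid, info in sorted(found.items()):
        print(f"{info['created'].isoformat()}  {info['caller']:40}  {rid}")
    for rid, caller in missing_created_by(found, SAMPLE_TAGS).items():
        print(f"missing tag: {rid} -> createdBy={caller}")
```

On real data, feed it the output of `az monitor activity-log list --start-time <date> -o json` (run before the 90-day window closes, or point it at a Log Analytics export instead) and apply the result with `az tag update --resource-id <id> --operation merge --tags createdBy=<caller>`. Callers that are GUIDs rather than UPNs are service principals or managed identities and should be resolved against Microsoft Entra before being written into a tag a human will read.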
