Post

Azure Subscription Tag Supervision

Posted Updated
Preview Image
By Otto Gudszent
2 min read

Tags are a crucial topic when it comes to Azure. They help us to organize our resources in the cloud, but also to monitor and manage them. The tags are also very useful for the financial aspect, because they help us to track the costs of the resources. In this article, I would like to show you a solution where we can oversee every subscription in our tenant based on the new “Change Analysis” feature.

Statement

Tags are an essential topic when we discuss Azure. They help us to categorize our resources, as well as to monitor and manage them. The tags also have a financial benefit, as they help us to track the costs of the resources. In this article, I would like to show a solution where we can oversee every subscription in our tenant using the new “Change Analysis” feature.

Solution

Finally from the portal also available the new “Change Analysis” feature, what can help us to monitor the changes in our subscription. Announcement. Based on that solution I created a Kusto query, what can help us to monitor the changes in the tags. The query is the following:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

let tagname = "department";
let timeRange = 5m;
arg("").resourcechanges
| extend timestamp = todatetime(properties.changeAttributes.timestamp)
| extend resourceId = tostring(properties.targetResourceId)
| extend resourceType = tostring(properties.targetResourceType)
| extend changeType = tostring(properties.changeType)
| extend changes = todynamic(properties.changes)
| extend changeAttributes = todynamic(properties.changeAttributes)
| where timestamp > ago(timeRange) and resourceType == "microsoft.resources/subscriptions" 
| union (
    arg("").resourcecontainerchanges
    | extend timestamp = todatetime(properties.changeAttributes.timestamp)
    | extend resourceId = tostring(properties.targetResourceId)
    | extend resourceType = tostring(properties.targetResourceType)
    | extend changeType = tostring(properties.changeType)
    | extend changes = todynamic(properties.changes)
    | extend changeAttributes = todynamic(properties.changeAttributes)
    | where timestamp > ago(timeRange) and changes like strcat("tags.", tagname)
    )
| project
    timestamp,
    subscriptionId,
    resourceGroup,
    resourceId,
    resourceType,
    changeType = properties.changeType,
    changes,
    changeAttributes
| order by timestamp desc

This query without eventgrid or any other will check every subscription where the alert rule has permission to read the tags.

Implementation

To implement this solution, we need to create an alert rule in the subscription, where we would like to supervise the tags. The alert rule will be based on the Kusto query, what I presented above. The alert rule will be triggered every 5 minutes. The alert rule will send an email to the subscription owner, so he can check what happened.

Alert

This query use the new “Change Analysis” and for that the alert rule need to have permission to read these logs.

Azure
Azure Tag LAW Resource Graph
This post is licensed under CC BY 4.0 by the author.