Custom policy that denies/audit the modification of tags on subscription after the creation.

Question

we have a source of truth of the tags on the subscription. We want to deny the modification of the tags of the subscription after the creation. What ways can we achieve this?
Or can we audit the changes of the tags on subscription and later do a remediation once any tag changes detected with the source of truth.
Any help is highly appreciated.

Answer 1

Hi SrVish

Thanks for using the Q&A platform.
You can choose to use Azure policy to deny tag modification. Azure policy can be scoped at the subscription level and designed to deny any change to specific tags once set.
Find a sample script:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions"
        },
        {
          "not": {
            "field": "tags",
            "equals": "[parameters('allowedTags')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "allowedTags": {
      "type": "object",
      "metadata": {
        "description": "The tags that must match for the subscription.",
        "displayName": "Allowed Tags"
      }
    }
  }
}

Also find: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-basics

In addition, you can audit tag changes via Azure activity logs and Azure Monitor. You will need to enable diagnostic settings on the subscription to export activity logs and use the below command to query tag changes using KQL in Log Analytics.

AzureActivity
| where ResourceType == "microsoft.resources/subscriptions"
| where OperationNameValue contains "Write"
| where Properties contains "tags"

https://learn.microsoft.com/en-us/azure/role-based-access-control/change-history-report

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Obinna