6

When creating a resource group with Azure Policy, I would like to force account information such as user ID and email address as tags.

Referring to the sample "Apply tag and its default value", I was able to apply a tag with a fixed value, but I do not know how to obtain the aforementioned account information dynamically.

If anyone knows, please tell me how.

Thank you.

  • Azure policy cannot do this at the moment. I suggest upvoting this uservoice entry, maybe we can get enough eyes on this feature request: https://feedback.azure.com/forums/915958-azure-governance/suggestions/14830539-support-for-functions-in-resource-manager-policies – heren Oct 01 '19 at 00:16
  • @heren Thank you for your comment. I have voted. – user20380119or0118 Oct 02 '19 at 03:21
  • 1
    check this out: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/tagging-azure-resources-with-a-creator/ba-p/1479819 – Tilo May 12 '23 at 22:05

2 Answers

1

If the requirement is when creating / defining the policy:

You may obtain the account information dynamically by using the Get-AzContext cmdlet. Note that the user ID and email address might be assigned to its (Get-AzContext) properties like 'Account', 'Account.Id', 'Name', etc. So you may run the commands below and check the output to validate which context properties carry the user ID and email address in your environment, and use those.

# Dump every property of the current context
Get-AzContext | fl *

# Extended properties can carry additional account details
Get-AzContext | Select -ExpandProperty ExtendedProperties

# Typically the signed-in user's UPN / email
$UserID = (Get-AzContext).Account.Id

# The context name (check whether it carries the value you need in your environment)
$UserName = (Get-AzContext).Name

And then provide the dynamically fetched user ID and email address to the $policyparam variable (mentioned in the deployment step of the tutorial you are following).

If the requirement is when applying the policy:

AFAIK this feature is currently unsupported / not possible via Azure policies. However, to accomplish the requirement of tagging the user ID and email address on very recently created resource groups, you may leverage the related create events from the activity logs and then have an automated way, something like a function app, to fetch those events and add the required tags (with information like user ID, email address, etc.) to the respective resource groups on the fly.

halfer
KrishnaG
  • 1
    Thank you for your answer. Unfortunately, it was not what I wanted to do. I want to call Get-AzContext when applying the policy, not when defining the policy. What I want to do is have the name and email of the person who created the resource tagged dynamically when the resource is created. – user20380119or0118 May 30 '19 at 08:27
  • Ah! Got you and thanks for the clarification! I have updated the answer with some more information. – KrishnaG May 30 '19 at 10:51
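The activity-log approach described in the answer above, written out as an added PowerShell example (not code from the answer or from any Microsoft sample). It assumes the Az.Accounts, Az.Monitor and Az.Resources modules are installed, that Connect-AzAccount has already been run with rights to read the Activity Log and write tags, and that the tag names CreatedBy and CreatedOn are the ones you want; those names and the 60-minute lookback are assumptions.

```powershell
# Added example: tag recently created resource groups with the identity that
# created them, taken from the Activity Log. Not part of the original answer.
# Assumes Az.Accounts, Az.Monitor and Az.Resources are installed and that
# Connect-AzAccount has already been run.
param(
    [int]$LookbackMinutes = 60          # assumption: how far back to scan
)

# Tag names are assumptions; use whatever your policy expects.
$CreatorTag = 'CreatedBy'
$CreatedTag = 'CreatedOn'

# Resource-group creation (and update) is logged under this operation name.
$RgWriteOp = 'Microsoft.Resources/subscriptions/resourceGroups/write'

$start = (Get-Date).AddMinutes(-$LookbackMinutes)

# Only successful resource-group writes in the lookback window.
$events = Get-AzActivityLog -StartTime $start -MaxRecord 1000 |
    Where-Object {
        $_.OperationName.Value -eq $RgWriteOp -and
        $_.Status.Value -eq 'Succeeded'
    }

# A 'write' is also emitted on later updates, so take the earliest event
# per group as the creation event.
foreach ($g in ($events | Group-Object -Property ResourceGroupName)) {
    $first = $g.Group | Sort-Object EventTimestamp | Select-Object -First 1

    $rg = Get-AzResourceGroup -Name $g.Name -ErrorAction SilentlyContinue
    if (-not $rg) { continue }   # group was deleted since the event

    # Never overwrite a creator tag that is already present; this keeps the
    # script idempotent and stops a later update from masquerading as creation.
    if ($rg.Tags -and $rg.Tags.ContainsKey($CreatorTag)) { continue }

    # Caller is the UPN for a user, or the application id for a service principal.
    $tags = @{
        $CreatorTag = $first.Caller
        $CreatedTag = $first.EventTimestamp.ToString('o')
    }

    # Merge keeps the tags the group already has; Replace would drop them.
    Update-AzTag -ResourceId $rg.ResourceId -Tag $tags -Operation Merge | Out-Null
    Write-Output ("Tagged {0}: {1}={2}" -f $g.Name, $CreatorTag, $first.Caller)
}
```

Run it on a schedule (a timer-triggered function app or Automation runbook, as the answer suggests) with a lookback a little longer than the schedule interval, so no creation event is missed. Two caveats for anyone relying on the result: the Activity Log only retains 90 days of events, so the job must keep running, and tags are mutable metadata that anyone with write access to the group can change, so CreatedBy is useful for attribution and cost reporting but is not an access-control boundary; the Activity Log itself remains the authoritative record.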
1

Policy is not user aware so you won't be able to get account information.

Kemley