Azure Functions – Setting Tags on Subscriptions Using C#

A couple of months ago, Microsoft announced that it is possible to set tags on subscriptions. This makes total sense and was a long-awaited feature. Good practice is to use Azure Policy to set tags on resources, but there are cases where it is not possible to use Azure Policy. Well, technically it would be possible, but it would end up in a policy mess, because you would need a dedicated policy object and assignment for each individual subscription and tagging.

A couple of examples are:

  • Setting an individual application id/name if you structure your subscriptions like “one subscription = one application”
  • Owner of the application / subscription
  • Individual tagging for cost management
  • etc.

It gets even more complicated, because the Azure SDK does not support tagging of subscriptions (yet) and there is no other way than setting the tags programmatically via the ARM API. Of course you could use PowerShell, az CLI & co., but this is not my goal.

In this example I am going to create an HTTP trigger Azure Function that shows how we can set subscription tags by providing the subscription Id and the key / value pairs.

Sounds interesting? Yeah it is!

First I create an HTTP trigger function in Visual Studio and add some packages…

For this demo, I will use a service principal in Azure to authenticate and assign it the “Contributor” role on a management group, so that all subscriptions below that management group can be modified. Depending on your security concept, there is also a Tag Contributor role available, which might be interesting to you. Next, the solution setup looks like this…

…the AzureCredentials class is the same as shown in this post and I am not going to repeat myself. The subscription class is just a simple POCO class which we need to deserialize the request, containing the Id property and a dictionary for the tags…

The local.settings.json file contains information such as the service principal id (SP_CLIENTID aka application ID), the key (SP_KEY) and the Azure AD tenant ID (TENANTID)…

…the settings file also contains a reference to the ARM endpoint described here. This endpoint “…allows adding or replacing the entire set of tags on the specified resource or subscription. The specified entity can have a maximum of 50 tags.”…meaning, each time ALL tags are replaced with your new set of tags. That’s what I want.

…the more interesting part is the Azure Function itself, which is in the SubscriptionTag class. It is an HTTP trigger function using the PUT method…

Starting from the bottom, we have a simple method DeserializeRequest to deserialize the request coming in as a JSON payload. The SetSubscriptionTags method first initializes the ARM endpoint and instantiates a REST client object; next we convert the provided tags into a JSON object. Because I wanted to use the AzureCredentials class from the Fluent SDK in all my Azure Functions to authenticate, without messing around with Bearer tokens or constructing authentication headers, I found this slick trick here, which I copied. So we authenticate using the Fluent SDK RestClient class and then send the HTTP request. Then we just return the response and report whether it was successful or not. That’s it…
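As an added example (not the code from this post or its repo), the sketch below validates the caller-supplied subscription Id and tags before building the PUT that replaces the whole tag set. The class name, the api-version value and the exact endpoint string are assumptions; the limits checked are the 50-tag maximum quoted above plus Azure's documented tag name and value limits.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;
using System.Text.Json;

public static class SubscriptionTagRequest // hypothetical name, not the post's class
{
    // Assumed values: the post does not show its endpoint string or api-version.
    const string ArmBase = "https://management.azure.com";
    const string ApiVersion = "2021-04-01";
    static readonly char[] ForbiddenInName = { '<', '>', '%', '&', '\\', '?', '/' };

    // Validates caller input and builds the PUT that replaces ALL tags on the subscription.
    public static HttpRequestMessage Build(string subscriptionId, IDictionary<string, string> tags)
    {
        // The id ends up in the URL path, so accept nothing but a canonical GUID.
        if (!Guid.TryParseExact(subscriptionId, "D", out var id))
            throw new ArgumentException("Subscription id must be a GUID.", nameof(subscriptionId));
        if (tags == null || tags.Count > 50)
            throw new ArgumentException("Between 0 and 50 tags are allowed.", nameof(tags));
        foreach (var tag in tags)
        {
            if (string.IsNullOrWhiteSpace(tag.Key) || tag.Key.Length > 512 ||
                tag.Key.IndexOfAny(ForbiddenInName) >= 0)
                throw new ArgumentException($"Invalid tag name '{tag.Key}'.", nameof(tags));
            if (tag.Value == null || tag.Value.Length > 256)
                throw new ArgumentException($"Invalid value for tag '{tag.Key}'.", nameof(tags));
        }

        var uri = $"{ArmBase}/subscriptions/{id:D}/providers/Microsoft.Resources/tags/default?api-version={ApiVersion}";
        var body = JsonSerializer.Serialize(new { properties = new { tags = new Dictionary<string, string>(tags) } });
        return new HttpRequestMessage(HttpMethod.Put, uri)
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json")
        };
    }

    public static void Main()
    {
        // Constructed sample input, not taken from the post.
        var tags = new Dictionary<string, string> { ["Owner"] = "team-a", ["AppId"] = "app-0001" };
        var request = Build("00000000-0000-0000-0000-000000000000", tags);
        Console.WriteLine($"{request.Method} {request.RequestUri}");
        Console.WriteLine(request.Content.ReadAsStringAsync().Result);
    }
}
```

The returned message carries no credentials; it still has to be signed with the service principal before it is sent, as described above. An empty dictionary is accepted on purpose, and because the endpoint replaces the entire set, sending it clears every tag on the subscription.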

For testing I use Postman, but you can use any tool of your choice to send a PUT request to the function. I just ran it on my local machine, passing in the subscription Id and the tags…

…and it looks like this…

Final thoughts:

There is no proper error handling, no security such as authentication, etc., but this is not the point here. I just want to provide an elegant way to add tags to your subscription so you don’t have to do too much research.

I hope this helps you, and for your convenience I have uploaded the solution to my repo on GitHub.
