Az-Stamper

Automated Azure resource tagging for audit and compliance

Overview

Azure activity logs expire after 90 days. Once they are gone, you cannot determine who created a resource, when it was created, or who last modified it. If an auditor asks for proof of resource ownership six months later, you have no answer.

Az-Stamper is a free, open-source Azure Functions solution that automatically tags resources with creator identity at creation time and tracks modifications. Built with C#/.NET 8, it uses Event Grid to catch resource write events and stamps each resource with configurable metadata tags — permanently preserving the information that activity logs eventually discard.

It runs on the Azure Functions Consumption plan with near-zero cost. The architecture uses Managed Identity exclusively — no secrets, no connection strings, no API keys stored anywhere.

Key Features

Configurable tag map

Define which tags to apply with per-tag overwrite control. Creator tags are write-once so the original value is never lost. Modification tags update on every change.

Caller identity resolution

Resolves the human-readable identity behind every resource operation: the UPN for users, a Graph API lookup for service principal display names, and a fallback to the raw principal ID.

Multi-subscription support

Hub-and-spoke model lets a single Function App monitor multiple Azure subscriptions through Event Grid forwarding. Per-subscription configuration overrides included.

Self-event filtering

Automatically detects and ignores its own tag writes to prevent infinite event loops. Configurable ignore patterns for additional resource type exclusions.

Near-zero cost

The Azure Functions Consumption plan plus Event Grid means you pay only for actual resource creation events. The Azure free tier covers most small-to-medium deployments.

MIT licensed

Free forever. Fork it, modify it, use it commercially. No licensing fees, no usage limits, no vendor lock-in.

Configuration UI

Included Static Web App provides a browser-based interface for managing tag rules, subscription settings, and ignore patterns — no CLI required.

Quick Start

Deploy to Azure

One click deploys everything — resource group, function app, storage, monitoring, Event Grid, RBAC, and function code.

Prerequisites

  • Azure subscription with the Owner role, or Contributor plus User Access Administrator
  • Microsoft.EventGrid resource provider registered

Optional: Self-event filtering

After deployment, set the SelfPrincipalId so Az-Stamper can identify its own tag writes and skip them:

PRINCIPAL_ID=$(az functionapp identity show --name <func-app> --resource-group <rg> --query principalId -o tsv)
az functionapp config appsettings set --name <func-app> --resource-group <rg> --settings "StamperConfig__SelfPrincipalId=$PRINCIPAL_ID"

Developer Setup

Prefer full control? Clone the repo and deploy via CLI or CI/CD. See the Az-Stamper README for manual deployment, configuration options, multi-subscription setup, and CI/CD integration.

What It Tags

Creator Identity

  • Creator (UPN or service principal display name)
  • CreatedOn (ISO 8601 UTC timestamp)
  • StampedBy (value: "Az-Stamper", write-once)

Modification Tracking

  • LastModifiedBy (UPN or display name)
  • LastModifiedOn (ISO 8601 UTC timestamp)

Tag Behavior

  • Write-once tags preserve the original creator
  • Overwrite tags track the latest modifier
  • Per-tag control via configuration

Template Variables

  • {caller} — resolved identity of the actor
  • {timestamp} — ISO 8601 event time
  • {principalType} — User or ServicePrincipal
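
The tag behavior, template variables and self-event filtering described above, modelled in Python as an added example; this is not Az-Stamper's own C# code. The tag-map key names ("value", "overwrite"), the event field names and the sample events are assumptions made for illustration, and the Graph API lookup is represented by a pre-filled displayName field.

```python
import re

# Hypothetical tag map modelled on the tags listed above; the key names
# ("value", "overwrite") are assumptions, not Az-Stamper's real schema.
TAG_MAP = {
    "Creator":        {"value": "{caller}",    "overwrite": False},
    "CreatedOn":      {"value": "{timestamp}", "overwrite": False},
    "StampedBy":      {"value": "Az-Stamper",  "overwrite": False},
    "LastModifiedBy": {"value": "{caller}",    "overwrite": True},
    "LastModifiedOn": {"value": "{timestamp}", "overwrite": True},
}

def resolve_caller(event):
    """UPN for users, display name for service principals, else raw principal ID."""
    if event["principalType"] == "User" and event.get("upn"):
        return event["upn"]
    return event.get("displayName") or event["principalId"]

def render(template, event):
    """Substitute {caller}, {timestamp}, {principalType}; keep unknown placeholders."""
    values = {"caller": resolve_caller(event),
              "timestamp": event["timestamp"],
              "principalType": event["principalType"]}
    return re.sub(r"\{(\w+)\}", lambda m: values.get(m.group(1), m.group(0)), template)

def compute_tags(existing, event, self_principal_id, tag_map=TAG_MAP):
    """Return the resource's tags after stamping, or None if the event is skipped."""
    if event["principalId"] == self_principal_id:
        return None  # the stamper's own tag write; skipping it prevents an event loop
    merged = dict(existing)  # tags outside the map are left untouched
    for name, rule in tag_map.items():
        if rule["overwrite"] or name not in existing:  # write-once: set only if absent
            merged[name] = render(rule["value"], event)
    return merged

# Constructed sample events (not real activity-log records).
SELF_ID = "00000000-0000-0000-0000-000000000001"
create = {"principalType": "User", "principalId": "1111", "upn": "alice@example.com",
          "timestamp": "2024-05-01T09:00:00Z"}
modify = {"principalType": "ServicePrincipal", "principalId": "2222",
          "displayName": "ci-deployer", "timestamp": "2024-05-02T10:30:00Z"}
own_write = {"principalType": "ServicePrincipal", "principalId": SELF_ID,
             "timestamp": "2024-05-02T10:30:05Z"}

after_create = compute_tags({}, create, SELF_ID)
after_modify = compute_tags(after_create, modify, SELF_ID)
```

After the second event, Creator and CreatedOn still hold the values from the first event while LastModifiedBy and LastModifiedOn reflect the service principal, which is the property an auditor relies on.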