Query Details
Azure Logic App Disabled Or Deleted
Query
AzureActivity | where OperationNameValue == "MICROSOFT.LOGIC/WORKFLOWS/DISABLE/ACTION" or OperationName == "MICROSOFT.LOGIC/WORKFLOWS/DELETE" | where ActivityStatusValue startswith "Succe" or ActivityStatusValue startswith "accept" // Comment out if you want to look for attempts //Azure Activity must be enabled https://learn.microsoft.com/en-us/azure/azure-monitor/platform/activity-log?tabs=log-analytics
Explanation
This query is designed to filter and display specific activities from the Azure Activity logs. Here's a simple breakdown of what it does:
-
Data Source: It starts by looking at the
AzureActivitylog, which records various actions and events within Azure. -
Filter by Operation: It filters the logs to only include activities where the operation name is either:
- "MICROSOFT.LOGIC/WORKFLOWS/DISABLE/ACTION" (indicating a workflow was disabled)
- "MICROSOFT.LOGIC/WORKFLOWS/DELETE" (indicating a workflow was deleted)
-
Filter by Status: It further narrows down the results to activities where the status of the operation starts with:
- "Succe" (likely referring to "Success")
- "accept" (possibly referring to "Accepted")
This means it only shows activities that were successfully completed or accepted.
-
Comment: There's a comment suggesting that if you want to see all attempts (not just successful ones), you can remove the status filter.
-
Note: It includes a reminder that Azure Activity logging must be enabled to capture these events, with a link to the relevant documentation for setting it up.
In summary, this query is used to find successful or accepted disable or delete actions on Azure Logic Apps workflows from the activity logs.
Details
Jay Kerai
Released: September 5, 2025
Tables
Keywords
Operators