Azure Arc KQL Query Reference

Essential Log Analytics & Resource Graph queries for monitoring, troubleshooting, and agent status tracking

📖 15 min read
🎯 Intermediate
🔧 Technical Reference
💡 Real-World Queries

Introduction

KQL query reference for Azure Arc-enabled servers. These queries help you monitor agent status, track deployments, troubleshoot issues, and maintain your Arc infrastructure.

Failed Extension Installations

Track Azure Arc extension installation failures across your environment.

Detailed Failed Extension Report

This query identifies all servers with failed Azure Arc extension installations, showing server name, user, resource group, extension name, and IP address.

KQL - Failed Extension Details
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE" and ActivityStatusValue == "Failure"
| extend Properties = parse_json(Properties)
// Properties.resource has the form "<server name>/<extension name>"
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend ["Extension Name"] = tostring(split(Properties.resource, "/")[1])
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Subscription ID"] = Properties.SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated, Server, User, ['Resource Group'], ["Extension Name"], ['Subscription ID'], ['IP Address'], ["Activity Status"]
| sort by TimeGenerated

Failed Extensions Summary by Server

This query summarizes failed extension installations by extension name and server name, showing the count and list of failed extensions per server.

KQL - Failed Extensions Summary
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE" and ActivityStatusValue == "Failure"
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend ["Extension Name"] = tostring(split(Properties.resource, "/")[1])
| summarize
    ['Extensions Count'] = dcount(["Extension Name"]),
    ['List of Extensions'] = make_set(["Extension Name"])
    by Server
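The two queries above list and count failures; the following query, an added example that is not part of the original reference, narrows the same AzureActivity data to extensions that failed repeatedly on one server inside a lookback window and carries the latest error text along, which is usually what a troubleshooter opens first. It assumes the failure record's Properties JSON carries a statusMessage field with the provider's error, as AzureActivity failure events normally do; the 7-day lookback and the threshold of two failures are constructed values.

```kql
// Added example: repeat extension failures per server over the last 7 days,
// with the most recent error text. Lookback and threshold are illustrative values.
let lookback = 7d;
let minFailures = 2;
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE" and ActivityStatusValue == "Failure"
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0])),
         ExtensionName = tostring(split(Properties.resource, "/")[1]),
         // assumption: the provider's error is recorded in Properties.statusMessage
         ErrorText = tostring(Properties.statusMessage)
| summarize Failures = count(),
            FirstFailure = min(TimeGenerated),
            arg_max(TimeGenerated, ErrorText)   // TimeGenerated and ErrorText of the latest failure
            by Server, ExtensionName
| where Failures >= minFailures
| project Server, ExtensionName, Failures, FirstFailure, LastFailure = TimeGenerated, LastError = ErrorText
| sort by Failures desc, LastFailure desc
```

A server that appears here with the same extension failing every few hours is usually a policy or automation loop retrying an install that cannot succeed (wrong OS, missing prerequisite, blocked egress); the error text narrows that down without opening each activity record.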

Extension Activity Monitoring

Monitor all Azure Arc extension installations and modifications, including user activity, IP addresses, and status.

Extension Provisioning State Verification

List all Azure Arc extensions to verify they appear in inventory. Note: Just because an extension appears here doesn't mean it's functioning correctly.

Resource Graph - List All Extensions
resources
| where type == "microsoft.hybridcompute/machines/extensions"

Failed Extension Provisioning States

Identify extensions assigned to servers but not working properly. This query shows all extensions where ProvisioningState is not "Succeeded", helping you find extensions that require attention.

Resource Graph - Non-Succeeded Extensions
resources
| where type == "microsoft.hybridcompute/machines"
| project ServerName = tostring(name)
| join kind=inner (
    resources
    | where type == "microsoft.hybridcompute/machines/extensions"
    // the extension id is /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.HybridCompute/machines/<server>/extensions/<ext>,
    // so segment 8 of the id is the server name
    | extend ServerName = tostring(split(tostring(id), "/", 8)[0])
    | extend ["Provisioning State"] = tostring(properties.provisioningState)
    | where ["Provisioning State"] != "Succeeded"
    | extend Extension = name
    )
    on ServerName
| project ServerName, Extension, ["Provisioning State"]
PowerShell Alternative: Use the Get-AzConnectedMachineExtension cmdlet to list machine extensions, then filter for non-acceptable states. This approach works well when you need to verify extension status during troubleshooting or automation workflows.

All Extension Write Operations

Track all extension installation and modification activities across Arc-enabled servers. Shows user, IP address, extension name, and status for security monitoring and troubleshooting.

Azure Activity - All Extension Operations
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE" and ResourceProviderValue == "MICROSOFT.HYBRIDCOMPUTE"
| extend Properties = parse_json(Properties)
| extend Server = tostring(split(Properties.resource, "/")[0])
| extend ["Extension Name"] = tostring(split(Properties.resource, "/")[1])
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Subscription ID"] = Properties.SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated, Server, ['Extension Name'], User, ['Resource Group'], ['Subscription ID'], ['IP Address'], ["Activity Status"]
| sort by TimeGenerated
Security Note: Monitor extension installations carefully. Malicious actors can exploit Custom Script Extensions to execute unauthorized PowerShell or Bash scripts on your servers. Use this query in Microsoft Sentinel for security detection and alerting.
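One way to turn the note above into a detection, as an added example rather than a query from the original reference: restrict the same extension-write events to Custom Script extensions and surface the caller and source IP, in a shape that drops straight into a Microsoft Sentinel scheduled analytics rule. It assumes the extension instance name contains "customscript" (the default names are CustomScriptExtension on Windows and CustomScript on Linux) and keeps only the terminal Success/Failure records, so an operation that also logs a Start record is not counted twice.

```kql
// Added example: Custom Script extension writes on Arc-enabled servers,
// shaped for a Microsoft Sentinel scheduled analytics rule.
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE"
| where ActivityStatusValue in ("Success", "Failure")   // terminal records only
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0])),
         ExtensionName = tostring(split(Properties.resource, "/")[1])
// assumption: the instance name contains "customscript" (defaults: CustomScriptExtension on Windows, CustomScript on Linux);
// contains is case-insensitive in KQL, contains_cs would be the case-sensitive form
| where ExtensionName contains "customscript"
| project TimeGenerated, Server, ExtensionName,
          User = tostring(Properties.caller),
          ['Resource Group'] = tostring(Properties.resourceGroup),
          ['IP Address'] = CallerIpAddress,
          ['Activity Status'] = ActivityStatusValue
| sort by TimeGenerated desc
```

Because the instance name is chosen by whoever installs the extension, treat the name filter as a first pass. The extension type (properties.type, with properties.publisher) on the Resource Graph extensions record is the authoritative field and is the place to confirm what was actually installed on the server before closing an alert.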

Deleted Server Tracking

Track who deleted Azure Arc-enabled servers from your environment.

Arc Server Deletion Audit

Identify deleted Azure Arc servers, including who deleted them, when, and from which resource group. Critical for security auditing and troubleshooting missing servers.

Azure Activity - Deleted Arc Servers
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/DELETE" and ActivityStatusValue == "Success"
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| project TimeGenerated, Server, User, ['Resource Group']
| sort by TimeGenerated desc

Azure Monitoring Agent (AMA) Removal Detection

Detect when Azure Monitoring Agent extensions are removed from Arc-enabled servers. Critical for maintaining security monitoring coverage.

AMA Extension Removal Audit

Track AMA extension deletions across your Arc infrastructure. Shows who removed the extension, when, and from which server. Essential for Microsoft Sentinel monitoring and compliance.

Azure Activity - AMA Extension Removal
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/DELETE" and ActivityStatusValue == "Success"
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend ["Extension Name"] = tostring(split(Properties.resource, "/")[1])
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Subscription ID"] = Properties.SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = Properties.activityStatusValue
// in~ matches case-insensitively, so the filter works however the extension name was cased at install time
| where ['Extension Name'] in~ ("amawindows", "azuremonitorwindowsagent")
| project TimeGenerated, Server, User, ['Resource Group'], ["Extension Name"], ['Subscription ID'], ['IP Address'], ["Activity Status"]
| sort by TimeGenerated
Note: This query checks for two AMA extension names, amawindows and azuremonitorwindowsagent; the name an AMA extension instance carries depends on when and how your Azure Arc implementation deployed it. Both are Windows names: Linux Arc servers run the AzureMonitorLinuxAgent extension, which this filter does not match, so extend the list if you have Linux servers whose monitoring coverage you need to track.

New Server Onboarding Tracking

Identify new Azure Arc-enabled server onboardings to track environment expansion and detect unauthorized server registrations.

New Arc Server Onboardings

Track new Azure Arc server onboardings with server name, user, resource group, and subscription details. Use this query to monitor environment growth and security compliance. Note that MACHINES/WRITE is also logged when an existing machine resource is updated (a tag change, for example), so the earliest write per server is the onboarding and later writes are updates.

Azure Activity - New Arc Onboardings
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE" and ActivityStatusValue == "Success"
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Subscription ID"] = Properties.SubscriptionId
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated, Server, User, ['Resource Group'], ['Subscription ID'], ["Activity Status"]
| sort by TimeGenerated desc

Failed Update Deployments

Track failed Azure Update Manager deployments on Arc-enabled servers to maintain patching compliance and troubleshoot update issues.

Failed Patch Installation Tracking

Identify failed update deployments from Azure Update Manager. Shows which servers failed to install patches, when, and why.

Azure Activity - Failed Update Deployments
AzureActivity
| where OperationNameValue == "MICROSOFT.COMPUTE/VIRTUALMACHINES/INSTALLPATCHES/ACTION" and ActivityStatusValue == "Failed"
| extend Properties = (parse_json(Properties))
| extend Server = toupper(split(Properties.resource,"/")[0])
| extend User = Properties.caller
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Subscription ID"] = Properties.SubscriptionId
| extend ["Activity Status"] = Properties.activityStatusValue
| project TimeGenerated, Server, User, ['Resource Group'], ['Subscription ID'], ["Activity Status"]
| sort by TimeGenerated desc
Note: This query works with Azure Update Manager deployments on Arc-enabled servers. Failed deployments indicate patching issues that require troubleshooting. If it returns nothing for your Arc servers, check the exact OperationNameValue and ActivityStatusValue strings recorded in your workspace: patch operations on Arc machines are logged under the MICROSOFT.HYBRIDCOMPUTE/MACHINES/INSTALLPATCHES/ACTION operation rather than the MICROSOFT.COMPUTE/VIRTUALMACHINES one, and the other queries on this page match failures with the status value "Failure".

Resource Health & Connectivity Tracking

Monitor Azure Arc agent connectivity and track disconnection events to identify connectivity issues and agent failures.

Arc Agent Disconnection Tracking

Track Arc agent disconnection and reconnection events. Shows when servers lost connectivity (ActivityStatusValue = "Active") and when they reconnected (ActivityStatusValue = "Resolved"). Use this to identify connectivity patterns and investigate prolonged disconnections.

Azure Activity - Resource Health Events
AzureActivity
| where CategoryValue == "ResourceHealth"
| where ResourceProviderValue == "MICROSOFT.HYBRIDCOMPUTE"
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend ["Resource Group"] = Properties.resourceGroup
| extend ["Health Status"] = ActivityStatusValue
| project TimeGenerated, Server, ['Resource Group'], ["Health Status"]
| sort by TimeGenerated desc
Connectivity Analysis: "Active" status indicates agent disconnection. "Resolved" status indicates reconnection. Brief disconnections are normal, but prolonged disconnections require investigation.
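To quantify the prolonged disconnections the note refers to, the following query, an added example that is not part of the original reference, pairs each server's "Active" event with the next "Resolved" event on the same server and reports the gap between them. It reads the same ResourceHealth events as the query above; the 4-hour threshold is a constructed value, to be set to whatever counts as prolonged in your environment.

```kql
// Added example: duration of each disconnection, from the ResourceHealth "Active" event
// to the following "Resolved" event on the same server. Threshold is illustrative.
let threshold = 4h;
AzureActivity
| where CategoryValue == "ResourceHealth"
| where ResourceProviderValue == "MICROSOFT.HYBRIDCOMPUTE"
| where ActivityStatusValue in ("Active", "Resolved")
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| project TimeGenerated, Server, HealthStatus = ActivityStatusValue
| sort by Server asc, TimeGenerated asc   // serializes the rows so prev() returns the previous event of the same server
| extend PrevServer = prev(Server), PrevStatus = prev(HealthStatus), PrevTime = prev(TimeGenerated)
| where HealthStatus == "Resolved" and PrevStatus == "Active" and PrevServer == Server
| extend DisconnectedFor = TimeGenerated - PrevTime
| where DisconnectedFor > threshold
| project Server, DisconnectedAt = PrevTime, ReconnectedAt = TimeGenerated, DisconnectedFor
| sort by DisconnectedFor desc
```

Servers whose most recent event is still "Active" have not reconnected and therefore do not appear in this output; to list them, take the latest event per server with summarize arg_max over the same projected rows and keep those whose status is still "Active".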

Resource Graph Inventory Queries

Use these Resource Graph queries to inventory and track your Azure Arc-enabled servers across subscriptions.

List All Azure Arc Machines

Basic query to list all Azure Arc-enabled servers in your environment.

Resource Graph - List Arc Machines
resources
| where type == "microsoft.hybridcompute/machines"

Count Machines by Subscription and Resource Group

Aggregate Azure Arc machines by subscription and resource group to understand distribution across your environment.

Resource Graph - Count by Subscription/RG
resources
| where type == "microsoft.hybridcompute/machines"
| summarize machineCount = count() by subscriptionId, resourceGroup

Enrich with Subscription Names

Join Azure Arc machine data with subscription information to show subscription names alongside machine counts.

Resource Graph - Enrich with Subscription Names
resources
| where type == "microsoft.hybridcompute/machines"
| project serverName = name, subscriptionId, resourceGroup
| join kind=inner (
    resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | project subscriptionName = name, subscriptionId
) on subscriptionId
| summarize machineCount = count() by subscriptionId, subscriptionName, resourceGroup

Count Machines by Status

Track the operational status distribution of your Azure Arc machines (Connected, Disconnected, Error).

Resource Graph - Count by Status
resources
| where type == "microsoft.hybridcompute/machines"
| extend machineStatus = tostring(properties.status)
| summarize machineCount = count() by machineStatus

Agent Version Inventory

List all Arc-enabled servers with their agent versions and connection status. Use this to identify servers running outdated agents.

Resource Graph - Agent Versions
resources
| where type == "microsoft.hybridcompute/machines"
| extend ["Server Name"] = toupper(name)
| extend ["Agent Version"] = properties.agentVersion
| extend ["Connection Status"] = properties.status
| project ["Server Name"], ["Agent Version"], ["Connection Status"]

About the Author

Kaido Järvemets

Microsoft MVP | Microsoft Hybrid-Cloud Security Expert

With over 15 years of experience in IT, cybersecurity, and Microsoft technologies, Kaido specializes in Microsoft Azure, Microsoft 365, and hybrid-cloud security solutions. As a Microsoft MVP since 2010, he has deep expertise in Configuration Manager, Enterprise Mobility, and Azure Hybrid & Security.

Kaido is a Microsoft Certified Trainer who has been traveling across Europe for the past 12 years, speaking at events including the Microsoft Management Summit and Midwest Management Summit. He founded User Group Estonia and System Center User Group Estonia, building strong communities of Microsoft technology professionals.

🎯 Specializations

Microsoft Security:
  • Microsoft Defender XDR
  • Microsoft Sentinel SIEM & SOAR
  • Microsoft Entra ID (Azure AD)
  • Microsoft Intune
Azure & Hybrid Cloud:
  • Azure Arc Services
  • Azure Log Analytics
  • Azure Automation
  • Hybrid Cloud Management

"I simplify the process and make each change meaningful. It's all about adopting modern solutions that replace archaic ones and make the workplace easier for everyone involved."