What does ACTION mean in Azure Activity Log

1 min readNov 29, 2023

Azure Activity log captures events that have occurred.

Here’s a sample event of NetworkSecurityGroup change: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#sample-event

To capture what happened, an important field to look into is operationName . It usually ends with “write”, “delete” or “action”.

It is easy to assume “action” means “read”. But NO.



This event means someone has listed the access keys or Kerberos keys for the specified storage account.

This is a read action.


Based on the doc below, this action “deletes a managed cluster”. I wonder if the doc needs an update because it reads like “restarts a virtual machine” to me. But in either way, this is definitely not a read action.

I wonder how I could distinguish between read and non read actions. One idea is probably to extract the 2nd last word (the word before “/ACTION”) and anything that starts with ‘READ’ or ‘LIST’ will be classified as read actions.

But ‘listKeys’ is not a read action though it sounds like one. In Storage Accounts ‘listKeys’ is actually a POST request: https://learn.microsoft.com/en-us/rest/api/storagerp/storage-accounts/list-keys?view=rest-storagerp-2023-01-01&tabs=HTTP