Open In App

Microsoft Azure - Create Pie Charts For Orphaned Resources using KQL

Last Updated : 07 Jun, 2025
Comments
Improve
Suggest changes
Like Article
Like
Report

When using Microsoft Azure, it is easy to end up with resources that are no longer needed, like a disk without a virtual machine or a public IP that is not being used. These are called orphaned resources, and while they might seem harmless, they can increase your cloud bills and make your setup messy. So, how can you find them quickly?

When working in Microsoft Azure, it is easy to end up with leftover resources you don’t need anymore, like a disk without a virtual machine or a public IP address that isn’t being used. These are called orphaned resources.

Even though they seem harmless, orphaned resources can increase your cloud bills, make your setup messy, harder to manage, and cause security risks if left unchecked

Let’s see how you can use KQL (Kusto Query Language) and Azure Workbooks to find and visualize these resources using simple pie charts.

What are Orphaned Resources?

In Azure, orphaned resources are components that are no longer actively used or associated with any running services but still exist within your environment. These resources can accumulate over time, leading to unnecessary costs and potential security risks.

Common Types of Orphaned Resources

Here are some typical examples:

  • Unattached Disks: When a virtual machine (VM) is deleted, its associated disks might not be removed automatically. These unattached disks continue to incur storage costs.
  • Unused Public IP Addresses: Reserved IP addresses that are not linked to any active resource still generate charges.
  • Network Security Groups (NSGs) Without Associations: NSGs not connected to any network interface or subnet serve no purpose but can complicate network configurations.
  • Idle App Service Plans: App Service Plans without any hosted applications still accrue costs.
  • Empty Resource Groups: Resource groups without any resources can clutter your Azure environment, making management more challenging.

What is KQL?

Kusto Query Language (KQL) is a read-only query language developed by Microsoft. It is designed to retrieve and analyze large volumes of data, particularly logs and telemetry data. KQL is optimized for fast data exploration and is used across various Azure services.

KQL is utilized in several Azure services, including:

  • Azure Resource Graph Explorer: To explore and manage Azure resources at scale.
  • Azure Log Analytics: For querying and analyzing log data collected from Azure resources.
  • Azure Monitor: To monitor applications and infrastructure by analyzing telemetry data.
  • Azure Data Explorer: For interactive analytics on large datasets.

These platforms provide interfaces where you can write and run KQL queries to gain insights into your data.

Create Pie Charts to Spot Orphaned Resources

You can use Azure Workbooks to write KQL queries and create pie charts to see how many orphaned resources you have.

Follow the below queries to implement the problem statement:

Note: You can use Workbooks to Save the Graph Queries and You can Pin to Dashboard for Analysis.

1. To get the Count of Azure Orphaned Disks by Subscription Category:

 KQL Azure Resource Graph Query:

Resources
| where type has "microsoft.compute/disks"
| extend diskState = tostring(properties.diskState)
| where  diskState == 'Unattached' or managedBy == ""
| extend SubscriptionName=case(subscriptionId =~ 'Add Subscription 1 Id here ', 'Add Subscription 1 Name Here', 
subscriptionId =~ 'Add Subscription 2 Id here ', 'Add Subscription 2 Name Here'
subscriptionId =~ 'Add Subscription 3 Id here ', 'Add Subscription 3 Name Here'
,subscriptionId) // You can in similar way to add more
| summarize count() by SubscriptionName

Output:

2. To get the Count of Azure Orphaned NICs by Subscription Category:

KQL Azure Resource Graph Query:

Resources
| where type has "microsoft.network/networkinterfaces" 
| where properties !has 'virtualmachine'
| extend SubscriptionName=case(subscriptionId =~ 'Add Subscription 1 Id here ', 'Add Subscription 1 Name Here', 
subscriptionId =~ 'Add Subscription 2 Id here ', 'Add Subscription 2 Name Here'
subscriptionId =~ 'Add Subscription 3 Id here ', 'Add Subscription 3 Name Here'
,subscriptionId) // You can in similar way to add more
| summarize count() by SubscriptionName

Output:

3. To get the Count of Azure Orphaned NSGs by Subscription Category:

KQL Azure Resource Graph Query:

Resources
| where type =~ 'microsoft.network/networksecuritygroups' 
and isnull(properties.networkInterfaces) 
and isnull(properties.subnets)
| extend SubscriptionName=case(subscriptionId =~ 'Add Subscription 1 Id here ', 'Add Subscription 1 Name Here', 
subscriptionId =~ 'Add Subscription 2 Id here ', 'Add Subscription 2 Name Here'
subscriptionId =~ 'Add Subscription 3 Id here ', 'Add Subscription 3 Name Here'
,subscriptionId) // You can in similar way to add more
| summarize count() by SubscriptionName

Output:

That's it!

Conclusion

Cleaning up unused resources in Azure can be really simple. By running a few KQL queries and using pie charts to see the results, you can easily find things like unused disks, IP addresses, or security groups. Removing these orphaned resources can save you money, make your Azure setup cleaner, and help you manage things better. It’s a quick way to keep your cloud tidy and cost-effective. Give it a try it’s easier than you think!


Next Article
Microsoft Azure - Patch Management Update Summary Status
author
jaysurya9
Improve
Article Tags :

Similar Reads

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox