Enabling/Disabling Azure Logic Apps Using PowerShell

Typically, whenever you plan to do any automation involving Microsoft Azure, your trusty tool to turn is to the Az PowerShell module and the various cmdlets it has available. Somewhere in this treasure trove, you will almost always find one or two cmdlets available that will allow you to achieve your particular requirement. As a general rule of thumb, any task that we can comfortably carry out within the portal will also be available to do via PowerShell. Well, at least that’s what I thought until recently…

To elaborate a bit further - we had a requirement, as part of an Azure DevOps release pipeline, to ensure that all Logic Apps (which, incidentally, were linked to an Integration Service Environment (ISE)) within a resource group could be disabled and then enabled again. The Logic Apps continuously inserted data into Microsoft Dataverse and during a solution deployment, the environment was, naturally, inaccessible; therefore, to ensure no failed Logic App runs, switching them off while the deployment ran became the most obvious solution for us to consider. Sounds straightforward, and surely there must be a PowerShell Cmdlet like Enable-AzLogicApps or Disable-AzLogicApps, right?

Well, I wouldn’t be blogging about it today if it was as straightforward as that. 😁 But yes, unfortunately, there is no simple way of doing this using an Az PowerShell module cmdlet, so we must instead turn to another option instead - the Azure REST API. Fortunately, via this route, we do have the option of both enabling and disabling our Logic Apps and, provided you are comfortable working with PowerShell, we can look to put together a script similar to the one below to achieve this requirement:

param(
    #subscriptionID: GUID representing the Azure subscription to connect to
    [Parameter(Mandatory=$true)]
    [String]$subscriptionID,
    #tenantID: GUID of the Azure Active Directory (AAD) tenant being connected to
    [Parameter(Mandatory=$true)]
    [String]$tenantID,
    #clientID: AAD Client ID for the subscription service principle
    [Parameter(Mandatory=$true)]
    [String]$clientID,
    #clientSecret: AAD Client Secret for the subscription service principle
    [Parameter(Mandatory=$true)]
    [String]$clientSecret,
    #resourceGroup: Indicate the resource group to target
    [Parameter(Mandatory=$true)]
    [String]$resourceGroup,
    #action: Indicate the desired action to perform against the Logic Apps
    [ValidateSet("enable","disable")]
    [Parameter(Mandatory=$true)]
    [String]$action
)

#Build and send the request to obtain a valid Access Token
$authParam = @{
    Uri = "https://login.microsoftonline.com/$tenantId/oauth2/token";
    Method = 'Post';
    Body = @{ 
        grant_type = 'client_credentials'; 
        resource = 'https://management.core.windows.net/'; 
        client_id = $clientID; 
        client_secret = $clientSecret
    }
}
$result = Invoke-RestMethod @authParam
$token = $result.access_token
Write-Host "Access Token generated successfully"

#Retrieve all Logic Apps within the current environment
Write-Host "Attempting to retrieve all Logic Apps in resource group $resourceGroup..."
$getLAsParam = @{
    Uri = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Logic/workflows?api-version=2016-06-01"
    ContentType = 'application/json'
    Method = 'GET'
    headers = @{
        authorization = "Bearer $token"
        host = 'management.azure.com'
    }
}
$laList = Invoke-RestMethod @getLAsParam

#Iterate through and perform the desired action against each logic app
Foreach ($la in $laList.value)
{
    $laName = $la | Select name
    $laNameVal = $laName.name
    $actionLabel1 = If ($action -eq "enable") {"Enabling"} Else {"Disabling"}
    $actionLabel2 = If ($action -eq "enable") {"enabled"} Else {"disabled"}
    Write-Host "$actionLabel1 Logic App with name $laNameVal..."
    
    $laActionParam = @{
    Uri = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Logic/workflows/$laNameVal/" + $action + "?api-version=2016-06-01"
    ContentType = 'application/json'
    Method = 'POST'
    headers = @{
        authorization = "Bearer $token"
        host = 'management.azure.com'
        }
    }

    $actionResult = Invoke-RestMethod @laActionParam
    Write-Host "Logic App $laNameVal $actionLabel2 successfully!"
}

Now, a couple of things to note with this script

You will need to set up an Application Registration with permission to access the subscription(s) in question, and from here, you can derive the clientID and clientSecret parameter values for the script to work.
The action parameter is the bit that controls what the script does - either enable or disable the Logic Apps. This provides the flexibility to run the PowerShell cmdlets as many times as you need within your pipeline.
The script will target every single Logic App within the resource group you specify. So watch out. 😉
I’m thankful for this great article that talks through how to work with the Azure REST API using PowerShell, and I’ve based portions of the above script on the examples shared here.

It is a little annoying that we have to author scripts like this to achieve what seems to be a relatively common type of action that we’d want to perform against our Logic Apps using PowerShell. Fortunately, the REST API proves to be our saviour and allows us to achieve the requirement while still leveraging the capabilities of PowerShell at the same time.