Azure Resource Locks
Last updated: August 1, 2024
Azure Resource Locks help prevent accidental deletion or modification of critical Azure resources. A lock can be applied at the subscription, resource group, or individual resource scope.
What are Resource Locks?
Resource locks are a management feature that helps to protect Azure resources from accidental deletion or modification. When a lock is applied to a resource, it restricts actions that can be performed on that resource. There are two types of locks:
- CanNotDelete: Authorized users can read and modify a resource, but they can't delete it.
- ReadOnly: Authorized users can read a resource, but they can't delete or update it. This is equivalent to restricting all authorized users to the permissions of an Azure Role-Based Access Control (RBAC) role that has only read permissions.
Scoping Resource Locks
Resource locks can be applied at different scopes. A lock applied at a parent scope is inherited by everything beneath it, so the wider the scope, the more resources the lock covers. For example, a lock applied to a resource group is inherited by all resources within that group.
- Subscription: Applies locks to all resource groups and resources within the subscription.
- Resource Group: Applies locks to the resource group and all resources within it.
- Resource: Applies locks to a specific resource.
Applying Resource Locks
You can apply resource locks using the Azure portal, Azure PowerShell, or Azure CLI.
Using the Azure Portal
1. Navigate to the resource, resource group, or subscription you want to lock.
2. In the left-hand menu, select Locks.
3. Click Add.
4. Enter a Name for the lock.
5. Select the Lock type (CanNotDelete or ReadOnly).
6. Optionally, add notes.
7. Click OK.
Using Azure CLI
To apply a ReadOnly lock to a resource group named MyResourceGroup:
az lock create --name MyLock --notes "Prevents accidental deletion" --lock-type ReadOnly --resource-group MyResourceGroup
To apply a CanNotDelete lock to a specific virtual machine named MyVM in MyResourceGroup:
az lock create --name NoDeleteVM --notes "Cannot delete VM" --lock-type CanNotDelete --resource-group MyResourceGroup --resource-name MyVM --resource-type Microsoft.Compute/virtualMachines
Using Azure PowerShell
To apply a ReadOnly lock to a resource group:
New-AzResourceLock -LockName "MyLock" -LockLevel ReadOnly -ResourceGroupName "MyResourceGroup" -LockNotes "Prevents accidental deletion"
To apply a CanNotDelete lock to a specific resource:
New-AzResourceLock -LockName "NoDeleteVM" -LockLevel CanNotDelete -ResourceName "MyVM" -ResourceType "Microsoft.Compute/virtualMachines" -ResourceGroupName "MyResourceGroup" -LockNotes "Cannot delete VM"
Managing Resource Locks
You can view, edit, and delete existing resource locks through the Azure portal or via scripting.
Viewing Locks
In the Azure portal, navigate to the scope where the lock is applied and select Locks. A list of all applied locks will be displayed.
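Outside the portal, `az lock list --output json` returns the same information as a JSON array, and the scope inheritance described above can be checked programmatically. The following added example (not part of this page or of the Azure CLI) parses a constructed sample of that output and reports the effective lock level for a set of resource IDs, assuming the documented behaviour that locks are inherited down the scope hierarchy and that ReadOnly is more restrictive than CanNotDelete; the subscription ID and resource names are placeholders.

```python
import json

# Restrictiveness order: ReadOnly overrides CanNotDelete when both are inherited.
RANK = {"CanNotDelete": 1, "ReadOnly": 2}
LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"


def lock_scope(lock_id):
    """Scope a lock protects: its resource ID minus the trailing lock segment (lowercased)."""
    lower = lock_id.lower()
    idx = lower.rfind(LOCK_SUFFIX)
    if idx < 0:
        raise ValueError(f"not a lock resource ID: {lock_id}")
    return lower[:idx]


def effective_lock(resource_id, locks):
    """Most restrictive lock covering resource_id, whether set on the subscription,
    the resource group, or the resource itself. Returns None if nothing applies."""
    rid = resource_id.lower()
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # Match whole path segments so /resourceGroups/prod does not cover /resourceGroups/prod2
        if rid == scope or rid.startswith(scope + "/"):
            if best is None or RANK[lock["level"]] > RANK[best]:
                best = lock["level"]
    return best


def find_unprotected(resource_ids, locks):
    """Resource IDs with neither a direct nor an inherited lock."""
    return [r for r in resource_ids if effective_lock(r, locks) is None]


# Constructed sample in the shape `az lock list --output json` returns (not real data).
SAMPLE_AZ_LOCK_LIST = """[
  {"id": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/MyResourceGroup/providers/Microsoft.Authorization/locks/MyLock",
   "level": "CanNotDelete", "name": "MyLock", "notes": "Prevents accidental deletion"},
  {"id": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVM/providers/Microsoft.Authorization/locks/FreezeVM",
   "level": "ReadOnly", "name": "FreezeVM", "notes": "Configuration frozen"}
]"""
SAMPLE_LOCKS = json.loads(SAMPLE_AZ_LOCK_LIST)
RG = "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/"
SAMPLE_RESOURCES = [  # constructed resource IDs to audit
    RG + "MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVM",
    RG + "MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorage",
    RG + "OtherGroup/providers/Microsoft.Compute/virtualMachines/DevVM",
]

if __name__ == "__main__":
    for rid in SAMPLE_RESOURCES:
        print(f"{effective_lock(rid, SAMPLE_LOCKS) or 'UNLOCKED':<13} {rid}")
```

In the sample, MyVM resolves to ReadOnly (its own lock outranks the inherited CanNotDelete), the storage account inherits CanNotDelete from the resource group, and DevVM in OtherGroup is reported as unlocked.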
Deleting Locks
To delete a lock in the Azure portal, select the lock from the list and click Delete.
To delete a lock using Azure CLI:
az lock delete --name MyLock --resource-group MyResourceGroup
To delete a lock using Azure PowerShell:
Remove-AzResourceLock -LockName "MyLock" -ResourceGroupName "MyResourceGroup"
Important Considerations
Resource locks are not a security feature. They are a management control to prevent accidental changes. Your permissions still determine what you can do.
Tip
It's a best practice to apply ReadOnly locks to production resource groups or subscriptions to prevent accidental deployments or deletions.
Common Use Cases
- Protecting production environments from accidental resource deletion.
- Ensuring critical infrastructure components remain operational.
- Preventing configuration drift in compliance-sensitive environments.
By effectively using Azure Resource Locks, you can significantly enhance the stability and reliability of your Azure deployments.
© Microsoft Corporation. All rights reserved.