Azure Resource Lock
Intro
Prevent resources from being modified/deleted
Documentation
Tips and Tidbits
As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
The lock overrides any permissions the user might have.
You can set the lock level to CanNotDelete or ReadOnly.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource.
Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Unlike role-based access control, you use management locks to apply a restriction across all users and roles.
When you apply a lock at a parent scope, all resources within that scope inherit the same lock.
Even resources you add later inherit the lock from the parent.
The most restrictive lock in the inheritance takes precedence.
Locks will prevent any operations that require a POST request to the Azure Resource Manager API.
A cannot-delete lock on a storage account doesn't prevent data within that account from being deleted or modified.
This type of lock only protects the storage account itself from being deleted.
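
The inheritance and precedence rules above can be checked against a lock inventory when auditing which resources are actually protected. The Python below is an added example, not Azure's or this page's own code; the scope IDs, lock placements and the helper names (in_scope, effective_lock, is_allowed) are constructed for illustration.

```python
# Added example: models the lock rules described on this page.
# All scope IDs and lock placements below are constructed sample data.
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive

RG = "/subscriptions/sub-a/resourceGroups/"
LOCKS = {  # scope -> lock applied directly at that scope
    RG + "rg-prod": "CanNotDelete",
    RG + "rg-prod/providers/Microsoft.Sql/servers/sql1": "ReadOnly",
    RG + "rg-audit": "ReadOnly",
    RG + "rg-audit/providers/Microsoft.Storage/storageAccounts/logs1": "CanNotDelete",
}

def in_scope(resource_id, scope):
    """True if resource_id is the scope itself or sits beneath it."""
    r, s = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    # Compare on a path boundary so rg-prod does not match rg-prod2.
    return r == s or r.startswith(s + "/")

def effective_lock(resource_id, locks=LOCKS):
    """Most restrictive lock among the resource and all of its parent scopes."""
    levels = [lvl for scope, lvl in locks.items() if in_scope(resource_id, scope)]
    return max(levels, key=RANK.__getitem__, default=None)

def is_allowed(resource_id, action, locks=LOCKS, data_plane=False):
    """action is 'read', 'update' or 'delete', for a user whose role permits it."""
    if data_plane:
        # Data inside a resource (e.g. blobs in a storage account) is not
        # protected by a lock on the resource itself.
        return True
    level = effective_lock(resource_id, locks)
    if level == "ReadOnly":
        return action == "read"
    if level == "CanNotDelete":
        return action != "delete"
    return True

if __name__ == "__main__":
    for rid in (RG + "rg-prod/providers/Microsoft.Compute/virtualMachines/vm-new",
                RG + "rg-audit/providers/Microsoft.Storage/storageAccounts/logs1",
                RG + "rg-prod2/providers/Microsoft.Compute/virtualMachines/vm1"):
        print(rid.rsplit("/", 1)[-1], effective_lock(rid),
              {a: is_allowed(rid, a) for a in ("read", "update", "delete")})
```

The rg-prod2 case returns no lock at all, which is the kind of gap an audit of lock coverage is meant to surface.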