Azure Resource Lock



Intro

Prevent resources from being modified/deleted


Documentation



Tips and Tidbits

  • As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

  • The lock overrides any permissions the user might have.

  • You can set the lock level to CanNotDelete or ReadOnly.

    • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.

    • ReadOnly means authorized users can read a resource, but they can't delete or update the resource.

      • Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

  • Unlike role-based access control, you use management locks to apply a restriction across all users and roles.

  • When you apply a lock at a parent scope, all resources within that scope inherit the same lock.

    • Even resources you add later inherit the lock from the parent.

    • The most restrictive lock in the inheritance takes precedence.

  • A ReadOnly lock prevents any operation that requires a POST request to the Azure Resource Manager API, so some operations that look like reads can fail under it.

  • A cannot-delete lock on a storage account doesn't prevent data within that account from being deleted or modified.

    • This type of lock only protects the storage account itself from being deleted.
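The inheritance rules above (parent-scope locks cover every child, most restrictive lock wins) are easy to get wrong when auditing which resources are actually protected. The following is an added example, not code from the page or from Microsoft: it takes a lock list shaped like the parsed output of `az lock list -o json` (the subscription id, resource names and lock names are constructed) and reports the effective lock on each resource, plus the resources that inherit no lock at all.

```python
"""Effective-lock audit for Azure resources (added example, not from the page).

Input is shaped like the parsed output of `az lock list -o json`; the sample
is constructed. Rules from the notes: a lock at a parent scope covers every
child scope, and the most restrictive level (ReadOnly > CanNotDelete) wins.
"""

SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"  # constructed id
LOCK_SUFFIX = "/providers/Microsoft.Authorization/locks/"
LEVEL_RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive

# Constructed sample: CanNotDelete on the resource group, ReadOnly on one vault.
SAMPLE_LOCKS = [
    {"name": "rg-lock", "level": "CanNotDelete",
     "id": f"{SUB}/resourceGroups/prod-rg{LOCK_SUFFIX}rg-lock"},
    {"name": "kv-ro", "level": "ReadOnly",
     "id": f"{SUB}/resourceGroups/prod-rg/providers/Microsoft.KeyVault"
           f"/vaults/prod-kv{LOCK_SUFFIX}kv-ro"},
]


def lock_scope(lock_id):
    """Scope a lock applies to: its id with the trailing lock segment removed."""
    return lock_id.split(LOCK_SUFFIX, 1)[0]


def effective_lock(resource_id, locks):
    """Most restrictive lock inherited by resource_id, or None if unlocked.

    ARM ids are case-insensitive, so compare lower-cased. A lock applies
    when its scope equals the resource id or is a path ancestor of it
    (matching on a "/" boundary so "prod-rg" does not cover "prod-rg2").
    """
    target = resource_id.lower()
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"]).lower()
        if target == scope or target.startswith(scope + "/"):
            if best is None or LEVEL_RANK[lock["level"]] > LEVEL_RANK[best]:
                best = lock["level"]
    return best


def unprotected(resource_ids, locks):
    """Resources inheriting no lock at all: candidates for a CanNotDelete lock."""
    return [r for r in resource_ids if effective_lock(r, locks) is None]
```

Call `effective_lock(resource_id, SAMPLE_LOCKS)` for a single resource, or `unprotected(ids, SAMPLE_LOCKS)` over an inventory to list what still lacks deletion protection.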