Creating Azure Resource Locks


In this tutorial, we will learn how to create and manage Azure resource locks.

As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users from deleting or modifying it. To do this, set the lock level to CanNotDelete or ReadOnly. CanNotDelete means authorized users can still read and modify a resource, but they can’t delete it. ReadOnly means authorized users can read a resource, but they can’t delete or update it. Applying a ReadOnly lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Applying locks

When you apply a lock to a parent scope, it applies to all resources within that scope. Furthermore, any resources you add subsequently will inherit the parent’s lock. Unlike role-based access control, you use management locks to apply a restriction to all users and roles.

Resource Manager locks, on the other hand, only apply to activities that take place on the management plane, such as those submitted to https://management.azure.com. The locks prevent resources from performing their own tasks.

Considerations before applying locks

Locks can have unanticipated consequences since certain procedures that don’t appear to affect the resource nonetheless need actions that the lock prevents. The following are some instances of procedures that are hindered by locks:

  • Firstly, a read-only lock on a storage account prevents all users from listing the keys. 
  • Secondly, a read-only lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.
  • Thirdly, a read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. 
  • Fourthly, a cannot-delete lock on a resource group prevents Azure Resource Manager from automatically deleting deployments in the history. Moreover, a cannot-delete lock on the resource group created by Azure Backup Service causes backups to fail. 
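
The cases above, combined with the inheritance rule from the Applying locks section, can be checked against an inventory before a lock is applied. The following PowerShell is an added example, not code from the original page or from Microsoft; the function name Find-LockSideEffect, the flat Level property and all sample IDs are constructed for illustration.

```powershell
# Added example. All input objects below are constructed so this runs offline.
$effects = @(   # lock level + resource type -> side effect from the list above
    @{ Level = 'ReadOnly'; Type = 'Microsoft.Storage/storageAccounts'; Effect = 'listing keys is blocked' }
    @{ Level = 'ReadOnly'; Type = 'Microsoft.Web/sites'; Effect = 'Server Explorer cannot display files' }
    @{ Level = 'ReadOnly'; Type = 'Microsoft.Compute/virtualMachines'; Effect = 'start and restart are blocked' }
)

function Find-LockSideEffect {   # hypothetical helper name
    param([object[]]$Locks, [object[]]$Resources)
    foreach ($lock in $Locks) {
        # The locked scope is the lock ID without its trailing locks segment.
        $scope = $lock.LockId -replace '/providers/Microsoft\.Authorization/locks/[^/]+$', ''
        if ($lock.Level -eq 'CanNotDelete' -and
            $scope -match '^/subscriptions/[^/]+/resourceGroups/[^/]+$') {
            [pscustomobject]@{ Lock = $lock.LockId; Target = $scope
                Effect = 'deployment history is not deleted automatically' }
        }
        foreach ($res in $Resources) {
            # A lock on a parent scope is inherited by every resource below it.
            $inScope = $res.ResourceId -ieq $scope -or
                $res.ResourceId.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase)
            if (-not $inScope) { continue }
            foreach ($e in $effects) {
                if ($e.Level -eq $lock.Level -and $e.Type -ieq $res.ResourceType) {
                    [pscustomobject]@{ Lock = $lock.LockId; Target = $res.ResourceId; Effect = $e.Effect }
                }
            }
        }
    }
}

# Constructed sample data (placeholder subscription ID, example names).
$rg = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/exampleresourcegroup'
$resources = @(
    [pscustomobject]@{ ResourceId = "$rg/providers/Microsoft.Web/sites/examplesite"
        ResourceType = 'Microsoft.Web/sites' }
    [pscustomobject]@{ ResourceId = "$rg/providers/Microsoft.Storage/storageAccounts/examplestorage"
        ResourceType = 'Microsoft.Storage/storageAccounts' }
)
$locks = @(
    [pscustomobject]@{ LockId = "$rg/providers/Microsoft.Authorization/locks/GroupReadOnly"; Level = 'ReadOnly' }
    [pscustomobject]@{ LockId = "$rg/providers/Microsoft.Authorization/locks/LockGroup"; Level = 'CanNotDelete' }
)
Find-LockSideEffect -Locks $locks -Resources $resources | Format-List
```

With the sample data, the read-only group lock is reported against both the site and the storage account, and the cannot-delete group lock is reported against the resource group itself.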

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions.


Managed Applications and locks

Some Azure services, such as Azure Databricks, are implemented as managed applications. Such a service has two resource groups. One resource group is unlocked and gives an overview of the service. The other resource group contains the infrastructure for the service and is locked.

When you try to remove the infrastructure resource group, however, you get an error message claiming that it is locked. When you try to delete the lock for the infrastructure resource group, you get an error that says it can’t be done since it’s held by a system application.

Portal

  • Firstly, in the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.
  • Secondly, to add a lock, select Add. However, if you want to create a lock at a parent level, then select the parent. 
  • Thirdly, give the lock a name and lock level. 
  • Lastly, to delete the lock, select the ellipsis and then Delete from the available options.

Template

When deploying a lock using a Resource Manager template, you use different values for the name and type depending on the lock’s scope.

Use the following formats when applying a lock to a resource: 

name – {resourceName}/Microsoft.Authorization/{lockName}

type – {resourceProviderNamespace}/{resourceType}/providers/locks

Use the format below when applying a lock to a resource group or subscription:

name – {lockName}

type – Microsoft.Authorization/locks
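
Filling in both formats for the example site and resource group used on this page produces the template printed by the script below. This PowerShell is an added example, not from the original page or from Microsoft's documentation; the function name New-LockTemplateResource is hypothetical, and the apiVersion value and the properties.level field are assumptions that the page does not state.

```powershell
# Added example: builds lock entries for a template's "resources" array.
function New-LockTemplateResource {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$LockName,
        [Parameter(Mandatory)][ValidateSet('CanNotDelete', 'ReadOnly')][string]$LockLevel,
        [string]$ResourceType,   # e.g. Microsoft.Web/sites; omit for group or subscription scope
        [string]$ResourceName
    )
    if ([bool]$ResourceType -ne [bool]$ResourceName) {
        throw 'Supply both -ResourceType and -ResourceName, or neither.'
    }
    if ($ResourceType) {
        # Resource scope: the name carries the resource, the type carries its provider.
        $name = "$ResourceName/Microsoft.Authorization/$LockName"
        $type = "$ResourceType/providers/locks"
    } else {
        # Resource group or subscription scope.
        $name = $LockName
        $type = 'Microsoft.Authorization/locks'
    }
    [ordered]@{
        type       = $type
        apiVersion = '2016-09-01'   # assumption: not stated on the page
        name       = $name
        properties = [ordered]@{ level = $LockLevel }   # assumption: field name
    }
}

$template = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        # Lock on an existing site in the target resource group.
        (New-LockTemplateResource -LockName LockSite -LockLevel CanNotDelete `
            -ResourceType Microsoft.Web/sites -ResourceName examplesite)
        # Lock on the resource group the template is deployed to.
        (New-LockTemplateResource -LockName LockGroup -LockLevel CanNotDelete)
    )
}
$template | ConvertTo-Json -Depth 5
```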

PowerShell

Using the New-AzResourceLock command in Azure PowerShell, you can lock deployed resources.

Provide the resource’s name, resource type, and resource group name when locking a resource.

Azure PowerShell

New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

Provide the resource group’s name to lock the resource group.

Azure PowerShell

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleresourcegroup

To get information about a lock, use Get-AzResourceLock. To get all the locks in your subscription, use:

Azure PowerShell

Get-AzResourceLock

To get all locks for a resource, use:

Azure PowerShell

Get-AzResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To get all locks for a resource group, use:

Azure PowerShell

Get-AzResourceLock -ResourceGroupName exampleresourcegroup

To delete a lock, use:

Azure PowerShell

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite -ResourceType Microsoft.Web/sites).LockId

Remove-AzResourceLock -LockId $lockId


Reference: Microsoft Documentation
