Creating Azure Resource Locks
In this tutorial, we will learn about creating and managing Azure resource locks.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users from deleting or modifying it. To do this, you set the lock level to CanNotDelete or ReadOnly. CanNotDelete means authorized users can still read and modify a resource, but they can’t delete it. ReadOnly means authorized users can read a resource, but they can’t delete or update it. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Applying locks
When you apply a lock to a parent scope, it applies to all resources within that scope. Furthermore, any resources you add subsequently will inherit the parent’s lock. Unlike role-based access control, you use management locks to apply a restriction to all users and roles.
Resource Manager locks apply only to operations that take place on the management plane, such as requests sent to https://management.azure.com. The locks don’t restrict how resources perform their own functions.
Considerations before applying locks
Locks can have unanticipated consequences, since some operations that don’t appear to change the resource nonetheless require actions that the lock blocks. The following are some examples of operations that locks hinder:
- Firstly, a read-only lock on a storage account prevents all users from listing the keys.
- Secondly, a read-only lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource, because that interaction requires write access.
- Thirdly, a read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine.
- Fourthly, a cannot-delete lock on a resource group prevents Azure Resource Manager from automatically deleting deployments in the history. Moreover, a cannot-delete lock on the resource group created by Azure Backup Service causes backups to fail.
Note that to create or delete management locks, you must have access to the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions.
Managed Applications and locks
Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case, one resource group is unlocked and gives an overview of the service, while the other resource group contains the infrastructure for the service and is locked.
When you try to delete the infrastructure resource group, you get an error message saying that it is locked. When you try to delete the lock on the infrastructure resource group, you get an error saying it can’t be done because the lock is held by a system application.
Portal
- Firstly, in the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.
- Secondly, to add a lock, select Add. However, if you want to create a lock at a parent level, then select the parent.
- Thirdly, give the lock a name and lock level.
- Lastly, for deleting the lock, select the ellipsis and Delete from the available options.
Template
When deploying a lock using a Resource Manager template, you use different values for the name and type depending on the lock’s scope.
Use the following formats when applying a lock to a resource:
name – {resourceName}/Microsoft.Authorization/{lockName}
type – {resourceProviderNamespace}/{resourceType}/providers/locks
Use the format below when applying a lock to a resource group or subscription:
name – {lockName}
type – Microsoft.Authorization/locks
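As an added example (not from the original page or from Microsoft’s documentation), the following Resource Manager template uses both formats above in one deployment: a CanNotDelete lock on an existing web app and a CanNotDelete lock on the resource group the template is deployed into. The site name examplesite and the lock names LockSite and LockGroup are assumed values, and the template is assumed to be deployed at resource group scope.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "siteName": {
      "type": "string",
      "defaultValue": "examplesite",
      "metadata": { "description": "Name of an existing web app in this resource group (assumed value)" }
    }
  },
  "resources": [
    {
      "comments": "Resource-scoped lock: name is {resourceName}/Microsoft.Authorization/{lockName}, type is {resourceProviderNamespace}/{resourceType}/providers/locks",
      "type": "Microsoft.Web/sites/providers/locks",
      "apiVersion": "2016-09-01",
      "name": "[concat(parameters('siteName'), '/Microsoft.Authorization/LockSite')]",
      "properties": {
        "level": "CanNotDelete",
        "notes": "The site can still be read and modified, but not deleted."
      }
    },
    {
      "comments": "Resource-group-scoped lock: name is just {lockName}, type is Microsoft.Authorization/locks; it applies to the group the template is deployed into and is inherited by resources added later",
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "LockGroup",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Resources in this group can still be modified, but not deleted."
      }
    }
  ]
}
```

Deploying this template requires the Microsoft.Authorization/locks/* actions mentioned earlier, so a principal with only Contributor rights on the group will get an authorization error rather than a lock.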
PowerShell
You lock deployed resources with Azure PowerShell by using the New-AzResourceLock command.
To lock a resource, provide the resource’s name, resource type, and resource group name.
Azure PowerShell
New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup
Provide the resource group’s name to lock the resource group.
Azure PowerShell
New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleresourcegroup
To get information about a lock, use Get-AzResourceLock. To get all the locks in your subscription, use:
Azure PowerShell
Get-AzResourceLock
To get all locks for a resource, use:
Azure PowerShell
Get-AzResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup
To get all locks for a resource group, use:
Azure PowerShell
Get-AzResourceLock -ResourceGroupName exampleresourcegroup
To delete a lock, first retrieve its lock ID and then pass it to Remove-AzResourceLock:
Azure PowerShell
$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite -ResourceType Microsoft.Web/sites).LockId
Remove-AzResourceLock -LockId $lockId
Reference: Microsoft Documentation