Learn using Resource Locks
As an administrator, you may need to lock a subscription, resource group, or individual resource. Resource locks prevent other users in your organization from accidentally deleting or modifying critical resources. The lock level can be set to either CanNotDelete or ReadOnly.
- CanNotDelete – Authorized users can still read and modify the resource, but they can't delete it.
- ReadOnly – Authorized users can read the resource, but they can't delete or update it. Applying this lock restricts all authorized users to the permissions granted by the Reader role.
Process of Applying Resource Locks
When we apply a lock at a parent scope, all resources within that scope inherit the same lock. Resources added later also inherit the lock from the parent. Where several locks apply, the most restrictive lock in the inheritance chain takes precedence.
Management locks apply a restriction across all users and roles, not to a particular user or role. Resource Manager locks apply only to operations in the management plane, that is, operations sent to https://management.azure.com.
Resource locks do not restrict how the resource itself functions: changes to the resource are restricted, but the operations the resource performs are not. Data transactions, for example, are still permitted because those operations are not sent to https://management.azure.com.
Features of Resource Lock
- A read-only lock on a storage account prevents all users from listing the keys.
- A read-only lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource, because that interaction requires write access.
- A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. These operations require a POST request.
- A cannot-delete lock on a resource group prevents Azure Resource Manager from automatically deleting deployments in the history.
- A cannot-delete lock on the resource group created by Azure Backup Service causes backups to fail.
- A read-only lock on a subscription prevents Azure Advisor from working correctly.
Prerequisites to Create or Delete Locks
To create or delete management locks, you must have access to one of the following actions:
- Microsoft.Authorization/* or
- Microsoft.Authorization/locks/* actions.
Of the built-in roles, only Owner and User Access Administrator are granted those actions.
Steps to apply Resource Locks (Portal)
- In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.
- To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently selected resource inherits the lock from the parent.
- Give the lock a name and lock level. Optionally, you can add notes that describe the lock.
- To delete the lock, select the ellipsis and Delete from the available options.
Resource Locks Templates
When using a Resource Manager template to deploy a lock, the values for name and type depend on the scope of the lock. When applying a lock to a resource, use the following formats:
- name – {resourceName}/Microsoft.Authorization/{lockName}
- type – {resourceProviderNamespace}/{resourceType}/providers/locks
When applying a lock to a resource group or subscription, use these formats instead:
- name – {lockName}
- type – Microsoft.Authorization/locks
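The two naming formats above, shown side by side in one deployable template. This is an added example written for this page, not a template from the Microsoft documentation it summarizes: the storage account, the parameter name storageAccountName, and the lock names storage-readonly and rg-cannot-delete are assumed for illustration. It is deployed at resource group scope, so the second lock applies to the resource group itself while the first applies to the storage account only.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Assumed example storage account to lock; the name must be globally unique."
      }
    }
  },
  "resources": [
    {
      "comments": "Example resource protected by the resource-scoped lock below (assumed for illustration).",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2"
    },
    {
      "comments": "Resource-scoped lock. name = {resourceName}/Microsoft.Authorization/{lockName}; type = {resourceProviderNamespace}/{resourceType}/providers/locks. The lock name 'storage-readonly' is assumed.",
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2016-09-01",
      "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/storage-readonly')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "properties": {
        "level": "ReadOnly",
        "notes": "Freezes the storage account configuration. Remove the lock before a planned change."
      }
    },
    {
      "comments": "Resource-group-scoped lock. name = {lockName}; type = Microsoft.Authorization/locks. The lock name 'rg-cannot-delete' is assumed.",
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "rg-cannot-delete",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Protects the resource group and everything in it from accidental deletion."
      }
    }
  ]
}
```

Two things to check before deploying something like this. First, the account running the deployment needs the Microsoft.Authorization/locks/* actions, so in practice an Owner or User Access Administrator. Second, the storage account inherits the resource group's CanNotDelete lock and also carries its own ReadOnly lock; the most restrictive wins, so users can no longer list the account keys (see the read-only storage caveat above) and any later deployment that changes the account fails until the ReadOnly lock is removed.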
Reference: Microsoft Documentation