Resource locks

Natasha Ong

In a nutshell:

A resource lock prevents resources from being accidentally deleted or changed.
There are two types of resource locks - a Delete lock, and a ReadOnly lock.

What are resource locks?

Even with Azure role-based access control (Azure RBAC) policies in place, there's still a risk that people with the right level of access could delete critical cloud resources.

Resource locks prevent resources from being deleted or updated.

Resource locks can be applied to individual resources, resource groups, or even an entire subscription. Resource locks are inherited, meaning that if you place a resource lock on a resource group, all of the resources within the resource group will also have the resource lock applied.

Types of resource locks

There are two types of resource locks:

  1. A Delete lock prevents users from deleting a resource. Authorised users can still read or update the resource.
  2. A Read-only lock prevents users from deleting OR updating a resource. Authorised users can only read the resource.

     Tip: Applying this lock is similar to restricting all authorised users to the permissions granted by the Reader role. As a refresher, the Reader role can view resources and configurations but can't make any changes. This role is typically for someone who needs to see what's happening but not modify anything.
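
To make the inheritance rule and the two lock types concrete, here is an added example (not part of the original article) that works out which lock effectively applies to each resource. The lock and resource IDs are constructed placeholders, and the `id`/`level` fields are assumed to follow the shape of `az lock list -o json` output, where the Delete lock is named `CanNotDelete`.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
LOCK_MARKER = "/providers/microsoft.authorization/locks/"

# Constructed sample; "id" and "level" follow the shape of `az lock list -o json`.
# CanNotDelete is the CLI/API name for the Delete lock.
LOCKS = [
    {"level": "CanNotDelete",  # lock on the whole resource group
     "id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/no-delete"},
    {"level": "ReadOnly",      # lock on a single storage account
     "id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stlogs"
                 "/providers/Microsoft.Authorization/locks/logs-ro"},
]
RESOURCES = [  # constructed resource ids
    SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stlogs",
    SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1",
    SUB + "/resourceGroups/rg-prod2/providers/Microsoft.Storage/storageAccounts/stscratch",
]

def lock_scope(lock_id):
    """Scope a lock is attached to: its id minus the trailing lock segment."""
    cut = lock_id.lower().rfind(LOCK_MARKER)
    if cut < 0:
        raise ValueError(f"not a lock id: {lock_id}")
    return lock_id[:cut].lower()

def effective_lock(resource_id, locks):
    """Most restrictive lock set on the resource or inherited from a parent scope."""
    rid = resource_id.lower().rstrip("/")
    levels = set()
    for lock in locks:
        scope = lock_scope(lock["id"])
        # The "/" boundary stops rg-prod from matching rg-prod2.
        if rid == scope or rid.startswith(scope + "/"):
            levels.add(lock["level"])
    for level in ("ReadOnly", "CanNotDelete"):  # most restrictive first
        if level in levels:
            return level
    return None

def blocked_operations(level):
    """Operations the lock blocks, per the two lock types described above."""
    return {"ReadOnly": {"delete", "update"}, "CanNotDelete": {"delete"}}.get(level, set())

def audit(resources, locks):
    """Map each resource id to its effective lock level (None = unprotected)."""
    return {rid: effective_lock(rid, locks) for rid in resources}

if __name__ == "__main__":
    for rid, level in audit(RESOURCES, LOCKS).items():
        print(rid.rsplit("/", 1)[-1], level, sorted(blocked_operations(level)))
```

Resources that map to `None` inherit no lock from any scope and are the ones to review first.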

Here's what it looks like when you try to add a lock:

How do I manage resource locks?

You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager (ARM) template.

To view, add, or delete locks in the Azure portal, go to the Settings section of any resource's left-hand panel and select the Locks option.

A screenshot showing the resource lock control, under settings, for a storage account.

How do I delete or change a locked resource?

Resource locks help prevent accidental changes, but you can still get around them by following a two-step process.

To update or delete a locked resource, you must first remove the lock. After you remove the lock, you can apply any action you have permissions to perform.

Some final things to note:

  • Resource locks apply regardless of RBAC permissions.
  • Even if you're an owner of the resource, you must still remove the lock before you can perform the blocked activity.