Resource Locks

As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.

Resource Lock Considerations
- A read-only lock on a resource group prevents you from moving existing resources in or out of the resource group. But note that a resource (not a resource group) with read-only lock can be moved to another resource group.
If you have a Delete lock on a resource and attempt to delete its resource group, the feature blocks the whole delete operation. Even if the resource group or other resources in the resource group are unlocked, the deletion doesn't happen. You never have a partial deletion.

☝️ Note

Some operations, like List Keys for storage account access, require POST operations to the Azure Resource Manager, and all POST operations are prevented by a ReadOnly lock on a resource (e.g. storage account). There are other operations that intuitively seem to be read operations that require a POST operation, therefore they would be prevented by a resource lock.

A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).

Scope

Locks only apply to control plane Azure operations and not to data plane operations.

Permissions to Create and Delete

To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Users assigned to the Owner and the User Access Administrator roles have the required access. Some specialized built-in roles also grant this access. You can create a custom role with the required permissions.

Table of Contents

Resource Locks

☝️ Note

Scope

Permissions to Create and Delete