azure:resource_locks

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		 Previous revision
azure:resource_locks [2024/08/26 19:58] – created mmuzeazure:resource_locks [2024/10/03 14:27] (current) – [Resource Locks] mmuze
Line 2: Line 2:
 > As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. > As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.
  
 +  * [[https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#considerations-before-applying-your-locks|Resource Lock Considerations]]
 +      * A read-only lock on a resource group prevents you from moving existing resources in or out of the resource group. But note that a resource (not a resource group) with read-only lock can be moved to another resource group.
 +  * If you have a Delete lock on a resource and attempt to delete its resource group, the feature blocks the whole delete operation. Even if the resource group or other resources in the resource group are unlocked, the deletion doesn't happen. You never have a partial deletion.
 +
 +<callout type="info">
 +===== ☝️ Note =====
 +Some operations, like //List Keys// for storage account access, require //POST// operations to the Azure Resource Manager, and all POST operations are prevented by a //ReadOnly// lock on a resource (e.g. storage account). There are other operations that intuitively seem to be read operations that require a //POST// operation, therefore they would be prevented by a resource lock.
 +  * A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).
 +</callout>
 +
 +
 +
 +===== Scope =====
 +> Locks only apply to control plane Azure operations and not to data plane operations.
 +
 +====== Permissions to Create and Delete ======
 +> To create or delete management locks, you need access to ''%%Microsoft.Authorization/*%%'' or ''%%Microsoft.Authorization/locks/*%%'' actions. Users assigned to the **Owner** and the **User Access Administrator** roles have the required access. Some specialized built-in roles also grant this access. You can create a custom role with the required permissions.
  • azure/resource_locks.1724702288.txt.gz
  • Last modified: 2024/08/26 19:58
  • by mmuze