As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.

Some operations, like List Keys for storage account access, require POST operations to the Azure Resource Manager, and all POST operations are prevented by a ReadOnly lock on a resource (e.g. storage account).

Locks only apply to control plane Azure operations and not to data plane operations.

To create or delete management locks, you need access to

To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Users assigned to the Owner and the User Access Administrator roles have the required access. Some specialized built-in roles also grant this access. You can create a custom role with the required permissions.