Resource Locks
As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.
- A read-only lock on a resource group prevents you from moving existing resources in or out of the resource group. Note, however, that a resource with a read-only lock can be moved to another resource group.
☝️ Note
Some operations, such as List Keys for storage account access, require POST operations to Azure Resource Manager, and a ReadOnly lock on a resource (e.g. a storage account) prevents all POST operations. Other operations that intuitively seem to be read operations also require a POST, so a resource lock prevents them as well.
Scope
Locks only apply to control plane Azure operations and not to data plane operations.
Permissions to Create and Delete
To create or delete management locks, you need access to `Microsoft.Authorization/*` or `Microsoft.Authorization/locks/*` actions. Users assigned to the Owner and the User Access Administrator roles have the required access. Some specialized built-in roles also grant this access. You can create a custom role with the required permissions.
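To audit which roles can actually create or remove locks, the check below evaluates each role definition's actions minus its notActions against the lock write and delete operations. It is an added example, not code from the original page; the role definitions are constructed, abbreviated samples, and the dictionary layout (`roleName`, `permissions`, `actions`, `notActions`) is an assumption about how the definitions were exported.

```python
import re

# Control-plane operations needed to create and to delete a management lock.
LOCK_OPS = ("Microsoft.Authorization/locks/write",
            "Microsoft.Authorization/locks/delete")

def action_matches(pattern, operation):
    """Match an RBAC action pattern ('*' wildcard, case-insensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def lock_access(role):
    """Return the lock operations this role definition grants."""
    granted = []
    for op in LOCK_OPS:
        for perm in role.get("permissions", []):
            allowed = any(action_matches(p, op) for p in perm.get("actions", []))
            denied = any(action_matches(p, op) for p in perm.get("notActions", []))
            if allowed and not denied:
                granted.append(op)
                break
    return granted

# Constructed, abbreviated role definitions (not real exports).
SAMPLE_ROLES = [
    {"roleName": "Owner", "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Contributor", "permissions": [{"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]}]},
    {"roleName": "User Access Administrator", "permissions": [{"actions": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], "notActions": []}]},
    {"roleName": "Lock Operator (hypothetical custom role)", "permissions": [
        {"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}]},
    {"roleName": "Lock Reader (hypothetical custom role)", "permissions": [
        {"actions": ["Microsoft.Authorization/locks/read"], "notActions": []}]},
]

def roles_that_can_manage_locks(roles):
    """Names of roles that can create or delete locks."""
    return [r["roleName"] for r in roles if lock_access(r)]

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(f'{role["roleName"]}: {lock_access(role) or "no lock write/delete"}')
```

In the sample data the Contributor entry has a `*` action but still cannot manage locks, because its notActions subtract the `Microsoft.Authorization` write and delete operations.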