This is an old revision of the document!
Resource Locks
As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.
-
- A read-only lock on a resource group prevents you from moving existing resources in or out of the resource group. But note that a resource (not a resource group) with read-only lock can be moved to another resource group.
☝️ Note
Some operations, like List Keys for storage account access, require POST operations to the Azure Resource Manager, and all POST operations are prevented by a ReadOnly lock on a resource (e.g. storage account). There are other operations that intuitively seem to be read operations that require a POST operation, therefore they would be prevented by a resource lock.
- A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).
Scope
Locks only apply to control plane Azure operations and not to data plane operations.
Permissions to Create and Delete
To create or delete management locks, you need access toMicrosoft.Authorization/*orMicrosoft.Authorization/locks/*actions. Users assigned to the Owner and the User Access Administrator roles have the required access. Some specialized built-in roles also grant this access. You can create a custom role with the required permissions.