Management locks help you prevent accidental deletion or modification of your Azure resources. You can manage these locks from the Azure Portal, ARM templates, PowerShell, the Azure CLI, or the REST API. To view, add, or delete locks in the portal, go to the Locks section of any resource’s settings blade. In the Azure Portal, the two lock types described below are called Delete and Read-Only, respectively.
There are two possible types of locks on a resource:
- CanNotDelete – This means authorized users can still read and modify a resource, but they can’t delete the resource.
- ReadOnly – This means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
When a lock is applied at a parent scope, all resources within that scope inherit the same lock, including any resources you add to that parent later on. Resource locks do not restrict how a particular resource functions; they restrict only changes to the resource. When more than one lock applies to a resource, the most restrictive lock takes precedence.
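The inheritance and precedence rules above, worked through as an added Python example (not from the original post): it computes the effective lock for each resource from a list of lock records. The subscription ID, resource names and lock names are constructed, and the `id`/`name`/`level` record shape is assumed to match `az lock list -o json` output.

```python
# Added example: effective lock per resource from inherited management locks.
LOCK_MARKER = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
# Constructed sample keeping only the id/name/level fields of lock records
# (assumed to match the shape of `az lock list -o json` output).
SAMPLE_LOCKS = [
    {"name": "rg-no-delete", "level": "CanNotDelete",
     "id": SUB + "/resourcegroups/rg-prod/providers/Microsoft.Authorization/locks/rg-no-delete"},
    {"name": "freeze-audit-logs", "level": "ReadOnly",
     "id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/auditlogs"
           "/providers/Microsoft.Authorization/locks/freeze-audit-logs"},
]
SAMPLE_RESOURCES = [
    SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/auditlogs",
    SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01",
    SUB + "/resourceGroups/rg-prod2/providers/Microsoft.Compute/virtualMachines/test01",
]

def lock_scope(lock_id):
    """Scope the lock is applied at: the part of its ID before the lock marker."""
    scope, marker, _ = lock_id.lower().rpartition(LOCK_MARKER)
    if not marker:
        raise ValueError(f"not a management lock ID: {lock_id}")
    return scope

def effective_lock(resource_id, locks):
    """Return (level, lock names) in force on resource_id, or (None, [])."""
    rid = resource_id.lower().rstrip("/")  # Azure resource IDs are case-insensitive
    hits = []
    for lock in locks:
        scope = lock_scope(lock["id"])
        # Match on a path-segment boundary so rg-prod does not cover rg-prod2.
        if rid == scope or rid.startswith(scope + "/"):
            hits.append(lock)
    if not hits:
        return None, []
    # The most restrictive of the direct and inherited locks wins.
    level = max((l["level"] for l in hits), key=RANK.__getitem__)
    return level, sorted(l["name"] for l in hits)

if __name__ == "__main__":
    for rid in SAMPLE_RESOURCES:
        level, names = effective_lock(rid, SAMPLE_LOCKS)
        print(f"{level or 'UNLOCKED':<13}{rid.rsplit('/', 1)[-1]:<12}{', '.join(names)}")
```

Resources reported as UNLOCKED are the ones a single mistaken delete can still remove.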
Creating a Lock using the Portal
1. In the portal, go to the resource you want to lock. In this case it’s a Resource Group, but it could be any Resource, Resource Group, or Subscription. Then click on the Lock option under the Settings section.
2. To add a lock, click on the Add button.
3. Give your lock a name, choose the type of lock (Delete or Read-Only), and then click on the OK button.
Your resources are now locked. If you try to delete a resource that is locked, you will see a warning and the resource is not deleted.
Unlocking a Resource
To unlock the resource, click on the ellipsis (…) button and then click on the Delete option.
Using resource locks is a must: it prevents the “oops…I deleted the wrong resource” situation that leads to accidental, hard-to-recover-from downtime.