Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Microsoft Azure: Prevent Accidental Deletion by Locking Resources

Azure has role-based access control (RBAC) to restrict access to resources and management features, and while an important feature, it can’t be used to quickly prevent all users from accidentally deleting a resource. There may be times when you want to protect a resource from accidental deletion, or prevent unwanted changes, even when users have high-level access to the resource.

For more information on Microsoft Azure, see What is Microsoft Azure? on the Petri IT Knowledgebase.

Azure Locks

Locks come in two forms: Read-only and Delete; and can only be created or deleted by users that are assigned Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions, and this includes the Owner and User Access Administrator roles.

Read-only: No changes can be made to a resource.
Delete: Resource cannot be deleted.

Applying read-only locks should be done with care as they can have unpredictable results. For example, some resource types, such as storage accounts, require that users can write to them under normal operating circumstances. Locks can be applied to resource groups, and any child objects automatically inherit the lock from the parent. Additionally, the most restrictive lock always takes precedence.

Apply Locks to Resources

To complete the instructions below, you’ll need to have Owner or User Access Administrator access to an Azure subscription.

Log in to the Azure management portal here with your Microsoft, or work or school account.
In the list of options on the left of the portal window, click All resources.
In the list of resources, click the resource you want to apply a lock to.

Alternatively, you can select Resource groups, select a resource group, and apply a lock to it. Not forgetting that any child objects will inherit the lock applied to the resource group.

Add a management lock to a resource in Azure (Image Credit: Russell Smith)

In the resource panel under Settings, click Locks.
In the Locks pane, click + Add.
Give the lock a name, and then select Read-only or Delete from the Lock type menu.
Optionally, give the lock a description in the Notes field.
To complete the process, click OK.

The new lock will now appear in the list.

To see all the locks in your subscription, click Subscription at the top of the Locks pane. You can also see all the locks associated with a resource group by clicking Resource group at the top of the locks pane. To delete a lock, right click the three dots (…) to the right of the lock and select Delete from the menu.

by Russell Smith
Sep 20, 2016

Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years' experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early...

Streamlining SaaS Governance: How Nudge Security Simplifies Compliance and Security Management for Cloud Apps

Oct 30, 2023
Nov 03, 2023
The Dirty Truth About IT Offboarding Automation

Jul 21, 2023
Aug 25, 2023
What is Azure Data Studio?

Aug 14, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.