Microsoft Azure: Prevent Accidental Deletion by Locking Resources

Azure role-based access control (RBAC) restricts access to resources and management features. It is an important feature, but it can’t be used to quickly prevent all users from accidentally deleting a resource. There may be times when you want to protect a resource from accidental deletion, or prevent unwanted changes, even when users have high-level access to the resource.

For more information on Microsoft Azure, see What is Microsoft Azure? on the Petri IT Knowledgebase.

Azure Locks

Locks come in two forms, Read-only and Delete. They can only be created or deleted by users who are assigned the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions, which includes the Owner and User Access Administrator roles.

  • Read-only: No changes can be made to a resource.
  • Delete: Resource cannot be deleted.

Applying read-only locks should be done with care as they can have unpredictable results. For example, some resource types, such as storage accounts, require that users can write to them under normal operating circumstances. Locks can be applied to resource groups, and any child objects automatically inherit the lock from the parent. Additionally, the most restrictive lock always takes precedence.
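The inheritance and precedence rules above can be checked against an inventory of locks. The following is an added example, not code from the original article: it computes the effective lock for a resource ID from records shaped like `az lock list -o json` output (the `id` and `level` fields are assumed), and the same logic also covers locks set at subscription scope. The subscription ID, resource names and lock names are constructed placeholders; `CanNotDelete` and `ReadOnly` are the API names for the portal's Delete and Read-only lock types.

```python
# Added example: effective-lock evaluation over constructed sample data.
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher value = more restrictive

def lock_scope(lock_id):
    """Scope a lock applies to: its ID with the trailing lock segment removed."""
    idx = lock_id.lower().rfind(LOCK_SEGMENT)
    if idx < 0:
        raise ValueError(f"not a management lock ID: {lock_id}")
    return lock_id[:idx].lower()  # Azure resource IDs are case-insensitive

def effective_lock(resource_id, locks):
    """Most restrictive lock level that applies to resource_id, or None."""
    rid = resource_id.lower().rstrip("/")
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # A lock covers its own scope and every child beneath it. The "/" guard
        # stops rg-prod from matching a sibling group such as rg-prod2.
        if rid == scope or rid.startswith(scope + "/"):
            if best is None or RANK[lock["level"]] > RANK[best]:
                best = lock["level"]
    return best

def unprotected(resource_ids, locks):
    """Resources with no lock at any scope, i.e. deletable by anyone RBAC allows."""
    return [r for r in resource_ids if effective_lock(r, locks) is None]

# Constructed sample inventory (placeholder subscription and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/stprod01"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-app01"
OTHER = SUB + "/resourceGroups/rg-prod2/providers/Microsoft.Compute/virtualMachines/vm-test"
LOCKS = [
    {"name": "no-delete-rg", "level": "CanNotDelete",
     "id": RG + "/providers/Microsoft.Authorization/locks/no-delete-rg"},
    {"name": "freeze-vm", "level": "ReadOnly",
     "id": VM + "/providers/Microsoft.Authorization/locks/freeze-vm"},
]

if __name__ == "__main__":
    for rid in (SA, VM, OTHER):
        print(rid.rsplit("/", 1)[-1], "->", effective_lock(rid, LOCKS))
    print("unprotected:", unprotected([SA, VM, OTHER], LOCKS))
```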

Apply Locks to Resources

To complete the instructions below, you’ll need to have Owner or User Access Administrator access to an Azure subscription.

  • Log in to the Azure management portal with your Microsoft account, or your work or school account.
  • In the list of options on the left of the portal window, click All resources.
  • In the list of resources, click the resource you want to apply a lock to.

Alternatively, you can select Resource groups, select a resource group, and apply a lock to it. Remember that any child objects will inherit the lock applied to the resource group.

Add a management lock to a resource in Azure (Image Credit: Russell Smith)
  • In the resource panel under Settings, click Locks.
  • In the Locks pane, click + Add.
  • Give the lock a name, and then select Read-only or Delete from the Lock type menu.
  • Optionally, give the lock a description in the Notes field.
  • To complete the process, click OK.

The new lock will now appear in the list.

Add a management lock to a resource in Azure (Image Credit: Russell Smith)

To see all the locks in your subscription, click Subscription at the top of the Locks pane. You can also see all the locks associated with a resource group by clicking Resource group at the top of the Locks pane. To delete a lock, right-click the three dots (…) to the right of the lock and select Delete from the menu.
