Azure: Locking Resources

Azure lets you lock your resources so they cannot be deleted without first removing the lock. Only an owner or administrator in your account can create or remove a lock. It overrides a user's permissions so that they cannot accidentally delete or remove a resource. These locks sit outside Role Based Access Control (RBAC): once a lock is set, it applies to all users, administrators included.

In addition, if someone attempts to delete a "locked" resource via PowerShell, the delete is stopped with an error stating that there is a lock on it.

Furthermore, if you are using template deployments and a team member changes the deployment mode from "Incremental" to "Complete", the CI/CD pipeline in Azure DevOps will fail to deploy, since Complete mode has to delete the locked resource and cannot.

Finally, this could help in a hack against your Azure Subscription in the event that a hacker does NOT get into an Admin account but instead gets into a lesser account. The lesser account should not have the permission needed to remove the lock, thus preventing the hacker from deleting resources and really screwing with your day.

Locking a Resource

It seems that almost every resource can be locked. Under the resource, there is a menu item for "Locks", and you can add a lock by clicking Add. Note that you can also apply these locks at the resource group (parent) level, in which case the lock applies to every resource in that group.

The “Delete” Lock type actually stands for “DoNotDelete”.
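The same locks can be applied from the Az PowerShell module, which is handy when you want to lock many resource groups consistently and then audit for any that were missed. The script below is an added example, not code from the original post; it assumes the Az.Resources module is installed and that Connect-AzAccount has already run, and the resource group and resource names are constructed placeholders. Note that the Az cmdlets and the ARM API spell the portal's "Delete" lock level as `CanNotDelete`.

```powershell
# Added example (not from the original post): apply "Delete" locks with the
# Az PowerShell module and audit which resource groups are still unlocked.
# Assumes Az.Resources is installed and Connect-AzAccount has already run;
# 'rg-prod-web' and 'stprodweb01' are constructed placeholder names.

# Lock an entire resource group: every resource inside inherits the lock.
function Protect-ResourceGroup {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [string] $LockName = 'rg-do-not-delete'
    )
    $lock = @{
        LockName          = $LockName
        LockLevel         = 'CanNotDelete'   # the portal's "Delete" lock type
        LockNotes         = 'Prevents accidental or unauthorised deletion'
        ResourceGroupName = $ResourceGroupName
        Force             = $true
    }
    New-AzResourceLock @lock
}

# Lock a single resource (for example one storage account) rather than its group.
function Protect-Resource {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ResourceName,
        [Parameter(Mandatory)] [string] $ResourceType,
        [string] $LockName = 'do-not-delete'
    )
    $lock = @{
        LockName          = $LockName
        LockLevel         = 'CanNotDelete'
        ResourceGroupName = $ResourceGroupName
        ResourceName      = $ResourceName
        ResourceType      = $ResourceType
        Force             = $true
    }
    New-AzResourceLock @lock
}

# Audit: which resource groups in the current subscription carry no
# CanNotDelete lock at their own scope? Those are the ones a careless or
# compromised account could still wipe, so they are the gaps to close.
function Get-UnlockedResourceGroups {
    foreach ($rg in Get-AzResourceGroup) {
        $locks = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope |
                 Where-Object { $_.Properties.level -eq 'CanNotDelete' }
        if (-not $locks) { $rg.ResourceGroupName }
    }
}

# Usage (placeholder names):
Protect-ResourceGroup -ResourceGroupName 'rg-prod-web'
Protect-Resource -ResourceGroupName 'rg-prod-web' -ResourceName 'stprodweb01' `
                 -ResourceType 'Microsoft.Storage/storageAccounts'
Get-UnlockedResourceGroups
```

Running Get-UnlockedResourceGroups on a schedule gives you a simple drift check: any resource group it prints has lost its lock or never had one.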

Delete Attempt

When this lock type is set, if a user attempts to delete the resource via the Azure Portal, the user will get the following message.

Deleting a Resource via PowerShell

When deleting a resource via PowerShell, the command fails to remove the resource since there is a lock on it. However, do note that there is also a PowerShell command to delete locks. Obviously, use that command wisely.
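The following added example (not code from the original post) shows the two sides of that: what the blocked delete looks like when scripted, and how to review lock removals afterwards, since Remove-AzResourceLock is exactly the command a careless or hostile session would reach for first. It assumes the Az module and an existing session; the resource names are constructed placeholders, and the Activity Log property names (Authorization.Action, Caller, EventTimestamp, Status.Value) are taken from the Az.Monitor event object and are assumed here.

```powershell
# Added example (not from the original post). Assumes the Az module and an
# existing Connect-AzAccount session; all names are constructed placeholders.

# A delete against a CanNotDelete-locked resource throws, and the error text
# names the lock. This helper returns $true when the lock did its job.
# Careful: if no lock is present the delete really happens.
function Test-DeleteBlocked {
    param([Parameter(Mandatory)] [string] $ResourceId)
    try {
        Remove-AzResource -ResourceId $ResourceId -Force -ErrorAction Stop
        return $false          # delete succeeded: nothing was protecting it
    }
    catch {
        if ($_.Exception.Message -match 'lock') {
            Write-Warning "Delete refused by lock: $($_.Exception.Message)"
            return $true
        }
        throw                  # some other failure, surface it unchanged
    }
}

# The legitimate path: remove the one lock, delete the one resource, stop.
# Only a principal with Microsoft.Authorization/locks/* rights (Owner or
# User Access Administrator) can run Remove-AzResourceLock, which is the
# whole point of the control.
function Remove-LockedResource {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ResourceName,
        [Parameter(Mandatory)] [string] $ResourceType,
        [Parameter(Mandatory)] [string] $LockName
    )
    Remove-AzResourceLock -LockName $LockName -ResourceGroupName $ResourceGroupName `
        -ResourceName $ResourceName -ResourceType $ResourceType -Force
    Remove-AzResource -ResourceGroupName $ResourceGroupName -ResourceName $ResourceName `
        -ResourceType $ResourceType -Force
}

# Detection: every lock removal lands in the Activity Log as a
# Microsoft.Authorization/locks/delete action. A lock removal shortly before
# a resource deletion is the pattern to review. Property names assumed from
# the Az.Monitor event object.
function Get-LockRemovals {
    param([int] $Days = 7)
    Get-AzActivityLog -StartTime (Get-Date).AddDays(-$Days) |
        Where-Object { $_.Authorization.Action -eq 'Microsoft.Authorization/locks/delete' } |
        Select-Object EventTimestamp, Caller,
            @{ n = 'Scope';  e = { $_.Authorization.Scope } },
            @{ n = 'Status'; e = { $_.Status.Value } }
}

# Usage (placeholder names):
$id = '/subscriptions/<subscription-id>/resourceGroups/rg-prod-web' +
      '/providers/Microsoft.Storage/storageAccounts/stprodweb01'
Test-DeleteBlocked -ResourceId $id
Get-LockRemovals -Days 30
```

Get-LockRemovals is the check worth wiring into whatever reviews your subscription's Activity Log: the lock itself is only as strong as your visibility into who removes it.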

References

Check out the following references: