Resource Locks
Azure Resource Locks prevent accidental or unauthorized modifications and deletions of critical resources. They apply at the subscription, resource group, or individual resource level and cannot be bypassed by any user—including Owners and Contributors—without first removing the lock.
However, the best way to accomplish this is through Azure Policy, as a resource lock can be bypassed by Owners and Contributors.
Types of Locks
- CanNotDelete — Allows read and modify operations, but blocks deletion.
- ReadOnly — Blocks all modifications and deletions; only read operations are permitted.
Scope and Inheritance
Locks are inherited from parent scopes:
- A lock on a subscription applies to all resource groups and resources within it
- A lock on a resource group applies to all resources within it
- Individual resources can have their own locks
Common Use Cases
- Production resources — Prevent accidental deletion of databases, storage accounts, or networking infrastructure
- Compliance & audit — Enforce immutability for resources subject to regulatory requirements
- Shared environments — Protect shared infrastructure from unintended changes by team members
Usage
PowerShell
# Create a Delete lock on a resource group
New-AzResourceLock -LockName "rg-prod-delete-lock" -LockLevel CanNotDelete -ResourceGroupName "rg-myapp-prod-uks-01"
# Create a ReadOnly lock on a resource group
New-AzResourceLock -LockName "rg-prod-readonly-lock" -LockLevel ReadOnly -ResourceGroupName "rg-myapp-prod-uks-01"
# Remove a lock
Remove-AzResourceLock -LockName "rg-prod-delete-lock" -ResourceGroupName "rg-myapp-prod-uks-01"
Best Practices
- Use meaningful lock names that describe their purpose (e.g. rg-prod-nodelete)
- Document who is authorised to remove locks and under what circumstances
- Combine locks with RBAC for layered security—locks are a last line of defence, not a substitute for proper permissions
- Regularly audit locks to remove stale or unnecessary ones
- Consider enforcing locks via Azure Policy to ensure consistency across environments
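The inheritance rules and the audit practice above, as an added example that is not part of the original page: a PowerShell report of each resource group's effective lock level, counting locks inherited from the subscription. It assumes the Az.Accounts and Az.Resources modules, a signed-in session, and that production groups match the `*-prod-*` naming used in the page's samples; the "review" finding for non-production groups is likewise an assumption about what counts as a stale lock.

```powershell
# Added example, not from the original page.
# Assumes Az.Accounts / Az.Resources are installed and Connect-AzAccount has run.
$prodPattern = '*-prod-*'   # assumption: production groups follow the page's sample naming

# Rank lock levels so the strictest inherited or direct lock wins.
$rank = @{ 'CanNotDelete' = 1; 'ReadOnly' = 2 }

# Locks set directly on the subscription; every resource group inherits these.
$subLocks = @(Get-AzResourceLock -AtScope)

$report = foreach ($rg in Get-AzResourceGroup) {
    $name = $rg.ResourceGroupName

    # -AtScope limits the result to locks on the group itself, not on its resources.
    $rgLocks = @(Get-AzResourceLock -ResourceGroupName $name -AtScope)

    # Effective lock = strictest of the inherited and direct locks.
    $effective = @($subLocks + $rgLocks) |
        Sort-Object { $rank[[string]$_.Properties.level] } -Descending |
        Select-Object -First 1

    $isProd  = $name -like $prodPattern
    $finding = ''
    if ($isProd -and -not $effective) {
        $finding = 'Production group has no lock'
    }
    elseif (-not $isProd -and $rgLocks.Count -gt 0) {
        # Assumption: a direct lock outside production is a candidate for review.
        $finding = 'Review: direct lock on non-production group'
    }

    $level = 'None'
    if ($effective) { $level = $effective.Properties.level }

    [pscustomobject]@{
        ResourceGroup  = $name
        EffectiveLevel = $level
        InheritedLocks = $subLocks.Count
        DirectLocks    = ($rgLocks.Name -join ', ')
        Finding        = $finding
    }
}

# Groups with findings first.
$report | Sort-Object Finding -Descending | Format-Table -AutoSize
```

The script only reads lock state; run it per subscription after selecting the context with `Set-AzContext`.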