# Lock Azure resources to prevent changes

Prevent users from updating or deleting critical Azure resources by applying a lock for all users and roles.

Microsoft Docs, azure-resource-manager. Author: tfitzmac (tomfitz). Date: 06/27/2017.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.
- CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
- ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure Role-based Access Control.
Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.azure.com. The locks do not restrict how resources perform their own functions. Resource changes are restricted, but resource operations are not restricted. For example, a ReadOnly lock on a SQL Database prevents you from deleting or modifying the database, but it does not prevent you from creating, updating, or deleting data in the database. Data transactions are permitted because those operations are not sent to https://management.azure.com.
Applying ReadOnly can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a ReadOnly lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations. For another example, placing a ReadOnly lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.
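The following added example (not code from this article) models the rules described above: locks inherit down the scope hierarchy, the most restrictive inherited level wins, and under ReadOnly any management-plane call other than a GET is refused, including the POST that lists storage account keys. The subscription ID, resource IDs and lock names used with it are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Lock levels from the article, ranked so the most restrictive inherited lock wins.
LEVEL_RANK = {"CanNotDelete": 1, "ReadOnly": 2}


@dataclass(frozen=True)
class Lock:
    scope: str   # ARM resource ID of the subscription, resource group or resource the lock is set on
    name: str
    level: str   # "CanNotDelete" or "ReadOnly"


def _in_scope(resource_id: str, scope: str) -> bool:
    """True if resource_id is the scope itself or sits anywhere beneath it (IDs are case-insensitive)."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def effective_level(resource_id: str, locks: Iterable[Lock]) -> Optional[str]:
    """Most restrictive lock level inherited by resource_id, or None when no lock applies."""
    levels = [lock.level for lock in locks if _in_scope(resource_id, lock.scope)]
    if not levels:
        return None
    return max(levels, key=LEVEL_RANK.__getitem__)


def is_allowed(http_method: str, resource_id: str, locks: Iterable[Lock]) -> bool:
    """Decide whether ARM would accept a management-plane call on resource_id.
    GET is a read. PUT, PATCH and POST are writes: POST actions such as listKeys
    count as writes, which is why a ReadOnly lock blocks listing storage account keys.
    DELETE is a delete. Data-plane traffic never reaches this check at all."""
    level = effective_level(resource_id, locks)
    method = http_method.upper()
    if level is None:
        return True
    if level == "CanNotDelete":
        return method != "DELETE"
    return method == "GET"  # ReadOnly
```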
To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.
[!INCLUDE resource-manager-lock-resources]
The following example shows a template that creates a lock on a storage account. The storage account on which to apply the lock is provided as a parameter. The name of the lock is created by concatenating the resource name with /Microsoft.Authorization/ and the name of the lock, in this case myLock.
The type provided is specific to the resource type. For storage, set the type to "Microsoft.Storage/storageaccounts/providers/locks".
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "lockedResource": {
      "type": "string"
    }
  },
  "resources": [
    {
      "name": "[concat(parameters('lockedResource'), '/Microsoft.Authorization/myLock')]",
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2015-01-01",
      "properties": {
        "level": "CannotDelete"
      }
    }
  ]
}
```
You lock deployed resources with Azure PowerShell by using the New-AzureRmResourceLock command.
To lock a resource, provide the name of the resource, its resource type, and its resource group name.
```powershell
New-AzureRmResourceLock -LockLevel CanNotDelete -LockName LockSite `
  -ResourceName examplesite -ResourceType Microsoft.Web/sites `
  -ResourceGroupName exampleresourcegroup
```
To lock a resource group, provide the name of the resource group.
```powershell
New-AzureRmResourceLock -LockName LockGroup -LockLevel CanNotDelete `
  -ResourceGroupName exampleresourcegroup
```
To get information about a lock, use Get-AzureRmResourceLock. To get all the locks in your subscription, use:
```powershell
Get-AzureRmResourceLock
```
To get all locks for a resource, use:
```powershell
Get-AzureRmResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites `
  -ResourceGroupName exampleresourcegroup
```
To get all locks for a resource group, use:
```powershell
Get-AzureRmResourceLock -ResourceGroupName exampleresourcegroup
```
Azure PowerShell provides other commands for working with locks, such as Set-AzureRmResourceLock to update a lock, and Remove-AzureRmResourceLock to delete a lock.
You lock deployed resources with Azure CLI by using the az lock create command.
To lock a resource, provide the name of the resource, its resource type, and its resource group name.
```azurecli
az lock create --name LockSite --lock-type CanNotDelete \
  --resource-group exampleresourcegroup --resource-name examplesite \
  --resource-type Microsoft.Web/sites
```
To lock a resource group, provide the name of the resource group.
```azurecli
az lock create --name LockGroup --lock-type CanNotDelete \
  --resource-group exampleresourcegroup
```
To get information about a lock, use az lock list. To get all the locks in your subscription, use:
```azurecli
az lock list
```
To get all locks for a resource, use:
```azurecli
az lock list --resource-group exampleresourcegroup --resource-name examplesite \
  --namespace Microsoft.Web --resource-type sites --parent ""
```
To get all locks for a resource group, use:
```azurecli
az lock list --resource-group exampleresourcegroup
```
Azure CLI provides other commands for working with locks, such as az lock update to update a lock, and az lock delete to delete a lock.
You can lock deployed resources with the REST API for management locks. The REST API enables you to create and delete locks, and retrieve information about existing locks.
To create a lock, run:
```http
PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/locks/{lock-name}?api-version={api-version}
```
The scope could be a subscription, resource group, or resource. The lock-name is whatever you want to call the lock. For api-version, use 2015-01-01.
In the request, include a JSON object that specifies the properties for the lock.
```json
{
  "properties": {
    "level": "CanNotDelete",
    "notes": "Optional text notes."
  }
}
```
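As an added example that is not from the article, the following Python builds the PUT request shown above for each kind of scope (subscription, resource group, or resource) together with the GET on the same locks path that retrieves existing locks; nothing is sent, so the caller hands the result to whatever HTTP client and credentials they already use. The subscription ID, resource group and resource names used with it are constructed placeholders.

```python
import json
from typing import Optional, Tuple

ARM_ENDPOINT = "https://management.azure.com"   # management plane, where locks are enforced
API_VERSION = "2015-01-01"                       # api-version the article specifies for locks
LOCK_LEVELS = ("CanNotDelete", "ReadOnly")


def lock_scope(subscription_id: str, resource_group: Optional[str] = None,
               resource_type: Optional[str] = None, resource_name: Optional[str] = None) -> str:
    """Build the {scope} segment: a subscription, a resource group, or a resource
    (resource_type is the full type, for example Microsoft.Web/sites)."""
    scope = f"subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    if resource_name:
        if not (resource_group and resource_type):
            raise ValueError("a resource scope needs both a resource group and a resource type")
        scope += f"/providers/{resource_type}/{resource_name}"
    return scope


def create_lock_request(scope: str, lock_name: str, level: str,
                        notes: Optional[str] = None) -> Tuple[str, str, str]:
    """Return (method, url, json_body) for creating or updating a lock at scope."""
    if level not in LOCK_LEVELS:
        raise ValueError(f"level must be one of {LOCK_LEVELS}, got {level!r}")
    url = (f"{ARM_ENDPOINT}/{scope}/providers/Microsoft.Authorization/locks/{lock_name}"
           f"?api-version={API_VERSION}")
    properties = {"level": level}
    if notes:
        properties["notes"] = notes
    return "PUT", url, json.dumps({"properties": properties})


def list_locks_request(scope: str) -> Tuple[str, str]:
    """Return (method, url) that retrieves every lock set at scope."""
    return "GET", f"{ARM_ENDPOINT}/{scope}/providers/Microsoft.Authorization/locks?api-version={API_VERSION}"
```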
- For more information about working with resource locks, see Lock Down Your Azure Resources
- To learn about logically organizing your resources, see Using tags to organize your resources
- To change which resource group a resource resides in, see Move resources to new resource group
- You can apply restrictions and conventions across your subscription with customized policies. For more information, see What is Azure Policy?.
- For guidance on how enterprises can use Resource Manager to effectively manage subscriptions, see Azure enterprise scaffold - prescriptive subscription governance.