Lock Resources from Deletion in Azure Resource Manager Portal

If you are worried that your resources might be deleted in Azure Resource Manager (ARM), there are a few useful tips that I want to share with you. You might already know that ARM has role-based access control (RBAC), where you can set different types of permissions for users and roles. There is a great quick intro about RBAC and how to manage access to your ARM resources.

But what I want to show you today is how to lock resources with the Lock function in ARM. There are two lock types: Read-only and Delete.

  • A Read-only lock lets users/administrators access the resources, but nobody will be able to update, change or delete those artifacts.
  • A Delete lock does not allow resources to be deleted, but it does allow them to be modified.

You can implement locks on Resource Group level or on separate items. If implemented on Resource Group level, all artifacts that belong to that Resource Group will be under the same lock.

Let’s try a few examples. If I want to create a lock on a Resource Group, I select one and click on Lock from Settings. It will allow new resources to be created in this Resource Group, and all new items will fall under the read-only lock.

If I select any of the items within this Resource Group and go to the Locks menu, it prompts me with a warning message.

I have created a test VNET in this Resource Group, and if I try to add another Subnet I get an error message.

It is worth mentioning that I am performing those actions with the same account, which has administrative privileges on the Azure subscription. Other administrators will get exactly the same result until this lock is deleted from the Resource Manager.

If you want to delete a lock, select the ellipsis and choose Delete.

You can also create, change and delete lock resources with PowerShell.

New-AzureRmResourceLock -LockLevel CanNotDelete -LockNotes "My lock notes" -LockName mylock -ResourceName mySite -ResourceType microsoft.web/sites

Set-AzureRmResourceLock -LockName test -ResourceName myResource -ResourceType microsoft.web/sites -ResourceGroupName myResourceGroup -LockLevel CanNotDelete -LockNotes "Updated note"

Remove-AzureRmResourceLock -ResourceId /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-Storage-SouthCentralUS/providers/Microsoft.ClassicStorage/storageAccounts/mystorageaccount/providers/Microsoft.Authorization/locks/test
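
The Resource Group inheritance described earlier can be checked from lock resource IDs like the one passed to Remove-AzureRmResourceLock above. The following is an added example, not code from the original post: it works out which lock level applies to a resource from locks at its own scope and at parent scopes, with the more restrictive level winning when several apply. The function names, the Level property and the sample locks are constructed for illustration.

```powershell
# Added example. Works offline on constructed data; no Azure connection needed.
$LockSuffix = '/providers/Microsoft.Authorization/locks/'

function Get-LockScope {
    param([Parameter(Mandatory)][string]$LockId)
    # A lock's scope is its resource ID with the trailing locks segment removed.
    $i = $LockId.LastIndexOf($LockSuffix, [StringComparison]::OrdinalIgnoreCase)
    if ($i -le 0) { throw "Not a lock resource ID: $LockId" }
    $LockId.Substring(0, $i)
}

function Get-EffectiveLock {
    param(
        [Parameter(Mandatory)][string]$ResourceId,
        [object[]]$Locks = @()
    )
    # Higher rank means more restrictive.
    $rank = @{ CanNotDelete = 1; ReadOnly = 2 }
    $applied = foreach ($lock in $Locks) {
        $scope = Get-LockScope -LockId $lock.ResourceId
        # Match the scope itself or a child of it. The trailing '/' stops
        # 'myResourceGroup' from matching 'myResourceGroup2'.
        if ($ResourceId -ieq $scope -or
            $ResourceId.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase)) {
            $lock
        }
    }
    $top = $applied | Sort-Object { $rank[$_.Level] } -Descending |
        Select-Object -First 1
    if ($top) { $top.Level } else { 'None' }
}

# Constructed sample data: one lock on the group, one on a single site.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rg  = "$sub/resourceGroups/myResourceGroup"
$locks = @(
    [pscustomobject]@{ Level = 'CanNotDelete'
        ResourceId = "$rg/providers/Microsoft.Authorization/locks/rg-lock" }
    [pscustomobject]@{ Level = 'ReadOnly'
        ResourceId = "$rg/providers/Microsoft.Web/sites/mySite/providers/Microsoft.Authorization/locks/site-lock" }
)
$resources = @(
    "$rg/providers/Microsoft.Web/sites/mySite"      # own lock plus group lock
    "$rg/providers/Microsoft.Web/sites/otherSite"   # group lock only
    "${rg}2/providers/Microsoft.Web/sites/mySite"   # sibling group, no lock
)
foreach ($r in $resources) {
    [pscustomobject]@{ Resource = $r; EffectiveLock = Get-EffectiveLock $r $locks }
}
```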
