Image by Harsh Patel | Azure logo by Microsoft Azure

Using Locks on Microsoft Azure

The resources in the cloud are effortless to manage but at the same time, the actions performed are to be meticulously observed. Since making accidental or unwanted modifications to your resources might result in higher billing. That’s why cloud service providers offer “lock” to prevent accidental deletion or modification of critical resources and help the administrator sustain control.

In this article, we will learn to use resource group locks on Microsoft Azure.

Resource Group Locks

Azure provides two locks at the resource group level.

1. Delete: users will be able to access the resource (read and modify) but won’t be able to delete it.
2. ReadOnly: users will be able to read a resource but won’t be able to modify or delete it. (Similar to granting the Reader role to the users)

Locks are inherited, meaning if you apply a lock at a parent level then all the resources within the scope will automatically inherit the lock. However, the most restrictive lock in the inheritance takes precedence.

Nature of the Lock

The Nature of the Lock is based on how it operates, as applying a lock prevents changes to a resource, but it doesn’t restrict the resources to perform their own functions. As an example, a ReadOnly lock on the Server prevents you from deleting or modifying the server. It doesn’t prevent you from creating, updating, or deleting data within the server. You must be a resource Owner or an Administrator (Eg. User Access Administrator) to apply locks on the resource group.

How to apply a lock

Let’s see how to apply a lock to a resource group, Open portal.azure.com, and go to Resource groups to apply a lock as shown below

Resource group Locks | Image from Microsoft Azure Portal

Add a lock by providing name and Lock type as shown in the below image

Applying ReadOnly lock | Image from Microsoft Azure Portal

Applying Delete lock | Image from Microsoft Azure Portal

Applied locks should now get reflected in the list

Lock gets listed | Image from Microsoft Azure Portal

Let’s check if the locks are working as desired, we tried to create a new Virtual Machine within a resource group containing ReadOnly lock.

Not able to create a VM due to ReadOnly lock | Image from Microsoft Azure Portal

Also, since the Delete lock is applied to this resource group we won’t be able to delete any resource and would receive a notification for a failed action.

Activity Notification | Image from Microsoft Azure Portal

In conclusion, the locks are an excellent approach to prevent any accidental modification to the resources on the cloud. 😉