Imagine this:
Your team is working at full speed… and suddenly someone deletes a production resource group – and everything vanishes. 😱
Oops?
Enter Azure Locks – the safety net you didn’t know you needed until something got nuked.
🧠 What Are Azure Locks?
Azure Locks prevent accidental changes or deletions to critical Azure resources by enforcing strict control.
✅ You can apply them to:
- Entire subscriptions
- Individual resource groups
- Specific resources
“Locks = Administrative guardrails – even owners and contributors can’t bypass them without removing the lock first.”
🔐 Types of Locks
Azure supports two lock types:
| Lock Type | What It Does |
|---|---|
| Read-only (CanNotModify) | Allows read access only – no changes allowed |
| Delete (CanNotDelete) | Allows changes, but prevents deletion |
🧠 Think of it this way:
- Read-only = like putting a resource under glass
- CanNotDelete = changes okay, delete not allowed
📌 Where Can You Apply Locks?
| Level | Scope |
|---|---|
| Subscription | Applies to everything under that subscription |
| Resource Group | Applies to all resources within that RG |
| Resource | Applies to that individual resource only |
✅ Locks are inherited downward, following Azure’s resource hierarchy.
🧬 Lock Inheritance & Hierarchy
Locks follow a top-down inheritance model:
- A subscription-level lock affects all RGs and resources below
- A resource group-level lock applies to all resources inside
- A resource-level lock cannot loosen anything inherited from above – it adds to it, and is still enforced on that resource
🧠 Important:
You can’t override a higher-level lock by placing a different lock at a lower level.
Example:
If there’s a CanNotDelete lock on the resource group, even a Contributor cannot delete individual resources inside, even if the resource has no lock of its own.
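To see what is actually in force on a given resource once inheritance is accounted for, here is an added Python helper (not from the original post) that walks a JSON listing in the shape `az lock list` emits and reports the most restrictive lock whose scope covers the resource. The subscription id, resource names and lock names are constructed sample data, and the `id`/`level` field names are assumed to match the CLI's JSON output.

```python
import json

# Constructed sample in the shape of `az lock list` output (ids are made up).
# One CanNotDelete lock on the resource group, one ReadOnly lock on a single
# storage account inside it.
SAMPLE_LOCKS_JSON = """
[
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/rg-no-delete",
   "name": "rg-no-delete", "level": "CanNotDelete"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stlogs/providers/Microsoft.Authorization/locks/logs-readonly",
   "name": "logs-readonly", "level": "ReadOnly"}
]
"""
SAMPLE_LOCKS = json.loads(SAMPLE_LOCKS_JSON)

LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
# ReadOnly forbids modify and delete, CanNotDelete forbids delete only,
# so ReadOnly ranks as the more restrictive when both apply (assumption of this helper).
RANK = {"ReadOnly": 2, "CanNotDelete": 1}

def lock_scope(lock_id: str) -> str:
    """The scope a lock is attached to: its id with the lock suffix removed."""
    idx = lock_id.lower().rfind(LOCK_SUFFIX)
    return lock_id[:idx] if idx >= 0 else lock_id

def scope_covers(scope: str, resource_id: str) -> bool:
    """True when resource_id is the scope itself or sits beneath it.
    Matching is case-insensitive and segment-aligned, so 'rg-prod' does not cover 'rg-production'."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def effective_locks(locks, resource_id):
    """Every lock in force on resource_id, own or inherited from a parent scope."""
    return [lk for lk in locks if scope_covers(lock_scope(lk["id"]), resource_id)]

def effective_level(locks, resource_id):
    """Most restrictive level in force on resource_id, or None when unlocked."""
    applicable = effective_locks(locks, resource_id)
    if not applicable:
        return None
    return max(applicable, key=lambda lk: RANK.get(lk["level"], 0))["level"]

if __name__ == "__main__":
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    for rid in (sub + "/resourceGroups/rg-prod/providers/Microsoft.Web/sites/app1",
                sub + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stlogs",
                sub + "/resourceGroups/rg-production"):
        print(rid.rsplit("/", 1)[-1], "->", effective_level(SAMPLE_LOCKS, rid))
```

Feed it the real output of `az lock list` (subscription scope) to audit which production resources are only protected by inheritance and which have a lock of their own.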
🛡️ Critical Resources You Should Lock
| Resource | Why Lock It? | Recommended Lock Type |
|---|---|---|
| Production Resource Groups | Prevent deletion of live infra | CanNotDelete |
| Virtual Networks | Avoid breaking network dependencies | Read-only (if static) |
| Azure Firewall | Critical for security perimeter | CanNotDelete |
| App Services | If linked to backend APIs | CanNotDelete |
| Storage Accounts (for logs, backups) | Audit and retention | Read-only |
| Key Vaults | Security! | CanNotDelete |
✅ Also useful for shared services, e.g., DNS zones, VPN gateways, monitoring infra.
🛠️ How to Apply Locks
| Method | Command/Action |
|---|---|
| Azure Portal | Resource → Locks → Add |
| PowerShell | New-AzResourceLock -LockName <lock-name> -LockLevel CanNotDelete -ResourceGroupName <rg> |
| CLI | az lock create --name <lock-name> --lock-type CanNotDelete --resource-group <rg> |
| ARM Template/Bicep | Define resources block for Microsoft.Authorization/locks |
✅ Locks are visible in the Locks blade of each resource or RG
🧠 AZ-104 + Admin Nuggets
- ✅ Locks don’t prevent billing or monitoring
- ✅ You must be Owner or User Access Administrator to manage locks
- ✅ Locks do not apply to Data Plane (e.g., cannot prevent writing to a storage blob)
- ✅ Removing a lock is a deliberate action – and is logged!
- ✅ NSGs, VNets, and Firewalls are top candidates for Read-only locks in secure setups
🏁 TL;DR – Azure Locks at a Glance
| Feature | Summary |
|---|---|
| Purpose | Prevent unwanted deletion or changes |
| Lock Types | CanNotDelete, ReadOnly |
| Scope | Sub, RG, or Resource |
| Inheritance | ✅ Top-down enforced |
| Override? | ❌ No lower-level override allowed |
| Use Cases | Prod RGs, VNets, Firewalls, Storage, Key Vault |
“Azure Locks are like seatbelts – not glamorous, but you’ll thank them when something hits the fan.” 😎
Until your next locked-down deployment,
Cya & keep securing smart 🚀