AZ 104 & AZ-104 | Configure Resource Locks - AZ-104: Microsoft Azure Administrator

2.1.3.2. Configure Resource Locks

💡 First Principle: Resource locks provide a critical safeguard against accidental or unauthorized changes to essential infrastructure, acting as a persistent layer of protection that overrides user permissions.

Scenario: Your production resource group contains critical Virtual Machines and SQL Databases. You need to prevent accidental deletion of these resources, even by administrators who have "Contributor" permissions.

What It Is: Resource locks are a feature in Azure that prevents resources from being accidentally deleted or modified.

Lock Types:

CanNotDelete: Users can read and modify the resource, but deletion is blocked. Use this for resources that must remain but may need configuration changes (e.g., a production Virtual Network).
ReadOnly: Users can only read the resource; all modification and deletion actions are denied. This is the strictest lock, making the resource view-only (e.g., an archived Storage Account).

Scope of Application:

Locks can be set at the subscription, resource group, or individual resource level.
Locks at a higher scope (e.g., subscription) are inherited by all child resources, ensuring broad protection.

Practical Implementation: Applying a Lock with Azure CLI

# Apply a 'CanNotDelete' lock to a resource group
az lock create --name "ProdRG-NoDelete" --lock-type CanNotDelete --resource-group "Production-RG"

Visual: Resource Lock Functionality

Loading diagram...

⚠️ Common Pitfall: Forgetting that a resource lock is in place and spending time troubleshooting why a deployment or modification is failing with an access denied error.

Key Trade-Offs:

Protection vs. Agility: Locks provide strong protection but can slow down legitimate administrative tasks, as the lock must be removed before making changes. They should be used judiciously on critical, stable resources.

Reflection Question: How do Azure resource locks, by providing a persistent layer of protection against accidental or unauthorized changes, fundamentally safeguard critical infrastructure and ensure operational stability and compliance?