Azure Locks – How to prevent accidental deletion of Azure resources

Azure Locks

Microsoft Azure offers a feature known as ‘Locks’. It prevents accidental deletion of, and unexpected changes to, Azure resources. By default, the Owner and User Access Administrator roles can apply locks.

There are two types of locks: CanNotDelete and ReadOnly.

CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.

ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

You can apply locks at the following levels in Azure:

  1. Subscription
  2. Resource Group
  3. Resource

How to apply Locks?

Go to the Azure Portal and select the resource. In my case, I am applying it at the resource level (a SQL database).

Under Settings, click on ‘Locks’ to open the blade, enter the lock details and click on ‘Add’.

Once the lock is created, go to the resource and click on Delete. Azure will give you an error message saying the delete operation cannot be performed because the resource is locked.

Now we know what locks are and what they do. We can apply them to all kinds of resources, especially resources that cannot be recovered once deleted. For example, if ‘soft delete’ is not on, a storage account cannot be recovered once it is deleted. Another scenario: if you have multiple co-admins and contributors in your organisation and you want to make sure no resource is deleted accidentally, you can lock those resources. In a nutshell, locks can be used in many ways and can make our lives easier.
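
To check which resources a set of locks actually covers, here is an added example (not part of the original post) that computes the effective lock on each resource. It relies on the behaviour that a lock applied at subscription or resource group level is inherited by everything beneath it, and that the most restrictive lock wins. The resource IDs and lock records are constructed sample data, the `id` and `level` fields are assumed to mirror the JSON returned by a lock listing, and the function names are hypothetical.

```python
# Added example: effective lock per resource, with inheritance from parent scopes.
LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive

def lock_scope(lock_id):
    """Scope a lock applies to: its id with the trailing lock segment removed."""
    lowered = lock_id.lower()
    return lowered[: lowered.rindex(LOCK_SUFFIX)]

def effective_lock(resource_id, locks):
    """Most restrictive lock set on the resource or inherited from a parent scope."""
    rid = resource_id.lower()
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # The "/" guard stops rg-data from matching a sibling such as rg-data2.
        if rid == scope or rid.startswith(scope + "/"):
            if RANK[lock["level"]] > RANK[best]:
                best = lock["level"]
    return best

def unprotected(resource_ids, locks):
    """Resources that no lock covers, i.e. that can still be deleted."""
    return [r for r in resource_ids if effective_lock(r, locks) is None]

# Constructed sample data (placeholder subscription id, made-up resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCES = [
    SUB + "/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql01/databases/appdb",
    SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata01",
    SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/web01",
]
LOCKS = [
    # Resource group level lock: inherited by every resource in rg-data.
    {"id": SUB + "/resourceGroups/rg-data/providers/Microsoft.Authorization/locks/no-delete",
     "level": "CanNotDelete"},
    # Resource level lock on the SQL database only.
    {"id": RESOURCES[0] + "/providers/Microsoft.Authorization/locks/freeze",
     "level": "ReadOnly"},
]

if __name__ == "__main__":
    for res in RESOURCES:
        print(effective_lock(res, LOCKS), res.rsplit("/", 1)[-1])
    print("No lock:", [r.rsplit("/", 1)[-1] for r in unprotected(RESOURCES, LOCKS)])
```

In the sample, the database ends up ReadOnly (its own lock outranks the inherited one), the storage account inherits CanNotDelete from its resource group, and the web app in rg-web has no lock at all.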