Governance and compliance
📘Microsoft Certified: Azure Fundamentals (AZ-900)
1. What Are Resource Locks in Azure?
A resource lock in Azure is a governance feature that helps protect your Azure resources from being accidentally deleted or modified.
In simple terms, a resource lock adds an extra layer of protection to your resources, even if someone has permission to manage them.
For the AZ-900 exam, remember:
Resource locks prevent accidental changes or deletion of Azure resources.
They are part of Azure Resource Manager (ARM) and are used to protect critical resources.
2. Why Resource Locks Are Important
In an IT environment, many administrators and engineers may have access to resources such as:
- Virtual Machines (VMs)
- Storage Accounts
- Databases
- Virtual Networks
- Resource Groups
Even experienced administrators can accidentally:
- Delete a production virtual machine
- Remove a storage account containing important data
- Modify a network configuration
- Delete an entire resource group
Resource locks help prevent these types of accidental actions.
They are especially useful for:
- Production environments
- Shared environments
- Critical business systems
- Compliance-sensitive workloads
3. Types of Resource Locks
There are two types of resource locks in Azure.
You must know both for the exam.
1️⃣ Read-only Lock
What it does:
- Prevents any changes to the resource
- Users can still view (read) the resource
- No modifications are allowed
What is blocked:
- Updating settings
- Deleting the resource
- Changing configurations
- Adding or removing properties
What is allowed:
- Viewing the resource
- Reading data (if permitted by RBAC)
Important Exam Point:
A Read-only lock is more restrictive than the Delete lock.
Even users with the Owner role cannot modify the resource if a Read-only lock is applied.
2️⃣ Delete Lock (CanNotDelete)
What it does:
- Prevents deletion of the resource
- Allows modifications
What is blocked:
- Deleting the resource
What is allowed:
- Updating settings
- Changing configurations
- Restarting services
- Scaling resources
Important Exam Point:
A Delete lock allows changes but prevents deletion.
4. Lock Levels Compared
| Lock Type | Can View | Can Modify | Can Delete |
|---|---|---|---|
| No Lock | Yes | Yes | Yes |
| Read-only | Yes | No | No |
| Delete | Yes | Yes | No |
Memorize this table for the exam.
5. Where Can Resource Locks Be Applied?
Resource locks can be applied at different levels:
- 🔹 Subscription
- 🔹 Resource Group
- 🔹 Individual Resource
Important Concept: Inheritance
If you apply a lock at a higher level, it applies to all resources below it.
For example:
- Lock applied at subscription level → affects all resource groups and resources.
- Lock applied at resource group level → affects all resources in that group.
- Lock applied at resource level → affects only that specific resource.
This is called inheritance.
Exam Tip:
The most restrictive lock takes precedence.
If a resource has different locks at different levels, the stricter one applies.
6. Resource Locks and RBAC (Role-Based Access Control)
This is very important for AZ-900.
Resource locks work together with RBAC, but they are different.
RBAC:
- Controls who can access a resource
- Controls what actions they are allowed to perform
Resource Locks:
- Override permissions
- Prevent specific actions even if the user has permission
For example:
- A user has Owner role.
- A Read-only lock is applied.
- The user still cannot modify the resource.
So remember:
Resource locks override RBAC permissions.
7. Real IT Examples (Without Non-IT Analogies)
Here are practical IT scenarios where locks are used:
Example 1: Protecting a Production Database
A company runs a SQL Database used by customers.
A Delete lock is applied to prevent accidental deletion.
Administrators can still:
- Update settings
- Scale the database
But they cannot delete it unless they remove the lock first.
Example 2: Protecting a Critical Virtual Network
A virtual network connects multiple applications.
If it is deleted, all applications may stop working.
A Delete lock is applied to prevent accidental removal.
Example 3: Preventing Configuration Changes
A compliance-approved storage account must not be modified.
A Read-only lock is applied to:
- Prevent configuration changes
- Prevent deletion
Example 4: Protecting an Entire Resource Group
A production resource group contains:
- Web servers
- Databases
- Networking components
A Delete lock is applied at the resource group level to prevent accidental deletion of the entire environment.
8. How Resource Locks Work Technically
Resource locks are part of Azure Resource Manager (ARM).
When someone attempts to:
- Modify
- Delete
- Update
Azure checks:
- RBAC permissions
- Whether a lock exists
If a lock blocks the action, Azure denies the request.
Even if the user has full permissions.
9. How to Remove a Lock
Only users with appropriate permissions (like Owner or User Access Administrator) can remove a lock.
Steps:
- Remove the lock.
- Perform the action.
- Optionally reapply the lock.
This ensures controlled changes.
10. Resource Locks and Compliance
Resource locks help with:
- Change control
- Governance policies
- Preventing unauthorized modifications
- Protecting regulated workloads
They support compliance frameworks by:
- Reducing risk of accidental deletion
- Maintaining system stability
- Supporting audit and control processes
However:
Resource locks do NOT replace backup solutions.
If data is deleted before a lock is applied, the lock does not restore it.
11. What Resource Locks Do NOT Do
For the exam, understand limitations:
- They do NOT control access (RBAC does).
- They do NOT prevent data access inside the resource.
- They do NOT provide backup.
- They do NOT stop all types of internal data operations.
- They do NOT replace Azure Policy.
12. Resource Locks vs Azure Policy (Exam Comparison)
This is a common exam topic.
| Feature | Resource Lock | Azure Policy |
|---|---|---|
| Prevent deletion | Yes | Indirectly |
| Prevent modification | Yes | Yes (via policy rules) |
| Enforce standards | No | Yes |
| Compliance tracking | No | Yes |
| Governance control | Basic | Advanced |
Key Difference:
- Resource Locks = Protection against accidental change.
- Azure Policy = Enforce organizational standards and compliance rules.
13. Important Exam Points to Memorize
✔ There are two lock types: Read-only and Delete.
✔ Read-only is more restrictive than Delete.
✔ Locks override RBAC permissions.
✔ Locks can be applied at subscription, resource group, or resource level.
✔ Locks inherit from higher levels.
✔ The most restrictive lock takes precedence.
✔ Locks help prevent accidental deletion or modification.
✔ Locks are part of Azure governance.
14. Simple Summary for Non-IT Learners
- Azure resources can be accidentally changed or deleted.
- Resource locks protect important resources.
- There are two types:
- Read-only → No changes allowed.
- Delete → Cannot delete.
- Locks work even if someone has full permissions.
- Locks can be applied at different levels.
- They are used to protect production systems and critical infrastructure.
Final AZ-900 Exam Reminder
If the exam question asks:
- “How do you prevent accidental deletion?” → Delete Lock
- “How do you prevent changes and deletion?” → Read-only Lock
- “What overrides RBAC permissions?” → Resource Locks
- “Which governance feature protects resources from accidental changes?” → Resource Locks
