Manage Azure subscriptions and governance
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
Azure resources include things like:
- Virtual Machines (VMs)
- Storage Accounts
- Databases
- Resource Groups
- Subscriptions
Without locks, someone could accidentally delete a VM or modify a storage account, causing service outages or data loss. Locks protect against this.
1. Types of Resource Locks
Azure provides two types of locks:
- CanNotDelete (deletion blocked, resource still editable)
- Prevents deletion of a resource.
- Users can still read and modify the resource.
- Example: A critical database that must not be deleted, but can be updated with new data.
- ReadOnly (No changes allowed)
- Users cannot delete or modify the resource.
- Only read operations are allowed.
- Example: A production configuration file that must not be altered.
| Lock Type | Can Delete? | Can Edit? | Can Read? |
|---|---|---|---|
| CanNotDelete | ❌ No | ✅ Yes | ✅ Yes |
| ReadOnly | ❌ No | ❌ No | ✅ Yes |
2. Where Locks Can Be Applied
Locks can be applied at different scopes in Azure:
- Subscription – Protects all resources within the subscription.
- Resource Group – Protects all resources inside that resource group.
- Resource – Protects a specific resource, like a VM or Storage Account.
Important:
- Locks inherit downwards.
- If you apply a lock at the subscription level, it affects all resource groups and resources within it.
- But a lock on a resource group does not affect other resource groups.
3. How Locks Work
- Locking a resource prevents accidental changes but does not override user permissions.
- Users with Owner or Contributor roles can still perform actions unless a lock prevents it.
- Changes made through scripts or Azure Resource Manager (ARM) templates are blocked just like portal actions when they violate a lock.
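Because locks inherit downwards, the lock you see on a resource's own Locks blade is not the whole story: a lock on the resource group or subscription applies too. The script below is an added example, not part of these notes, that reports the effective lock on every resource in a resource group by matching each lock's scope against the resource id. It assumes the Az PowerShell module is installed and Connect-AzAccount has been run; "MyResourceGroup" is a placeholder name.

```powershell
# Added example, not from the AZ-104 notes: report the locks that actually apply to each
# resource in a resource group, including locks inherited from the resource group and
# subscription scopes. Assumes the Az PowerShell module and an authenticated session
# (Connect-AzAccount). "MyResourceGroup" is a placeholder name.

# A lock's LockId ends in "/providers/Microsoft.Authorization/locks/<name>";
# the part before that suffix is the scope the lock protects.
function Get-LockScope {
    param([Parameter(Mandatory)][string]$LockId)
    return ($LockId -replace '/providers/Microsoft\.Authorization/locks/[^/]+$', '')
}

# Locks inherit downwards: a lock applies to a resource when the lock scope equals the
# resource id or is one of its parents. Match on whole path segments so that a lock on
# resource group "rg1" is not mistaken for a lock on "rg10".
function Test-LockApplies {
    param(
        [Parameter(Mandatory)][string]$ResourceId,
        [Parameter(Mandatory)][string]$LockScope
    )
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    if ($ResourceId.Equals($LockScope, $cmp)) { return $true }
    return $ResourceId.StartsWith($LockScope.TrimEnd('/') + '/', $cmp)
}

function Get-EffectiveLockReport {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    # All locks in the current subscription, whatever scope they were created at.
    $allLocks = @(Get-AzResourceLock)

    foreach ($res in Get-AzResource -ResourceGroupName $ResourceGroupName) {
        $applied = @($allLocks | Where-Object {
            Test-LockApplies -ResourceId $res.ResourceId -LockScope (Get-LockScope -LockId $_.LockId)
        })
        $levels = @($applied | ForEach-Object { $_.Properties.level })

        # ReadOnly is the stricter level and wins when both kinds are inherited.
        $effective = 'None'
        if ($levels -contains 'CanNotDelete') { $effective = 'CanNotDelete' }
        if ($levels -contains 'ReadOnly')     { $effective = 'ReadOnly' }

        [pscustomobject]@{
            Resource      = $res.Name
            Type          = $res.ResourceType
            EffectiveLock = $effective
            LockedFrom    = ($applied | ForEach-Object { Get-LockScope -LockId $_.LockId }) -join '; '
        }
    }
}

# Usage: list the resources in the group that no lock protects at any scope.
Get-EffectiveLockReport -ResourceGroupName 'MyResourceGroup' |
    Where-Object EffectiveLock -eq 'None' |
    Format-Table -AutoSize
```

The LockedFrom column shows the scope each applied lock was created at, which is what distinguishes a lock placed directly on a VM from one inherited from its resource group or the subscription.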
4. How to Create a Resource Lock
You can create a lock using:
- Azure Portal (GUI)
- Navigate to the resource → Settings → Locks → Add
- Choose Lock Type (CanNotDelete / ReadOnly)
- Give it a name and description
- Azure PowerShell

```powershell
# Example: Lock a VM to prevent deletion
New-AzResourceLock -LockName "VM-Lock" -LockLevel CanNotDelete -ResourceName "MyVM" -ResourceGroupName "MyResourceGroup" -ResourceType "Microsoft.Compute/virtualMachines"
```

- Azure CLI

```bash
# Example: Lock a storage account as read-only
az lock create --name "StorageLock" --lock-type ReadOnly --resource-group MyResourceGroup --resource-name MyStorageAccount --resource-type "Microsoft.Storage/storageAccounts"
```
5. How to Remove a Resource Lock
- Only users with the Owner role or a role with Microsoft.Authorization/locks/delete permission can remove a lock.
- You can remove it using the Portal, PowerShell, or CLI, just like creating it.
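Creating and removing locks by hand works for the exam, but in practice two patterns matter: applying locks idempotently from a script, and lifting a lock only for the duration of a deliberate change so the resource is never left unprotected. The following is an added example, not part of these notes, that implements both with the Az PowerShell cmdlets the notes already mention. It assumes an authenticated Az session; the resource group, VM and storage account names are placeholders, and the function names are my own.

```powershell
# Added example, not from the AZ-104 notes: enforce a CanNotDelete lock idempotently, and
# lift a lock for a controlled change while guaranteeing it is re-applied afterwards.
# Assumes the Az PowerShell module and an authenticated session; the resource names
# used in the usage lines are placeholders.

function Ensure-DeleteLock {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$ResourceName,
        [Parameter(Mandatory)][string]$ResourceType,
        [string]$LockName = "protect-$ResourceName"
    )
    # Re-running the script must neither fail nor create duplicates: look before creating.
    $existing = Get-AzResourceLock -ResourceGroupName $ResourceGroupName -ResourceName $ResourceName `
        -ResourceType $ResourceType -LockName $LockName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete `
        -ResourceGroupName $ResourceGroupName -ResourceName $ResourceName -ResourceType $ResourceType `
        -LockNotes 'Deletion requires removing this lock first' -Force
}

function Invoke-WithLockLifted {
    param(
        [Parameter(Mandatory)][string]$LockId,
        [Parameter(Mandatory)][scriptblock]$Change
    )
    # Capture the lock so it can be restored with the same name, level and notes.
    $lock  = Get-AzResourceLock -LockId $LockId
    $scope = $LockId -replace '/providers/Microsoft\.Authorization/locks/[^/]+$', ''

    # Removal needs Microsoft.Authorization/locks/delete, which Owner and
    # User Access Administrator hold and Contributor does not.
    Remove-AzResourceLock -LockId $LockId -Force | Out-Null
    try {
        & $Change
    }
    finally {
        # Runs whether the change succeeded or threw, so the resource is not left unlocked.
        $restore = @{ LockName = $lock.Name; LockLevel = $lock.Properties.level; Scope = $scope; Force = $true }
        if ($lock.Properties.notes) { $restore.LockNotes = $lock.Properties.notes }
        New-AzResourceLock @restore | Out-Null
    }
}

# Usage (placeholder names): make sure the VM cannot be deleted.
Ensure-DeleteLock -ResourceGroupName 'MyResourceGroup' -ResourceName 'MyVM' `
    -ResourceType 'Microsoft.Compute/virtualMachines' | Out-Null

# A ReadOnly lock blocks tag updates; lift it only for as long as the change takes.
$sa = Get-AzResource -ResourceGroupName 'MyResourceGroup' -Name 'MyStorageAccount' `
    -ResourceType 'Microsoft.Storage/storageAccounts'
$storageLock = Get-AzResourceLock -ResourceGroupName 'MyResourceGroup' -ResourceName 'MyStorageAccount' `
    -ResourceType 'Microsoft.Storage/storageAccounts' -LockName 'StorageLock'
Invoke-WithLockLifted -LockId $storageLock.LockId -Change {
    Update-AzTag -ResourceId $sa.ResourceId -Tag @{ Owner = 'platform-team' } -Operation Merge
}
```

The try/finally is the point of the second function: an exception inside the change block would otherwise leave the storage account without its ReadOnly lock, and because the lock is re-created at its original scope with the same level, inherited protection for any child resources is restored as well.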
6. Exam Tips for AZ-104
- Understand the two types of locks – CanNotDelete vs ReadOnly.
- Know the scopes – Subscription, Resource Group, Resource.
- Remember inheritance – Locks on a higher-level scope apply to lower levels.
- Remember limitations – Locks do not override role-based access permissions; they only prevent certain actions.
- Know commands – Portal navigation, PowerShell New-AzResourceLock, and CLI az lock create.
Sample Question Style:
You want to prevent deletion of a critical VM but allow updates. Which lock type should you use?
Answer: CanNotDelete
You want to prevent any changes (including updates) to a storage account. Which lock type should you use?
Answer: ReadOnly
✅ Key Points Summary
- Locks protect resources from accidental deletion or modification.
- Two types: CanNotDelete and ReadOnly.
- Can be applied at subscription, resource group, or resource level.
- Locks inherit downwards, affecting child resources.
- Creation and deletion can be done via Portal, PowerShell, or CLI.
- Locks do not override RBAC permissions.
