This time around I want to discuss a powerful feature that doesn't seem to get much coverage; Azure Management Locks. Management Locks (locks for short) are a mechanism for protecting resources in your Azure subscription from accidental deletion or modification. Let's take a look at what locks are, how to administer them, and discuss a practical use for their application.
Management Locks prevent accidental changes from occurring. A lock can be applied to a subscription, resource group, or resource. When a lock is applied on a resource, that resource cannot be modified or deleted by anyone. If someone wants to make a change, he/she needs to explicitly remove the lock before the change can occur.
There are two types of locks, ReadOnly, and CanNotDelete. The ReadOnly lock prevents modifications and the CanNotDelete lock prevents deletions. Locks are hierarchical. A lock applied to a resource group cascades down to all of resources in the group. Locks are applied across all users and roles. Only members of the Owner and User Access Administrator roles can manage locks.
ReadOnly and CanNotDelete locks can lead to unexpected issues because some maintenance actions require the ability to modify the resource. For example, a ReadOnly lock on a virtual machine in a resource group would prevent users from starting or restarting the VM. In another example, Azure Backup Service backups may fail if a CanNotDelete lock is placed on the resource group because Azure Backup needs to be able to delete restore points. Bottom line, be sure to read the documentation for locks before you apply them to your resources.
Locks can be managed in any number of ways including, the Azure Portal, Resource Manager Templates, PowerShell, the Azure CLI, and REST API. I will demonstrate how to create a lock via the portal and PowerShell. You can learn about the other methods here
For this example, you need to have an Azure subscription with a resource group containing at least one resource. If you don't have an Azure account, you can create one here.
Creating a lock using the portal is a simple process. Login to the Azure Portal and navigate to your resource group. From there, select the Locks link in the Settings blade.
Let's create a CanNotDelete lock to prevent deletions within your resource group. Click Add to add the lock. Name it PreventDelete and select the Delete option from the Lock type dropdown. As a side note, CanNotDelete locks are simply called Delete locks in the portal. Click OK to create the lock.
Managing locks via PowerShell requires you to install the Azure PowerShell modules. Instructions for installing the modules can be found here. After the modules are installed, start PowerShell and run the
Connect-AzAccount commandlet. This commandlet is how you connect to Azure from PowerShell. Follow the instructions to sign in to your Azure account. Once connected, issue the
Get-AzResourceLock commandlet with the -ResourceGroupName parameter to retrieve a list of locks for your resource group.
Get-AzResourceLock -ResourceGroupName your_resource_group
You should see information about the PreventDelete lock you created via the portal. Take note of the lock's LockId property. You will use that in the next section to delete the lock.
You can delete the PreventDelete lock you created earlier by issuing the
Remove-AzResourceLock commandlet, specifying the lock id of the lock you want to delete. Of course, you can also delete the lock via the portal if you prefer.
Remove-AzResourceLock -LockId your_locks_lockid_property
When you run this command, you will be prompted to confirm your intention to delete the lock. Press enter to continue with the deletion of the lock.
You can create a lock using the
New-AzResourceLock PowerShell commandlet. The commandlet has parameters for the LockName, LockLevel, and ResourceGroupName, among others. The LockName specifies the lock's name, the LockLevel is the Lock type, i.e., CanNotDelete or ReadOnly, and the ResourceGroupName is the resource group's name. Execute the following to recreate the PreventDelete lock using PowerShell:
New-AzResourceLock -LockName PreventDelete -LockLevel CanNotDelete -ResourceGroupName your_resource_group
Get-AzResourceLock commandlet to confirm the lock has been created.
To get a true understanding of a lock's value, try to delete a resource in your resource group. You can do that using your preferred method, portal, PowerShell, etc. With the lock in place, you'll get an error that a lock is applied and the delete operation will fail. If you needed to delete that resource, you would have to explicitly remove the lock, then redo the delete operation.
As an administrator, you should consider creating locks within your Azure environment to prevent unexpected changes. Without locks in place, users with the correct permissions are capable of accidentally deleting resources. Locks prevent ALL users, regardless of role, from making unexpected changes.
Management locks are a nice feature within Azure that I feel deserves a bit of attention. They offer flexibility in how they are managed, including command line, portal, and API methods. Locks provide tremendous value by protecting your Azure resource from accidental modification or deletion. They can be applied to multiple items like subscriptions, resource groups, and resources. Locks should be employed in all of your Azure environments.