Preventing Azure Resource Deletion or Unexpected Changes using Locks

By | February 13, 2018

Locking a Resource Group

In your Azure environment, there could be several critical Azure resources that you don’t ever want to be deleted or modified. For an instance, deleting a SQL Azure resource, or deleting any running services from the Azure portal. Of course, no one just really doesn’t want to do it. Nevertheless, it may get deleted or modified by chance, or as an administrator or owner the solution you want to prevent the delete or change access to other users of the same subscription or resources. You can take help of Azure Resource Locking. This will help you by ‘locking down‘ a resource or a resource group all together to prevent accidentally modifying or deleting it.

Locking Azure Resource

From the Azure Portal, Open the respective Azure Resource you want to lock. In this case, we choose one Cosmos DB resource and select the Locks option from the Settings category.

Add Lock Azure Resource

Add Lock Azure Resource

Provide a Lock name and choose the type of Lock.  The lock type you can choose here it to make it read-only or restrict delete access. Let’s choose “Delete” lock and provide some additional notes for future references.

 

Lock Details for Azure Lock

Lock Details for Azure Lock

Once the above information is filled. Click on OK to proceed with Lock creation.
Once the lock is created, you can see the details of Locks as shown in the below screenshot.

 

 

Lock Created with Resource Scope

Lock Created with Resource Scope

 

Once the lock is in placed, if you and anyone who has the access to this resource try to delete it, will get a Delete Failure notification.

 

Failed To Delete Locked Azure Resources

Failed To Delete Locked Azure Resources

You need to unlock the resource before you delete. The same goes for making a read-only lock as well.

Locking Azure Resource Group

The scope of the above lock was set to “This Resource”, which mean only that attached resource is bounded with the lock. There are cases you may lock your entire resource group which is running on production. In that case, you can lock the entire resource group. It will cascade the effects to all its child resources.

Locking a Resource Group

Locking a Resource Group

Once the lock is created, if you check for the scope of this lock – it is set to “Resource Group

 

Resource Group Locking Scope

Resource Group Locking Scope

Now if you try to delete the resource group you will get a similar message like what you received for Resources

 

Deleting Prevention of Resource Group

Deleting Prevention of Resource Group

 

 

When the lock is set to “Resource Group”, if you try to delete any resources under that group you will receive following error.

 

 

Parent Lock Resource

Parent Locked Resource

 

Overall, this locking feature is extremely useful for Portal to lock a resource, a resources group or even a subscription to prevent other users from accidentally deleting or modifying critical resources.
Hope this helps

2 thoughts on “Preventing Azure Resource Deletion or Unexpected Changes using Locks

  1. Pingback: Dew Drop - February 13, 2018 (#2664) - Morning Dew

  2. Pingback: Azure Weekly: Feb 19, 2018 – Build Azure

Leave a Reply