AZ-900: Resource Locks

In Azure, resource locks prevent accidental changes or deletions. They are a simple but powerful governance control that helps ensure critical resources aren’t modified without intent.


Where Locks Can Be Applied

Locks can be applied at several different levels:

Locks are inheritable, which means that if a parent scope is locked, all child resources are also locked. When multiple locks are in place, the most restrictive lock applies.

Types of Locks

There are two types of locks available in Azure:

  1. CanNotDelete
    • Users with the right permissions can read and modify resources.
    • However, they cannot delete them.
  2. ReadOnly
    • Users can only read resources.
    • No changes or deletions are allowed.
    • This may have side effects. For example, you cannot start or restart a virtual machine if it is locked as ReadOnly.

Even Owners cannot perform the forbidden actions while a lock is in place. To make changes, the lock must first be removed.


Locking Resource Groups

If you apply a ReadOnly lock at the resource group level, then:

  • You cannot add new resources to the group.
  • You cannot remove existing resources from the group.
  • All resources inside the group inherit the restrictions.
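
The inheritance and "most restrictive lock applies" rules described above can be modelled in a few lines. This is an added example, not Azure's own code or API: it is a simplified Python model, and the scope IDs, sample lock list and operation names in it are constructed assumptions.

```python
# Simplified model of how resource locks combine (added example).
# All scope IDs and resource names are constructed sample values.

RESTRICTIVENESS = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}

# Constructed sample locks: (scope the lock is applied at, lock type)
SAMPLE_LOCKS = [
    ("/subscriptions/sub-1", "CanNotDelete"),
    ("/subscriptions/sub-1/resourceGroups/rg-prod", "ReadOnly"),
]


def is_within(scope, resource_id):
    """True if resource_id is the locked scope itself or a child of it."""
    # Resource IDs are compared case-insensitively.
    scope = scope.rstrip("/").lower()
    resource_id = resource_id.rstrip("/").lower()
    # The trailing "/" stops rg-prod from matching rg-prod-2.
    return resource_id == scope or resource_id.startswith(scope + "/")


def effective_lock(resource_id, locks):
    """Most restrictive lock inherited from any enclosing scope, or None."""
    inherited = [level for scope, level in locks if is_within(scope, resource_id)]
    return max(inherited, key=RESTRICTIVENESS.get, default=None)


def is_allowed(operation, resource_id, locks):
    """operation: 'read', 'modify' (includes create, start, restart) or 'delete'.

    The caller's role is deliberately not a parameter: even an Owner is
    blocked until the lock is removed.
    """
    lock = effective_lock(resource_id, locks)
    if lock == "ReadOnly":
        return operation == "read"
    if lock == "CanNotDelete":
        return operation != "delete"
    return True


if __name__ == "__main__":
    vm = ("/subscriptions/sub-1/resourceGroups/rg-prod"
          "/providers/Microsoft.Compute/virtualMachines/vm1")
    for op in ("read", "modify", "delete"):
        print(op, "->", "allowed" if is_allowed(op, vm, SAMPLE_LOCKS) else "blocked")
```
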

Why Resource Locks Matter

Resource locks are a core part of Azure governance, complementing:


Next Steps

Resource locks are one of the governance fundamentals you need to understand for the AZ-900 exam. They ensure that critical Azure resources, such as virtual machines and storage accounts, are protected from accidental modification or deletion.

For more, check out our AZ-900 video course for in-depth guidance – or go back to the topics in the AZ-900 exam.
