
Resource locks (delete, read-only) in Azure - Commands & Configuration

Introduction
Sometimes you want to protect important cloud resources from accidental changes or deletion. Azure resource locks help you do this by preventing users from deleting or modifying resources unintentionally.
When you want to stop accidental deletion of a virtual machine that runs critical applications.
When you want to prevent changes to a storage account that holds important backups.
When multiple team members manage resources and you want to avoid accidental updates.
When you want to protect a resource group from being deleted while still allowing read access.
When you want to ensure compliance by locking resources in a read-only state.
Commands
This command creates a delete lock named 'LockDelete' on the virtual machine 'example-vm' in the resource group 'example-rg'. It prevents the VM from being deleted accidentally.
Terminal
az lock create --name LockDelete --lock-type CanNotDelete --resource-group example-rg --resource-name example-vm --resource-type Microsoft.Compute/virtualMachines
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/virtualMachines/example-vm/providers/Microsoft.Authorization/locks/LockDelete",
  "name": "LockDelete",
  "properties": {
    "level": "CanNotDelete",
    "notes": null
  },
  "type": "Microsoft.Authorization/locks"
}
--lock-type - Specifies the type of lock: CanNotDelete or ReadOnly
--resource-group - Specifies the resource group containing the resource
--resource-name - Specifies the name of the resource to lock
This command creates a read-only lock named 'LockReadOnly' on the storage account 'example-storage' in the resource group 'example-rg'. It prevents any changes to, or deletion of, the storage account.
Terminal
az lock create --name LockReadOnly --lock-type ReadOnly --resource-group example-rg --resource-name example-storage --resource-type Microsoft.Storage/storageAccounts
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Storage/storageAccounts/example-storage/providers/Microsoft.Authorization/locks/LockReadOnly",
  "name": "LockReadOnly",
  "properties": {
    "level": "ReadOnly",
    "notes": null
  },
  "type": "Microsoft.Authorization/locks"
}
--lock-type - Specifies the type of lock: CanNotDelete or ReadOnly
--resource-group - Specifies the resource group containing the resource
--resource-name - Specifies the name of the resource to lock
This command shows details about the 'LockDelete' lock on the virtual machine 'example-vm'. It helps verify the lock is applied correctly.
Terminal
az lock show --name LockDelete --resource-group example-rg --resource-name example-vm --resource-type Microsoft.Compute/virtualMachines
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/virtualMachines/example-vm/providers/Microsoft.Authorization/locks/LockDelete",
  "name": "LockDelete",
  "properties": {
    "level": "CanNotDelete",
    "notes": null
  },
  "type": "Microsoft.Authorization/locks"
}
This command removes the 'LockDelete' lock from the virtual machine 'example-vm', allowing deletion or modification again.
Terminal
az lock delete --name LockDelete --resource-group example-rg --resource-name example-vm --resource-type Microsoft.Compute/virtualMachines
Expected Output
No output (command runs silently)
Key Concept

If you remember nothing else from this pattern, remember: resource locks protect important Azure resources from accidental deletion or changes by enforcing delete or read-only restrictions.

Common Mistakes
Mistake: Trying to delete a locked resource without removing the lock first.
Consequence: Azure blocks deletion or modification of locked resources, causing errors.
Fix: Remove the lock using 'az lock delete' before deleting or modifying the resource.

Mistake: Applying a read-only lock when only deletion prevention is needed.
Consequence: Read-only locks prevent all changes, which might block needed updates.
Fix: Use a delete lock to only prevent deletion but allow updates.

Mistake: Not specifying the correct resource type or name when creating a lock.
Consequence: The lock will not apply to the intended resource, leaving it unprotected.
Fix: Double-check resource type and name to match the exact resource you want to lock.
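
Added example (not part of the original page): a small Python audit that takes lock objects shaped like the JSON output above and reports which resources are not covered at the level you intended, which is how the third mistake gets caught. It goes a step beyond the page by also counting locks inherited from a parent scope such as the resource group. The function names, the misspelled 'example-storag' account and the 'RgNoDelete' lock are constructed for illustration.

```python
LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # ReadOnly also blocks deletion

def lock_scope(lock_id):
    """Lower-cased scope (resource, group or subscription) a lock id hangs off."""
    lowered = lock_id.lower()  # Azure resource ids compare case-insensitively
    return lowered[: lowered.rindex(LOCK_SUFFIX)]

def lock_level(lock):
    """Read the level whether it is nested under properties (as on this page) or flat."""
    return lock.get("level") or (lock.get("properties") or {}).get("level")

def effective_level(resource_id, locks):
    """Strongest lock set on the resource itself or inherited from a parent scope."""
    target, best = resource_id.lower().rstrip("/"), None
    for lock in locks:
        scope, level = lock_scope(lock["id"]), lock_level(lock)
        # The trailing "/" stops 'example-storag' from matching 'example-storage'.
        covers = target == scope or target.startswith(scope + "/")
        if covers and level in RANK and (best is None or RANK[level] > RANK[best]):
            best = level
    return best

def audit(required, locks):
    """Map each under-protected resource id to the level it actually has (or None)."""
    gaps = {}
    for resource_id, wanted in required.items():
        have = effective_level(resource_id, locks)
        if have is None or RANK[have] < RANK[wanted]:
            gaps[resource_id] = have
    return gaps

# Constructed sample data: the page's example names, plus a misspelled storage
# account name and a group-level lock, both invented here for the demonstration.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/example-vm"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/example-storage"
AUTH = "/providers/Microsoft.Authorization/locks/"
SAMPLE_LOCKS = [
    {"id": VM + AUTH + "LockDelete", "properties": {"level": "CanNotDelete"}},
    {"id": SA[:-1] + AUTH + "LockReadOnly", "properties": {"level": "ReadOnly"}},  # typo'd name
    {"id": RG + AUTH + "RgNoDelete", "level": "CanNotDelete"},  # lock on the group
]
REQUIRED = {VM: "CanNotDelete", SA: "ReadOnly"}  # what you meant to protect

if __name__ == "__main__":
    for rid, have in audit(REQUIRED, SAMPLE_LOCKS).items():
        print(f"UNDER-PROTECTED {rid}: effective lock = {have}")
```

On the sample data the storage account is reported with an effective lock of CanNotDelete: the ReadOnly lock landed on the misspelled name, so only the group-level delete lock reaches the real account.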
Summary
Use 'az lock create' with --lock-type CanNotDelete or ReadOnly to protect Azure resources.
Verify locks with 'az lock show' to ensure they are applied correctly.
Remove locks with 'az lock delete' before making changes or deleting resources.