Protect your Azure resources with a lock - Azure Resource Manager (2023)

As an administrator, you can lock an Azure subscription, resource group, or resource to protect it from accidental deletion and modification by users. Blocking will override all user permissions.

You can set locks that prevent deletions or changes. These locks are called up in the portalExtinguisheJust read. These locks are invoked on the command linecan not deleteeJust read.

• can not deletemeans that authorized users can read and modify a resource, but cannot delete it.
• Just readmeans authorized users can read a resource but cannot delete or update it. Applying this lock is similar to restricting all authorized users to the permissionsReaderfunction provides.

Unlike role-based access control (RBAC), you use management locks to enforce restriction on all users and roles. For more information on setting permissions for users and roles, seeAzure-RBAC.

block inheritance

If you apply a lock to a parent scope, all resources in that scope inherit the same lock. Even functions added later inherit the same parent lock. The most restrictive inheritance lock takes precedence.

extension functionsinherit locks from the resource they are applied to. For example, Microsoft.Insights/diagnosticSettings is an extension resource type. If you apply a diagnostic configuration to a storage blob and lock the storage account, you cannot delete the diagnostic configuration. This inheritance makes sense because the full diagnostic configuration resource ID is:

/subscriptions/{sub-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storage-name}/blobServices/default/providers/microsoft.insights/diagnosticSettings/{setting-name}"

Which corresponds to the scope of the locked resource's ID:

/subscriptions/{sub-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storage-name}

if you have oneExtinguishblock a resource and try to delete its resource group, the resource blocks the entire deletion process. Even if the resource group or other resources in the resource group are unlocked, the deletion doesn't take place. You never have a partial deletion.

If youcancel an Azure subscription:

• A function lock does not block the logoff.
• Azure preserves your resources by deactivating them instead of deleting them immediately.
• Azure simply permanently deletes your resources after a waiting period.

Understand the perimeter of blocks

Azure control plane operations go tohttps://management.azure.com. Azure data plane operations go to your service instance, e.ghttps://myaccount.blob.core.windows.net/. VerAzure control plane and data plane. To find out which operations use the control plane URL, read theAPI REST for Azure.

The distinction means that locks protect a resource from modification, but do not restrict how a resource performs its functions. A ReadOnly lock, for example on a logical SQL database server, protects it from being deleted or modified. It allows you to create, update or delete data in the server's database. Data plane operations enable data transactions. These orders will not go throughhttps://management.azure.com.

Considerations before applying your locks

Applying locks can produce unexpected results. Some operations that don't appear to change a resource require blocked actions. Locks prevent the POST method from sending data to the Azure Resource Manager (ARM) API. Some common examples of blocked operations are:

• A read-only lock on astorage accountprevents users from listing account keys. Azure Storage processes a POST requestlist keyProcess to protect access to account keys. Account keys provide full access to data in the storage account. When a storage account has a read-only lock, users who don't have account keys must use their Azure AD credentials to access blob or queue data. A read-only lock also prevents assignment of Azure RBAC roles associated with the storage account or a data container (blob container or queue).

• A read-only lock on astorage accountBacks up RBAC allocations associated with a storage account or a data container (blob container or queue).

• A read-only lock on astorage accountprevents the creation of a blob container.

• A read-only lock or a non-volatile lock on astorage accountdoes not prevent your data from being deleted or changed. It also doesn't protect any data in a blob, queue, table, or file.

• The Storage Accounts API is exposeddata planeControl planoperations. If used a requestdata planOperations, locking the storage account does not protect any blob, queue, table, or file data in that storage account. If the request usedControl planHowever, locking protects these resources.

  For example, when using a requestFile Shares - Delete, which is a control-level operation, the delete fails. If the request usedDelete share, which is a data-level operation, the delete operation succeeds. We recommend that you use a control plane operation.

• A read-only lock on aapp serviceThe feature prevents Visual Studio Server Explorer from viewing files for the feature because this interaction requires write access.

• A read-only lock on aresource groupthat contains aApp Service Planprevent youget on or off the plane.

• A read-only lock on aresource groupthat contains avirtual machineprevents all users from starting or restarting a virtual machine. These operations require a POST method request.

• A read-only lock on aresource groupthat contains aautomation accountprevents all runbooks from starting. These operations require a POST method request.

• A lock that cannot be cleared on aresource groupprevents Azure Resource ManagerAutomatically exclude deploymentsin the history. If you reach 800 historical deployments, your deployments will fail.

• A lock that cannot be erasedresource groupcreated byAzure Backup servicecauses backups to fail. The service supports a maximum of 18 recovery points. If blocked, the backup service cannot clean up recovery points. For more information, seeFrequently Asked Questions - Back up VMs to Azure.

• A lock that cannot be cleared on aresource groupThis containsAzure Machine LearningWorkspaces prevents automatic scaling ofAzure Machine Learning-Compute-Clusterto function properly. When locked, autoscale cannot remove unused nodes. Your solution is consuming more resources than the workload requires.

• A read-only lock on aLog Analytics workspacehinderUser and Entity Behavior Analysis (UEBA)to be activated.

• A lock that cannot be cleared on aLog Analytics workspacedoes not preventdata sanitization operations, remove thatdata cleaninguser role.

• A read-only lock on aSubscriptionhinderAzure Advisorto function properly. Advisor cannot save the results of its queries.

  (Video) Lab 8: Protecting Azure Resources with Resource Manager Locks

• A read-only lock on aapplication gatewayprevents you from getting the integrity of the Application Gateway backend. WhatThe operation uses a POST method, which blocks a read-only lock.

• A read-only lock on an Azure Kubernetes Service (AKS) cluster restricts access to cluster resources through the portal. A read-only lock prevents you from using the AKS cluster's Kubernetes resources section in the Azure portal to select a cluster resource. These operations require a POST method request for authentication.

• A lock that cannot be cleared on aVirtual machinewhich is protected bySite RecoveryPrevents certain links to Site Recovery-related resources from being removed correctly when you remove protection or disable replication. If you later want to protect the VM again, you must remove the lock before disabling protection. If you don't remove the lock, you need to take some steps to clean up stale links before backing up the VM. For more information, seeTroubleshoot Azure VM replication.

Who can create or delete blocks?

To create or delete management locks, you must accessMicrosoft.Authorization/*orMicrosoft.Authorization/locks/*Actions. Justownerit is atuser access managerBuilt-in roles can create and delete management locks. You can create a custom role with the required permissions.

Managed apps and locks

Some Azure services, e.g. B. Azure Databricksmanaged applicationsto implement the service. In this case, the service creates two resource groups. One is an unlocked resource group that contains an overview of the service. The other is a locked resource group that contains the service infrastructure.

If you try to delete the infrastructure resource group, you receive an error message that the resource group is locked. When you try to delete the infrastructure resource group lock, you receive an error message that the lock cannot be deleted because it is owned by a system application.

Instead, delete the service, which also deletes the infrastructure resource group.

For managed apps, select the service you provide.

Please note that the service contains a link to aManaged resource group. This resource group contains the infrastructure and is locked. You can only delete it indirectly.

To delete everything for the service, including the suspended infrastructure resource group, chooseExtinguishfor the service.

Configure locks

Portal

In the left navigation pane is the name of the signature lock featureresource locks, while the resource group lock resource name isCastles.

1. On the settings blade for the resource, resource group, or subscription you want to lockCastles.

   

   (Video) AZ-900 Episode 29 | Azure Resource Locks

2. To add a lock, selectAdd to. If you want to create a parent level lock, select the parent level. The currently selected resource inherits the lock from the parent resource. For example, you can lock a resource group to apply a lock to all of its resources.

   

3. Give the block a name and a block level. Optionally, you can add notes that describe the lock.

   

4. To clear the lock, selectExtinguishKnopf.

   

model

If you use an ARM template or bicep file to deploy a lock, it's good to understand how the staging scope and lock scope work together. To apply a deployment-related lock, e.g. For example, locking a resource group or a subscription, leave the scope property undefined. When locking a resource within the staging area, set the area property for the lock.

The following template applies a lock to the resource group to which it is deployed. Note that there is no area property for the lock feature as the lock area is the same as the staging area. Deploy this template at the resource group level.

{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { }, "resources": [ { "type": "Microsoft.Authorization/locks", "apiVersion": "2016-09-01", "name": "rgLock", "properties": { "level": "CanNotDelete" , "notes": "The resource group must not be deleted." } } ]}

To create and lock a resource group, deploy the following template at the subscription level.

{ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "rgName ": { "type": "string" }, "rgLocation": { "type": "string" } }, "variables": {}, "resources": [ { "type": "Microsoft.Resources/resourceGroups ", "apiVersion": "2021-04-01", "name": "[parameters('rgName')]", "location": "[parameters('rgLocation')]", "properties": {} }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "name": "lockDeployment", "resourceGroup": "[parameters('rgName')]", "dependsOn": [ "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" ], "properties": { "mode": "Incremental", "template": { "$schema ": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameter": {}, "variáveis": {}, "resources": [ { "type": "Microsoft.Authorization/locks", "apiVersion": "2016-09-01", "name": "rgLock", "properties": { "le vel ": "CanNotDelete", "notes": "O grupo de recursos e seus recursos não devem ser excluídos." } } ], "saídas": {} } } } ], "saídas": {}}

When applying a lock to aResourceWithin the resource group, include the scope property. Set the scope to the name of the resource to lock.

The following example shows a template that creates an App Service plan, a site, and a block on the site. The scope of the ban is set to the site.

{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "hostingPlanName ": { "type": "string" }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]" } }, "variables": { "siteName": "[concat('ExampleSite', uniqueString(resourceGroup().id))]" }, "resources": [ { "type": "Microsoft.Web/serverfarms", "apiVersion": "2020-12-01" , "name": "[parameters('hostingPlanName')]", "location": "[parameters('location')]", "sku": { "tier": "Free", "name": "f1 ", "capacity": 0 }, "properties": { "targetWorkerCount": 1 } }, { "type": "Microsoft.Web/sites", "apiVersion": "2020-12-01", "name" : "[variables('siteName')]", "location": "[parameters('location')]", "dependsOn": [ "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName') )]" ], "properties": { "serverFarmId": "[parameters('hostingPlanName')]" } }, { "type": "Microsoft.Authorization/locks", "apiVersion": "2016-09-01 “, „nom e": "siteLock", "scope": "[concat('Microsoft.Web/sites/', variables('siteName'))]", "dependsOn": [ "[resourceId('Microsoft.Web/sites ', variables('siteName'))]" ], "properties": { "level": "CanNotDelete", "notes": "O site não deve ser excluído." } } ]}

Azure-PowerShell

You lock down resources deployed with Azure PowerShell usingNew-AzResourceLockCommand.

To lock a resource, specify the resource's name, its resource type, and its resource group name.

New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To lock a resource group, specify the resource group name.

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleresourcegroup

Use for information about a lockGet-AzResourceLock. To get all locks in your signature use:

Get-AzResourceLock

To get all locks on a resource:

Get-AzResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To get all locks for a resource group, use:

Get-AzResourceLock -ResourceGroupName Sample resource group

To clear a lock on a resource, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite -ResourceType Microsoft.Web/sites).LockIdRemove-AzResourceLock -LockId $lockId

To clear a lock on a resource group, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup).LockIdRemove-AzResourceLock -LockId $lockId

CLI power Azure

You lock resources deployed with the Azure CLI usingcreate azlockCommand.

To lock a resource, specify the resource's name, its resource type, and its resource group name.

az lock create --name LockSite --lock-type CanNotDelete --resource-group exampleresourcegroup --resource-name examplesite --resource-type Microsoft.Web/sites

To lock a resource group, specify the resource group name.

az lock create --name LockGroup --lock-type CanNotDelete --resource-group exampleresourcegroup

Use for information about a lockthe Sperrliste. To get all locks in your signature use:

the Sperrliste

To get all locks on a resource:

az lock list --resource-group exampleresourcegroup --resource-name examplesite --namespace Microsoft.Web --resource-type sites --pai ""

To get all locks for a resource group, use:

az blacklist --resource-group exampleresourcegroup

To clear a lock on a resource, use:

lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup --resource-type Microsoft.Web/sites --resource-name examplesite --output tsv --query id)az lock delete --ids $lockid

To clear a lock on a resource group, use:

lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup --output tsv --query id)az lock delete --ids $lockid

API-REST

You can lock deployed resources withREST API to manage locks. The REST API allows you to create and delete locks and get information about existing locks.

To create a lock, run:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/locks/{lock-name}?api-version={api-version}

The scope can be a subscription, resource group, or resource. The lock name can be anything. For using the API version01.09.2016.

In the request, include a JSON object that specifies locking properties.

{ "properties": { "level": "CanNotDelete", "notes": "Optionale Textnotizen." }}

Next Steps

• To organize your resources logically, seeUsing tags to organize your resources.
• Custom policies allow you to enforce restrictions and conventions for your subscription. For more information, seeWhat is Azure Policy?.
• For guidance on how organizations can use Resource Manager to efficiently manage subscriptions, seeAzure Enterprise Framework - Mandatory subscription governance.