How to Protect Azure Resources by Adding Locks?

Azure Resource Lock:

In Azure, adding a resource lock protects resources against accidental deletion and modification, even by users who otherwise hold Owner or Contributor rights. A ReadOnly lock applied at resource group or subscription scope also blocks the creation of new resources in that scope, because creating a resource is a write operation under the locked parent. Locks are a guard against mistakes, not an access-control boundary: any principal that is allowed to manage locks can simply remove them before deleting the resource.

What types of resource locks are available in Azure?

In Azure, there are two types of resource locks; either can be applied at a chosen scope or to an individual resource.

  • ReadOnly lock: authorized users can read the resource but cannot modify or delete it; everyone is effectively reduced to the Reader role's permissions on that scope. Use this level with care, because some operations that look like reads are POST requests and are blocked too, for example listing storage account keys or starting a virtual machine.
  • CanNotDelete lock: authorized users can still read and modify the resource, but cannot delete it.

Where can we apply locks in Azure?

In Azure, we can apply locks at three different scopes:

  1. Subscription Level
  2. Resource Group Level
  3. Resource Level

Whenever we add a resource lock at a parent scope, all resources within that scope inherit the lock. When locks exist at several levels, the most restrictive one applies: a ReadOnly lock inherited from the subscription overrides a CanNotDelete lock set directly on a resource.

Example 1: If you apply a lock at the subscription level, every resource group and every resource in the subscription inherits it.

Example 2: If you apply a lock at the resource group level, every resource in that resource group inherits it, regardless of resource type.
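Because inherited locks do not show up on the child resource itself, the quickest way to see what actually protects a resource group is to list every lock in the subscription and match lock scopes against the group's scope. The script below is an added example, not code from the original page; it assumes the Az.Resources module is installed and that Connect-AzAccount and Set-AzContext have already selected the subscription to audit. It reports, for each resource group, the most restrictive effective lock and where it was inherited from, and warns about groups with no lock at all.

```powershell
# Added example: report the effective (direct or inherited) lock on every resource
# group in the current subscription. Assumes Az.Resources and a signed-in context.

# A lock's ResourceId ends in ".../providers/Microsoft.Authorization/locks/<name>";
# stripping that suffix gives the scope the lock was applied to.
function Get-LockScope {
    param([Parameter(Mandatory)][string]$LockResourceId)
    return ($LockResourceId -replace '/providers/Microsoft\.Authorization/locks/[^/]+$', '')
}

# Rank the two lock levels so the most restrictive one wins when several apply.
$LevelRank = @{ 'ReadOnly' = 2; 'CanNotDelete' = 1 }

function Get-EffectiveLock {
    param(
        [Parameter(Mandatory)][string]$Scope,      # e.g. /subscriptions/<id>/resourceGroups/<rg>
        [Parameter(Mandatory)][object[]]$AllLocks  # output of Get-AzResourceLock
    )
    $Effective = $null
    foreach ($Lock in $AllLocks) {
        $LockScope = Get-LockScope -LockResourceId $Lock.ResourceId
        # The lock applies if it sits at this scope or at an ancestor scope.
        # Resource IDs are case-insensitive, so compare accordingly.
        $Applies = ($Scope -eq $LockScope) -or
                   $Scope.StartsWith("$LockScope/", [System.StringComparison]::OrdinalIgnoreCase)
        if (-not $Applies) { continue }

        $Level = $Lock.Properties.level
        if ($null -eq $Effective -or $LevelRank[$Level] -gt $LevelRank[$Effective.Level]) {
            $Effective = [pscustomobject]@{
                Level         = $Level
                LockName      = $Lock.Name
                InheritedFrom = $LockScope
            }
        }
    }
    return $Effective
}

$Context  = Get-AzContext
$SubScope = "/subscriptions/$($Context.Subscription.Id)"
$AllLocks = @(Get-AzResourceLock)   # every lock at subscription scope and below

foreach ($RG in Get-AzResourceGroup) {
    $RGScope = "$SubScope/resourceGroups/$($RG.ResourceGroupName)"
    $Eff = Get-EffectiveLock -Scope $RGScope -AllLocks $AllLocks
    if ($null -eq $Eff) {
        Write-Warning "$($RG.ResourceGroupName): no lock, direct or inherited"
    } else {
        Write-Output ("{0}: {1} via lock '{2}' at {3}" -f `
            $RG.ResourceGroupName, $Eff.Level, $Eff.LockName, $Eff.InheritedFrom)
    }
}
```

The same Get-EffectiveLock function works for an individual resource: pass its full resource ID as the scope, and any lock on the resource, its resource group or the subscription will be matched.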

Q) Who can add locks on Azure Resources?

Ans) Only users whose role grants the Microsoft.Authorization/locks/* actions (or the broader Microsoft.Authorization/*) can add locks. Of the built-in roles, Owner and User Access Administrator have this permission; Contributor does not, because its NotActions exclude writes under Microsoft.Authorization. A custom role that includes Microsoft.Authorization/locks/* can be used to delegate lock management without handing out Owner.

Q) Who can delete locks on Azure Resources?

Ans) The same permission is required to delete a lock: Owner, User Access Administrator, or a custom role that includes Microsoft.Authorization/locks/*. Because an Owner can always remove a lock, locks do not defend against a malicious or compromised Owner; if you need to know when a lock is removed, alert on the Microsoft.Authorization/locks/delete operation in the activity log.
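To check which roles in your tenant can actually manage locks, and to delegate that ability without granting Owner, the following added example (not code from the original page) does two things: it filters Get-AzRoleDefinition for roles whose Actions cover lock write and delete and whose NotActions do not take them away, and it then creates a least-privilege custom role that can only read resources and manage locks. It assumes the Az.Resources module and a signed-in context; the subscription ID and the role name "Resource Lock Administrator" are placeholders to replace.

```powershell
# Added example: find roles able to manage locks, then create a custom role that
# can manage locks and nothing else. Assumes Az.Resources and a signed-in context.

$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
$RoleName       = "Resource Lock Administrator"            # placeholder, any unused name

# True if the role definition allows both lock write and lock delete.
# PowerShell -like treats the "*" in role action patterns as a wildcard, so
# "Microsoft.Authorization/*" and "*" match the specific actions we need.
function Test-RoleCanManageLocks {
    param([Parameter(Mandatory)]$Role)   # an object returned by Get-AzRoleDefinition
    $Needed = @('Microsoft.Authorization/locks/write', 'Microsoft.Authorization/locks/delete')
    foreach ($Action in $Needed) {
        $Allowed = @($Role.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
        $Denied  = @($Role.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
        if (-not $Allowed -or $Denied) { return $false }
    }
    return $true
}

# 1) Which role definitions (built-in and custom) can add or remove locks?
#    Expect Owner and User Access Administrator; Contributor is excluded because its
#    NotActions contain Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete.
Get-AzRoleDefinition |
    Where-Object { Test-RoleCanManageLocks -Role $_ } |
    Select-Object Name, IsCustom |
    Format-Table -AutoSize

# 2) Create a custom role limited to reading resources and managing locks.
#    Uses the built-in Reader definition as a template, the documented pattern for
#    custom roles in Azure PowerShell.
$Role = Get-AzRoleDefinition -Name "Reader"
$Role.Id = $null
$Role.IsCustom = $true
$Role.Name = $RoleName
$Role.Description = "Can read resources and create, update or delete resource locks. No other write access."
$Role.Actions.Clear()
$Role.Actions.Add("*/read")                             # browse resources
$Role.Actions.Add("Microsoft.Authorization/locks/*")    # manage locks only
$Role.NotActions.Clear()
$Role.AssignableScopes.Clear()
$Role.AssignableScopes.Add("/subscriptions/$SubscriptionId")
New-AzRoleDefinition -Role $Role

# Confirm the new role passes the same check used above.
Test-RoleCanManageLocks -Role (Get-AzRoleDefinition -Name $RoleName)
```

Assign the role with New-AzRoleAssignment at the narrowest scope that makes sense (a single resource group if that is all the operator needs); the role can lock and unlock resources there but cannot change role assignments or modify the resources themselves.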

Q) What is the use of Azure Resource Locks?

Ans) Adding locks protects existing Azure resources from accidental deletion (CanNotDelete) or from accidental modification and deletion (ReadOnly).

Q) What are the ways to remove a lock on Azure Resources?

Ans) Locks can be removed with the Azure portal, Azure PowerShell, the Azure CLI, or the REST API. Whichever tool is used, the caller needs the Microsoft.Authorization/locks/delete permission at the lock's scope.

Azure Resource Lock Operations:

The Az.Resources PowerShell module is required for the commands below (install it with Install-Module Az, then sign in with Connect-AzAccount).

Add Lock on Azure Resource Group:

New-AzResourceLock -LockLevel CanNotDelete -LockName "CanNotDeleteLock" -ResourceGroupName "_add_rg_name_" -Force

Remove Lock on Azure Resource Group:

Remove-AzResourceLock -LockName "CanNotDeleteLock" -ResourceGroupName "_add_rg_name_"

(The -LockName value must be the name given when the lock was created, "CanNotDeleteLock" in the command above, not the lock level.)

Remove Lock on Azure Resource Group without the confirmation prompt (-Force):

Remove-AzResourceLock -LockName "CanNotDeleteLock" -ResourceGroupName "_add_rg_name_" -Force

Add Lock on Azure Resources:

New-AzResourceLock `
  -LockLevel CanNotDelete `
  -LockName "CanNotDeleteLock" `
  -ResourceGroupName "_add_rg_name_" `
  -ResourceName "_add_resource_name_" `
  -ResourceType "Microsoft.Compute/virtualMachines" `
  -Force

Automate Adding Resource Group Locks in Azure via PowerShell:

PowerShell Script to Add Resource Group Locks.

$Subscription = ""          # subscription display name
$ResourceGroupName = ""     # resource group to lock
# Run Connect-AzAccount first if there is no active Azure session
Set-AzContext -SubscriptionName "$Subscription"
New-AzResourceLock -LockLevel CanNotDelete -LockName "CanNotDeleteLock" -ResourceGroupName "$ResourceGroupName" -Force

PowerShell Script to Add Locks for Selected List of Resource Groups.

$Subscription = ""
Set-AzContext -SubscriptionName "$Subscription"
$RGs = Get-AzResourceGroup
$RGList = @("RG01","RG02","RG09","Test-RG01")   # only these resource groups get locked
foreach ($RG in $RGs) {
  $ResourceGroupName = $RG.ResourceGroupName
  # Skip resource groups that are not on the list
  if ($RGList -contains $ResourceGroupName) {
    Write-Output ("ResourceGroup  : $ResourceGroupName")
    New-AzResourceLock -LockLevel CanNotDelete -LockName "CanNotDeleteLock" -ResourceGroupName "$ResourceGroupName" -Force
  }
}
# Names in $RGList that do not exist in the subscription would otherwise be skipped silently
$Missing = $RGList | Where-Object { $_ -notin $RGs.ResourceGroupName }
if ($Missing) { Write-Warning ("Not found in subscription: " + ($Missing -join ", ")) }

PowerShell Script to Add Locks to All Resource Groups within a Subscription.

$Subscription = ""
Set-AzContext -SubscriptionName "$Subscription"
$RGs = Get-AzResourceGroup
foreach ($RG in $RGs) {
  $ResourceGroupName = $RG.ResourceGroupName
  Write-Output ("ResourceGroup  : $ResourceGroupName")
  # -Force suppresses the per-lock confirmation prompt
  New-AzResourceLock -LockLevel CanNotDelete -LockName "CanNotDeleteLock" -ResourceGroupName "$ResourceGroupName" -Force
}

Microsoft reference documentation:

👉 Get-AzResourceLock 
👉 New-AzResourceLock 
👉 Set-AzResourceLock 
👉 Remove-AzResourceLock