Lock Resources from Deletion in Azure Resource Manager Portal

If you are worried that your resources might be deleted in Azure Resource Manager (ARM), here are a few useful tips I want to share with you. You might already know that ARM has role-based access control (RBAC), which lets you assign different permissions to users and roles. There is a great quick intro about RBAC and how to manage access to your ARM resources.

But what I want to show you today is how to lock resources with the Lock feature in ARM. There are two lock types: Read-only and Delete.

  • A Read-only lock still lets users and administrators access (read) the resources, but nobody can update, change or delete those artifacts.
  • A Delete lock prevents the resources from being deleted, but still allows them to be modified.

You can apply locks at the Resource Group level or to individual items. If a lock is applied at the Resource Group level, every artifact that belongs to that Resource Group falls under the same lock.

Let's try a few examples. To create a lock on a Resource Group, I select the group and click Locks under Settings. New resources can still be created in this Resource Group, and all new items will fall under the read-only lock.

If I select any item within this Resource Group and open its Locks menu, it prompts me with a warning message.

I created a test VNET in this Resource Group, and when I try to add another Subnet I get an error message.

It is worth mentioning that I am performing these actions with the same account, which has administrative privileges on the Azure subscription. Other administrators will get exactly the same result until the lock is deleted from the Resource Manager.

If you want to delete a lock, select the ellipsis and choose Delete.

You can also create, change and delete lock resources with PowerShell:

# Create a Delete (CanNotDelete) lock on a single web site
New-AzureRmResourceLock -LockLevel CanNotDelete -LockNotes "My lock notes" -LockName mylock -ResourceName mySite -ResourceType microsoft.web/sites

# Change the level and notes of an existing lock on a resource
Set-AzureRmResourceLock -LockName test -ResourceName myResource -ResourceType microsoft.web/sites -ResourceGroupName myResourceGroup -LockLevel CanNotDelete -LockNotes "Updated note"

# Delete a lock by its full ID (the lock's scope followed by /providers/Microsoft.Authorization/locks/<name>)
Remove-AzureRmResourceLock -ResourceId /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-Storage-SouthCentralUS/providers/Microsoft.ClassicStorage/storageAccounts/mystorageaccount/providers/Microsoft.Authorization/locks/test
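As an added example (editor's code, not from the original post or from Microsoft), the script below assumes an authenticated AzureRm session and the AzureRM.Resources cmdlets used above; the function names Get-LockScope, Protect-ResourceGroup and Find-UnprotectedResourceGroups, the lock name and notes, and the subscription id and resource group name are hypothetical. It applies a Delete lock at resource group scope and then audits the current subscription for resource groups that have no lock at group or subscription scope, using the fact that a lock's ResourceId is its scope followed by /providers/Microsoft.Authorization/locks/<name>.

```powershell
# Added example, not part of the original post. Assumes Login-AzureRmAccount has
# already been run and the AzureRM.Resources module is loaded. All names and ids
# below are constructed placeholders.

# A lock's ResourceId is "<scope>/providers/Microsoft.Authorization/locks/<name>",
# so the scope the lock protects is everything before that suffix.
function Get-LockScope {
    param([Parameter(Mandatory)][string]$LockId)
    return ($LockId -replace '(?i)/providers/Microsoft\.Authorization/locks/[^/]+$', '')
}

# Apply a Delete (CanNotDelete) lock at resource group scope: every resource in
# the group inherits it, but the resources can still be modified.
function Protect-ResourceGroup {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string]$LockName = 'no-delete',
        [string]$Notes = 'Delete lock applied by the platform team'
    )
    New-AzureRmResourceLock -LockLevel CanNotDelete -LockName $LockName `
        -LockNotes $Notes -ResourceGroupName $ResourceGroupName -Force
}

# Audit: return the names of resource groups in the current subscription that
# have no lock at resource group or subscription scope. A lock on one child
# resource does not protect the group itself, so such locks are ignored here.
function Find-UnprotectedResourceGroups {
    foreach ($rg in Get-AzureRmResourceGroup) {
        # "/subscriptions/<id>/resourceGroups/<name>" minus the group part
        $subscriptionScope = $rg.ResourceId -replace '(?i)/resourceGroups/[^/]+$', ''
        $protected = $false
        # Get-AzureRmResourceLock -ResourceGroupName returns locks at, above and
        # below the group, hence the scope comparison (string -eq is case-insensitive).
        foreach ($lock in (Get-AzureRmResourceLock -ResourceGroupName $rg.ResourceGroupName)) {
            $scope = Get-LockScope -LockId $lock.ResourceId
            $level = $lock.Properties.level
            if (($scope -eq $rg.ResourceId -or $scope -eq $subscriptionScope) -and
                ($level -eq 'CanNotDelete' -or $level -eq 'ReadOnly')) {
                $protected = $true
                break
            }
        }
        if (-not $protected) { $rg.ResourceGroupName }
    }
}

# Usage (placeholder subscription id and resource group name):
Get-LockScope -LockId '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Authorization/locks/no-delete'
Protect-ResourceGroup -ResourceGroupName 'prod-rg'
Find-UnprotectedResourceGroups
```

Running Find-UnprotectedResourceGroups on a schedule, and alerting on any name it returns, turns the lock into a verifiable control rather than a one-off portal click; a ReadOnly lock counts as protection here because it also blocks deletion.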

One comment

  1. This is a good article, but I am missing details.
    I have a lock that I need deleted, so I do the following to view the locked resource.
    Get-AzureRmResourceLock -ResourceGroupName "HyvaAZureMXiecrdps2m7hlq"
    The result I get is below.
    Name : e66f5b3b08274953a0be4cd24e589cc6
    ResourceId : /subscriptions/f89af0cb-a5e3-4982-906e-f935914fe922/resourceGroups/HyvaAZureMXiecrdps2m7hlq/providers/Microsoft.Authorization/locks/e66f5b3b08274953a0be4cd24e589cc6
    ResourceName : e66f5b3b08274953a0be4cd24e589cc6
    ResourceType : Microsoft.Authorization/locks
    ResourceGroupName : HyvaAZureMXiecrdps2m7hlq
    SubscriptionId : f89af0cb-a5e3-4982-906e-f935914fe922
    Properties : @{level=ReadOnly}
    LockId : /subscriptions/f89af0cb-a5e3-4982-906e-f935914fe922/resourceGroups/HyvaAZureMXiecrdps2m7hlq/providers/Microsoft.Authorization/locks/e66f5b3b08274953a0be4cd24e589cc6

    So then I run the command.
    Get-AzureRmResourceLock -ResourceGroupName "HyvaAZureMXiecrdps2m7hlq" | Remove-AzureRmResourceLock -Force
    I get the following error:
    Remove-AzureRmResourceLock : UnauthorizedApplicationId : The management lock ‘e66f5b3b08274953a0be4cd24e589cc6’ is owned by system application(s) ‘ba4bc2bd-843f-4d61-9d33-199178eae34e’. Please see https://aka.ms/arm-lock for detail.
    At line:1 char:73
    + … upName “HyvaAZureMXiecrdps2m7hlq” | Remove-AzureRmResourceLock -Force
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Remove-AzureRmResourceLock], ErrorResponseMessageException
    + FullyQualifiedErrorId : UnauthorizedApplicationId,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.RemoveAzureResourceLockCmdlet

    I do understand that you cannot delete the resource from the child perspective, but how can I find out what the parent resource is?

    The management lock ‘e66f5b3b08274953a0be4cd24e589cc6’ is owned by system application(s) ‘ba4bc2bd-843f-4d61-9d33-199178eae34e’.

    I think I should try to delete ‘ba4bc2bd-843f-4d61-9d33-199178eae34e’, where and how?
