Resource group locks

By default, nothing stops a developer from deleting a resource group or a single resource in the Azure Portal. This short post shows what you can do to prevent such situations and save you time and nerves.

Locks in Azure Portal

Each resource group, and each resource it contains, has a Locks tab in the Settings section. What is a lock in this particular case? It's a specific property attached to your resource, which either forbids updates (by marking the resource as read-only) or prevents unintentional deletion.


Now if you try to delete a resource, you will get a message telling you that it's protected by a lock. To actually delete or update a resource secured by a lock, you first have to delete the lock.

Locks in ARM templates

ARM templates allow you to create a resource with a lock attached. If we take a look at the documentation:

    {
      "type": enum,
      "apiVersion": "2015-01-01",
      "name": string,
      "dependsOn": [ array values ],
      "properties": {
        "level": enum,
        "notes": string
      }
    }

we'll see that we have two possible levels of a lock:

  • CannotDelete
  • ReadOnly

Once a lock is applied, no one will be able to perform the forbidden action. Note that to create a lock, a user has to have access to the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions.
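The schema above filled in for a concrete case, as an added example that is not part of the original post: a template that deploys a storage account together with a CannotDelete lock scoped to that account. The parameter name `storageAccountName`, the lock name `storageDoNotDelete`, the notes text and the storage account's `apiVersion` are assumptions chosen for illustration; the lock's `apiVersion` is the one quoted above.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "StorageV2",
      "properties": {}
    },
    {
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2015-01-01",
      "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/storageDoNotDelete')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "properties": {
        "level": "CannotDelete",
        "notes": "Constructed example: this storage account must not be deleted."
      }
    }
  ]
}
```

The lock's `dependsOn` entry makes Resource Manager create the storage account first. Changing `level` to `ReadOnly` would block updates as well as deletion.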