Resource Locks
Start course

As an IT professional tasked with managing resources in Azure, it’s important to understand key administrative roles and permissions within a subscription and within a resource group. It’s also important to know how to leverage Role Based Access Control (RBAC) for managing such administrative roles and permissions.

In the first part of this course, you will learn about Azure subscriptions.  You will learn about key roles within a subscription, including contributor, owner, reader, and user access administrator. You’ll also learn how to manage these roles by using RBAC. We’ll also cover subscription policies and the role they play in the management of an Azure subscription.

In the second part of the course, we’ll talk about resource groups in Azure.  We’ll touch on what they do and how they are managed. You will learn how to secure resources within a resource group via resource policies and resource locks.  You’ll also learn about resource tagging and how it can be used to manage and group Azure resources.

Rounding out this course, we’ll cover the process of moving resources from one resource group to another, as well as the deletion of resource groups altogether.

Learning Objectives

Azure Subscriptions

  • Understand the owner role
  • Understand the subscription administrator Role
  • How to manage roles and permissions with RBAC
  • Understand subscription policies

Resource Groups

  • Understanding the purpose of resource groups
  • How to leverage resource group policies
  • How to use resource locks to protect resources
  • How to leverage resource tags  
  • Moving resources between resource groups
  • Removing resource groups

Intended Audience

  • IT professionals interested in becoming Azure cloud architects
  • IT professionals preparing for Microsoft’s Azure certification exams


  • General knowledge of IT infrastructure
  • General knowledge of the Azure environment

Day-to-day administration will sometimes require you to lock a subscription, resource group, or specific resource to prevent other users from accidentally deleting or modifying critical resources. When this need arises, you can set resource locks by setting lock levels to CanNotDelete or to ReadOnly you can ensure resources are not deleted or modified.

In the Azure portal, the locks are called Delete and ReadOnly respectively. The CanNotDelete lock allows authorized users to read and modify a resource, but not delete the resource. ReadOnly allows authorized users to read a resource but not delete or update the resource.

Applying the ReadOnly lock is similar to restricting all authorized users to the permissions granted by the reader role. When a lock is applied at a parent scope all resources within that scope inherit the lock. Resources added later, will also inherit the lock from the parent.

The most restrictive lock in any inheritance takes precedence. It's important to note that applying ReadOnly can sometimes lead to unexpected results because some operations that appear to be read operations are actually operations that require additional actions. For example, a read-only lock on a storage account will prevent all users from listing the keys. This is because the list keys operation is handled through a post request because the keys returned are available for right operations.

Similarly, placing a ReadOnly lock on an app service resource will prevent visual studio server Explorer from displaying files for the resource because displaying files requires right access. To create or delete management locks, you must have access to Microsoft.authorization/* or Microsoft.authorization/locks/*actions. Only the built-in owner and user access administrator roles are granted these actions.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.