Management and Governance Management locks premium

CanNotDelete lock

A CanNotDelete lock is an Azure Resource Manager management lock that prevents a resource, resource group, or subscription from being deleted while still allowing many read and update operations. In plain English, it is a protection against accidental or unauthorized deletion. Teams place it on critical storage accounts, networking resources, production resource groups, or shared services where deletion would be painful. The lock does not make a resource immutable or fully read-only; it blocks delete actions at the protected scope and inherited child scopes.

Back to glossary browser Open Microsoft Learn source
Aliases
delete lock
Difficulty
intermediate
CLI mappings
4
Last verified
2026-05-12

Microsoft Learn

A CanNotDelete lock is an Azure Resource Manager management lock that prevents a resource, resource group, or subscription from being deleted while still allowing many read and update operations. Microsoft Learn places it in Lock your Azure resources to protect your infrastructure; operators confirm scope, configuration, dependencies, and production impact.

Microsoft Learn: Lock your Azure resources to protect your infrastructure2026-05-12

Technical context

Technically, CanNotDelete is one of the Azure management lock levels. Locks can be applied at subscription, resource group, or resource scope, and child resources inherit locks from parent scopes. Resource Manager evaluates the lock before allowing delete operations, even when the user otherwise has RBAC permission. Operators inspect locks through the portal, az lock commands, ARM, Bicep, activity logs, and deployment failures. Because locks can affect cleanup, deployment history, backup retention, and service-managed operations, they must be documented with owner and exception process.

Why it matters

CanNotDelete lock matters because accidental deletion is one of the simplest ways to create a severe outage. A critical storage account, firewall, key vault, virtual network, or production resource group can be protected from casual cleanup or mistaken automation by applying the lock. It also supports audit expectations for crown-jewel resources. The tradeoff is operational friction: legitimate deletions, restore-point cleanup, deployment history cleanup, or service-managed lifecycle tasks may fail until the lock is removed. The value comes from using the lock deliberately on resources that deserve protection, with a clear process for emergency removal and reapplication. That evidence keeps accountability clear.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the Azure portal Locks blade, CanNotDelete appears with lock name, level, notes, scope, inherited status, and resource or group target. for governance and incident response.

Signal 02

In CLI or ARM output, the lock appears as Microsoft.Authorization/locks with level CanNotDelete, lock ID, scope, owners, and deployment metadata. for governance and incident response.

Signal 03

In deployment or deletion failures, lock evidence appears as blocked delete operations, Activity Log records, error messages, and temporary removal approvals. for governance and incident response.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • List locks at subscription, resource group, and resource scope during a failed deletion.
  • Create standard locks from source-controlled templates for critical platform resources.
  • Capture lock removal and reapplication evidence during approved maintenance.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

CanNotDelete lock for treasury storage

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Silvergate Treasury Services, a financial operations firm, stored daily settlement files in Azure Storage and needed protection against accidental deletion by cleanup automation.

Business/Technical Objectives
  • Prevent deletion of the production settlement storage account
  • Allow approved configuration changes without full read-only lock
  • Audit any lock removal before maintenance
  • Keep disaster-recovery tests from bypassing protection
Solution Using CanNotDelete lock

The platform team applied a CanNotDelete management lock at the storage-account scope using Bicep and recorded the lock reason in deployment metadata. RBAC limited lock management to the cloud platform group, while storage data access stayed controlled separately. Activity Log alerts notified security if the lock was modified or removed. The maintenance runbook required a change ticket, two-person approval, temporary lock removal, the planned delete or replace action, and immediate reapplication. Disaster-recovery tests verified that restoration workflows respected the locked resource and did not depend on deleting it. The team reviewed results with application owners before closing the change record. Support notes documented rollback ownership and business approval. Risks were reviewed.

Results & Business Impact
  • No production settlement storage deletion occurred after automation rollout
  • Lock-change alerts were reviewed within 15 minutes
  • Maintenance lock removals had complete approval evidence
  • DR testing passed without weakening storage data controls
Key Takeaway for Glossary Readers

A CanNotDelete lock is useful when deletion prevention is needed without blocking every configuration update.

Case study 02

CanNotDelete lock for municipal network hub

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Greenfield City IT, a public-sector technology team, had a shared Azure virtual network hub supporting police, utilities, and public works applications.

Business/Technical Objectives
  • Prevent accidental deletion of hub networking resources
  • Document emergency lock removal process
  • Keep normal firewall and route updates possible
  • Reduce confusion during resource group cleanup
Solution Using CanNotDelete lock

Cloud engineers applied CanNotDelete locks to the hub resource group and selected critical child resources, including the virtual network, gateway, and firewall. They avoided a ReadOnly lock because routine route and rule updates were required. The runbook taught operators how to list inherited locks and distinguish lock errors from RBAC or Azure Policy failures. Activity Log alerts watched for lock removal, and cleanup scripts were changed to skip locked production scopes. Quarterly reviews confirmed that the locks still protected active shared services. The team reviewed results with application owners before closing the change record. Support notes documented rollback ownership and business approval. Risks were reviewed. Evidence remained available for later audit review. Operators reviewed lessons learned after completion.

Results & Business Impact
  • Two mistaken cleanup attempts were safely blocked
  • Network rule updates continued without lock-related change failures
  • Operator triage of lock errors dropped from 40 minutes to 8 minutes
  • Quarterly audit found no undocumented lock removals
Key Takeaway for Glossary Readers

A CanNotDelete lock can protect shared infrastructure while still allowing controlled operational changes.

Case study 03

CanNotDelete lock for SaaS recovery vaults

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

NimbusCRM, a SaaS provider, needed to protect Recovery Services vaults used for VM backups after an engineer accidentally deleted a test vault during cleanup.

Business/Technical Objectives
  • Protect production backup vaults from deletion
  • Avoid blocking backup jobs and retention cleanup unnecessarily
  • Alert platform owners on lock changes
  • Define when lock removal is allowed
Solution Using CanNotDelete lock

The infrastructure team applied CanNotDelete locks to production Recovery Services vault resources rather than broadly locking every backup resource group. They reviewed Azure Backup behavior and tested retention operations before final rollout. RBAC allowed backup operators to manage policies and jobs but not remove locks. Activity Log alerts notified the platform security channel if any vault lock changed. The documented exception path required verifying restore points, exporting backup job status, performing the approved maintenance action, and reapplying the lock before closing the ticket. The team reviewed results with application owners before closing the change record. Support notes documented rollback ownership and business approval. Risks were reviewed. Evidence remained available for later audit review.

Results & Business Impact
  • No production backup vault deletion occurred during cleanup campaigns
  • Backup policy changes continued without unnecessary lock failures
  • Lock-change alerts had complete owner acknowledgment
  • Restore-readiness evidence improved for compliance audits
Key Takeaway for Glossary Readers

CanNotDelete locks are strongest when applied at the right scope and paired with tested backup operations.

Why use Azure CLI for this?

Use CLI, ARM, and Activity Log for CanNotDelete locks because inherited scopes and deletion failures need precise evidence before removing protection.

CLI use cases

  • List locks at subscription, resource group, and resource scope during a failed deletion.
  • Create standard locks from source-controlled templates for critical platform resources.
  • Capture lock removal and reapplication evidence during approved maintenance.

Before you run CLI

  • Confirm tenant, subscription, scope, resource group, region, and environment before collecting or changing production evidence.
  • Use least-privileged access and avoid exposing keys, tokens, personal data, billing details, or confidential topology in output.
  • Know whether the command is read-only, mutating, cost-impacting, or security-impacting before running it in production.

What output tells you

  • Output confirms whether the live configuration exists at the expected Azure scope and matches the approved design.
  • Returned properties, metrics, or logs help separate healthy service behavior from drift, missing configuration, or workload symptoms.
  • Differences between environments provide evidence for rollback, tuning, support escalation, audit review, or owner follow-up.

Mapped Azure CLI commands

Management locks CLI commands

direct
az lock list --resource-group <resource-group> --output table
az lockdiscoverManagement and Governance
read-only Microsoft docs
az lock create --name <lock-name> --lock-type CanNotDelete --resource-group <resource-group>
az locksecureManagement and Governance
mutating Microsoft docs
az lock show --name <lock-name> --resource-group <resource-group>
az lockdiscoverManagement and Governance
read-only Microsoft docs
az lock delete --name <lock-name> --resource-group <resource-group>
az lockremoveManagement and Governance
destructive Microsoft docs

Architecture context

CanNotDelete lock matters because accidental deletion is one of the simplest ways to create a severe outage. A critical storage account, firewall, key vault, virtual network, or production resource group can be protected from casual cleanup or mistaken automation by applying the lock. It also supports audit expectations for crown-jewel resources. The tradeoff is operational friction: legitimate deletions, restore-point cleanup, deployment history cleanup, or service-managed lifecycle tasks may fail until the lock is removed. The value comes from using the lock deliberately on resources that deserve protection, with a clear process for emergency removal and reapplication. That evidence keeps accountability clear.

Security

Security for a CanNotDelete lock starts with understanding that it supplements RBAC but does not replace it. Users might still modify configuration, rotate settings, or read data if their roles allow those actions. Lock management permissions should be limited to platform or security operators, and lock removal should require approval for production. Audit Activity Log for create, update, and delete-lock events, especially before resource deletion attempts. Avoid using locks as a substitute for backup, soft delete, private networking, or least privilege. A malicious insider with lock permissions can remove protection first, so monitor and alert on lock changes. Review exceptions after each change.

Cost

Cost impact is indirect but real. A CanNotDelete lock can prevent accidental deletion of business-critical resources, avoiding expensive outage recovery. It can also keep unused resources alive if teams forget to remove locks during decommissioning. Locked resource groups may block cleanup of deployment history or backup restore points, creating operational issues and sometimes extra storage or management effort. FinOps teams should include lock review in cleanup campaigns so protected resources are either justified or removed through an approved path. The best cost outcome is protecting valuable assets without letting locks preserve waste. Review outcomes after each billing cycle. Review outcomes after each billing cycle.

Reliability

Reliability improves when CanNotDelete locks protect resources whose deletion would interrupt recovery, networking, identity, storage, or shared platform services. But reliability can also suffer if locks block legitimate cleanup or service operations. Azure Backup, deployment history, and automation can encounter problems when locks are placed at broad resource group scope without understanding side effects. Test operational workflows before applying locks widely. Runbooks should explain how to identify the blocking lock, who can approve temporary removal, how to perform the maintenance action, and how to reapply protection. Reliable lock use balances deletion safety with maintainability. Test the recovery path regularly. Test the recovery path regularly.

Performance

Performance is not directly changed by a CanNotDelete lock, but performance operations can be affected. Teams may need to delete and recreate resources, replace gateways, rotate storage accounts, or clean deployment artifacts during tuning or repair, and a lock can block those steps. Operators should know whether performance remediation is a modification, scale action, or delete operation. If removing a lock is required during a performance incident, approvals must be fast and documented. Locks should not be blamed for runtime latency, but they can slow the operational path used to fix a constrained or misconfigured resource. Document baseline measurements before tuning.

Operations

Operationally, every CanNotDelete lock should have a name, scope, reason, owner, approval path, and review date. Platform teams should prefer source-controlled deployment for standard locks and avoid mystery portal changes. During incidents or cleanup, operators need commands to list inherited locks and determine whether a failure is caused by RBAC, policy, or lock protection. Change records should capture lock removal and reapplication. Periodic reviews should find locks on retired environments, test resource groups, or automation-managed scopes where they create unnecessary friction. Good operations make locks visible and intentional rather than surprising. Keep owners and evidence current. Keep owners and evidence current.

Common mistakes

  • Assuming CanNotDelete prevents configuration changes or data access by itself.
  • Applying broad resource group locks without testing backup, cleanup, and deployment workflows.
  • Removing a production lock for maintenance and forgetting to reapply it afterward.