Management and Governance Azure Resource Manager verified

Resource lock

A resource lock is a control-plane safety catch for Azure resources. It tells Azure Resource Manager to block deletion or broader changes even when the user normally has permission. CanNotDelete is the common production guardrail because it stops accidental removal while still allowing most updates. ReadOnly is stricter and can break normal operations if used carelessly. Locks are not backups, RBAC, soft delete, or data protection. They are a deliberate pause before someone or something changes critical infrastructure.

Back to glossary browser Open Microsoft Learn source
Aliases
ARM lock, Management lock, Azure resource lock
Difficulty
fundamentals
CLI mappings
5
Last verified
2026-05-22

Microsoft Learn

Microsoft Learn describes Azure management locks as controls applied to a subscription, resource group, or resource to help prevent accidental deletion or modification. A CanNotDelete lock permits reads and updates but blocks deletes, while a ReadOnly lock blocks broader management changes.

Microsoft Learn: Lock your Azure resources to protect your infrastructure2026-05-22

Technical context

In Azure architecture, resource locks live in the Azure Resource Manager control plane and are managed through Microsoft.Authorization. They can be applied at subscription, resource group, or resource scope, and child resources can inherit locks from parent scopes. Locks are evaluated during management operations, not every data-plane action inside a service. They sit beside RBAC, Azure Policy, deployment stacks, backup, soft delete, and change management. Operators use them on shared networking, vaults, monitoring, production databases, and other high-impact resources.

Why it matters

Resource locks matter because many serious cloud incidents start with ordinary delete or update mistakes. A cleanup script targets the wrong group, a rushed engineer deletes a shared DNS zone, or a pipeline rollback removes a resource that five systems still need. A lock does not make the resource invincible, but it forces an explicit unlock step that gives the team time to notice risk. That friction is valuable for production infrastructure, especially stateful services and shared platform resources. Bad lock design, however, can block emergency fixes, scale changes, or managed service operations. The right lock turns a dangerous click into a reviewed operational decision.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the Azure portal Locks blade, a subscription, resource group, or resource shows lock name, type, notes, inherited protection, and blocked delete behavior during operational review.

Signal 02

In az lock list output, the level, id, notes, and scope fields reveal whether CanNotDelete or ReadOnly protection is applied or inherited across parent scopes.

Signal 03

In deployment failures and Activity Log, lock-related errors identify the blocked operation, responsible identity, exact scope, and lock that stopped the change during release troubleshooting.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Protect shared hub networking, private DNS zones, recovery vaults, and monitoring workspaces from project-level cleanup scripts.
  • Add a CanNotDelete lock to production databases or storage accounts before migrations, disaster-recovery tests, or risky release windows.
  • Require a documented unlock, verify, and relock process before deleting resources whose recovery depends on backups or replicas.
  • Audit inherited ReadOnly locks that explain why deployments, scale operations, diagnostic updates, or provider actions keep failing.
  • Prevent accidental deletion of platform foundations while still allowing normal configuration updates through carefully scoped CanNotDelete locks.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Airport authority protects shared private DNS

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

An airport authority used private DNS zones for baggage, gate, and operations systems. A cleanup job deleted a test-linked zone and nearly removed the production zone with a similar name.

Business/Technical Objectives
  • Prevent accidental deletion of shared DNS and hub networking resources.
  • Keep authorized engineers able to update legitimate records.
  • Make lock removal visible during emergency maintenance.
  • Reduce outage risk for operational systems that depend on private name resolution.
Solution Using Resource lock

The network team applied resource lock protection with CanNotDelete locks on production private DNS zones, hub virtual networks, and central firewall resources. Locks were created by Azure CLI after Bicep deployment, with notes naming the owner, support bridge, and unlock runbook. ReadOnly locks were avoided because DNS record updates were still needed during maintenance. Activity Log alerts flagged lock deletion or update events. Before any cleanup run, a script listed inherited and direct locks, checked resource tags, and failed safely if a protected resource appeared in the deletion set.

Results & Business Impact
  • The next cleanup simulation blocked four risky delete attempts before they reached production DNS.
  • Name-resolution incidents linked to accidental deletion dropped to zero over nine months.
  • Emergency DNS record updates still completed within the 15-minute operations target.
  • Lock state evidence was included in every quarterly infrastructure control review.
Key Takeaway for Glossary Readers

Resource lock protection is most valuable when one shared resource quietly supports many critical systems.

Case study 02

Legal SaaS adds deletion friction to evidence storage

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A legal document SaaS platform stored court exhibits in Azure Storage with immutability policies. A junior engineer almost deleted the production storage account while cleaning old test accounts.

Business/Technical Objectives
  • Protect evidence storage accounts from control-plane deletion.
  • Avoid weakening data immutability, backup, or retention controls.
  • Create an auditable unlock process for rare maintenance actions.
  • Keep cleanup automation from crossing production boundaries.
Solution Using Resource lock

The operations team used resource lock controls as a narrow guardrail on production storage accounts, Key Vaults, and recovery vaults. They selected CanNotDelete, not ReadOnly, so approved configuration updates and retention monitoring could continue. Azure CLI created locks with case-management owner notes and exported lock IDs into change tickets. Cleanup pipelines first ran az lock list and deployment what-if, then refused to process resources with production tags or inherited locks. Lock deletion required privileged elevation, a change record, backup verification, and relock validation before the ticket closed. The team also reviewed Activity Log alerts weekly to confirm no one removed protection outside the change process.

Results & Business Impact
  • Accidental production delete attempts were blocked in two later cleanup runs.
  • Approved storage maintenance still completed without ReadOnly-related failures.
  • Change evidence for protected legal repositories was prepared 70 percent faster.
  • No evidence-retention control was weakened because locks complemented, rather than replaced, immutability.
Key Takeaway for Glossary Readers

Resource locks add control-plane friction without pretending to be the whole data-protection strategy.

Case study 03

Renewable operator replaces brittle ReadOnly locks

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A renewable energy operator placed ReadOnly locks on an entire production resource group. During a wind-farm telemetry incident, engineers could not scale an ingestion service or update diagnostics.

Business/Technical Objectives
  • Keep critical resources protected from deletion without blocking normal operations.
  • Identify which locks caused incident-response delays.
  • Define a safer unlock and relock runbook.
  • Reduce time to restore telemetry ingestion during site events.
Solution Using Resource lock

The platform team reviewed lock scope and found inherited ReadOnly protection blocking multiple management actions. They replaced broad ReadOnly locks with targeted CanNotDelete locks on the event hub namespace, private DNS zone, Log Analytics workspace, and recovery vault. Azure CLI reports captured current lock levels, notes, and scopes before and after the change. Incident runbooks were updated to show which locks could be removed, who could approve removal, and how to validate relock. Activity Log alerts watched for unexpected lock deletion.

Results & Business Impact
  • Incident scale changes that previously failed completed in under eight minutes during the next telemetry surge.
  • Protected shared resources retained deletion safeguards with no broad ReadOnly blocker.
  • Lock-related deployment failures fell from 14 in one month to two minor warnings.
  • Operations review found 19 stale locks and removed retired resources safely.
Key Takeaway for Glossary Readers

Resource lock design must protect the asset without freezing the operations needed to keep it healthy.

Why use Azure CLI for this?

After ten years of Azure engineering work, I use Azure CLI for locks because inherited scope is easy to miss in the portal. CLI can list locks across a subscription, show exact lock IDs, create named locks with notes, and remove them by ID during approved windows. It also turns lock state into evidence for change reviews and post-incident timelines. Portal clicks work for one resource, but CLI is better when a deployment failed somewhere in a hierarchy and you need to prove which lock, scope, and identity caused it. Those details matter when a change ticket must explain the exact blocker.

CLI use cases

  • List locks at subscription, resource group, and resource scopes before a deployment, cleanup script, or migration plan runs.
  • Create named CanNotDelete locks with notes after deploying protected platform resources through Bicep or Terraform.
  • Show a lock by ID to identify level, scope, and notes during a failed deployment or delete operation.
  • Remove a lock during an approved maintenance window and recreate it immediately after validation.
  • Export lock inventory for governance reviews, stale-resource cleanup, and production readiness evidence.

Before you run CLI

  • Confirm tenant, subscription, resource group, resource ID, and whether the intended lock scope is direct or inherited.
  • Verify you have Microsoft.Authorization lock permissions; ordinary resource Contributor access may not be enough to remove locks.
  • Review destructive risk because deleting a lock may allow immediate deletion or modification of production resources.
  • Check cost risk because creating a lock may block cleanup of retired resources that continue billing.
  • Use JSON output for automation and capture lock ID, level, notes, scope, and requester identity in the change record.

What output tells you

  • The level field shows CanNotDelete or ReadOnly, which determines whether only deletes or broader management changes are blocked.
  • The id field provides the exact lock resource path needed for safe deletion or audit evidence.
  • The scope shows whether the lock sits on a subscription, resource group, or individual resource and whether inheritance may apply.
  • The notes field should explain owner, reason, and removal process; blank notes mean the lock needs governance review.
  • Successful lock deletion removes protection only; it does not delete the underlying resource or change service data permissions.

Mapped Azure CLI commands

Resource lock CLI Commands

direct
az lock list --resource-group <resource-group> --output table
az lockdiscoverManagement and Governance
Microsoft docs
az lock create --name <lock-name> --lock-type CanNotDelete --resource-group <resource-group> --notes "Protect production resources from accidental deletion"
az locksecureManagement and Governance
Microsoft docs
az lock list --resource-group <resource-group> --resource-name <resource-name> --namespace <provider-namespace> --resource-type <resource-type> --output json
az lockdiscoverManagement and Governance
Microsoft docs
az lock show --name <lock-name> --resource-group <resource-group> --query "{id:id,level:level,notes:notes,scope:id}" --output json
az lockdiscoverManagement and Governance
Microsoft docs
lockid=$(az lock show --name <lock-name> --resource-group <resource-group> --query id -o tsv) && az lock delete --ids $lockid
Microsoft docs

Architecture context

A good Azure architecture uses locks selectively. CanNotDelete belongs on resources where accidental removal creates a larger outage than temporary operational friction: hub networks, private DNS zones, Log Analytics workspaces, recovery vaults, production databases, key vaults, and shared integration components. ReadOnly should be rare because many Azure operations are implemented as management writes or POST actions. Locks should be part of the landing-zone pattern, with RBAC controlling who can manage locks, policy documenting required protection, and runbooks defining unlock, verify, and relock steps. The best design protects critical assets without making routine platform operations brittle. Every lock should have an owner, note, and removal procedure.

Security

Security impact is indirect but real. A lock does not authenticate users, encrypt data, rotate secrets, or block every data-plane delete. Its security value is protecting control-plane assets that support security controls, such as key vaults, diagnostic settings, firewalls, private DNS zones, and monitoring workspaces. The risk is assuming a lock replaces RBAC, soft delete, backup, or least privilege. Anyone with permission to manage locks can lower the barrier. Protect lock permissions with Privileged Identity Management, change approval, Activity Log alerts, and least-privilege roles. Treat unexpected lock removal as suspicious. Lock governance should be reviewed with the same seriousness as privileged access.

Cost

Locks have no direct SKU charge, but they affect cost control in both good and bad ways. A CanNotDelete lock can prevent accidental deletion of expensive-to-recover resources, avoiding emergency rebuild labor and downtime. It can also stop a cleanup script from removing retired resources, leaving disks, databases, plans, or gateways billing for months. ReadOnly locks may block right-sizing or retention changes that would reduce spend. FinOps reviews should include lock inventory, owner notes, and retirement status. The cost question is whether protection prevents a worse loss or preserves waste. Cost reports should flag locked resources with no recent owner confirmation.

Reliability

Reliability impact is direct at the management layer. Locks reduce the chance that a critical resource disappears during cleanup, migration, failed deployment rollback, or incident response. They also limit blast radius when automation has overly broad scope. The tradeoff is operational friction: ReadOnly locks can block scale, start, stop, backup cleanup, diagnostic changes, list-key operations, or provider actions depending on service behavior. Reliable use means choosing the narrowest lock level, documenting owners, testing deployments against locks, and building runbooks that remove and restore protection safely during maintenance. The relock step should be treated as part of service restoration, not optional cleanup.

Performance

Runtime performance is usually not affected because locks act on Azure Resource Manager operations rather than application data paths. A locked web app, database, or network still handles traffic normally unless a blocked management change prevents scaling, patching, tuning, or diagnostics. Operational performance is affected: engineers can diagnose lock-related deployment failures quickly when lock IDs and scopes are documented. Broad ReadOnly locks can slow incident response because every blocked action requires an unlock decision. Good lock design preserves runtime speed while adding only intentional friction to risky management operations. That balance is what keeps protection from becoming a bottleneck during incidents.

Operations

Operators manage locks by listing scope, level, notes, and inheritance before making changes. They create locks through templates, CLI, or portal workflows, then record why the lock exists and who can remove it. Troubleshooting often starts with a failed deployment or delete operation that names a blocking lock. Change windows should include explicit steps to remove the lock, complete the work, validate the resource, and recreate the lock. Operations teams should review stale locks because protected retired resources can become expensive clutter. Lock evidence belongs in audit and incident records. The review should include inherited locks that are not visible on the child resource at first glance.

Common mistakes

  • Assuming CanNotDelete protects data-plane objects, such as blobs or secrets, when it mainly blocks management-plane deletion.
  • Applying ReadOnly broadly and then discovering scale, start, backup cleanup, diagnostic settings, or list-key actions are blocked.
  • Removing a lock for maintenance and forgetting to recreate it after the deployment or migration succeeds.
  • Using locks as a substitute for RBAC, backup, soft delete, policy, or deployment what-if validation.
  • Leaving retired resources locked for months because nobody documented the owner or approved cleanup path.