Azure Resource Locks to avoid accidental deletes

In this article, we will learn how to prevent users from accidentally deleting any resource in your account using Resource Locks.

Everyone is aware of how easy Azure makes it to create and provision resources quickly. At the same time, it is just as easy for people to delete a resource by mistake.

Azure provides us a way to minimize the problem of deleting a resource accidentally by means of Locks.

As of this writing, we have the following two types of locks:

  1. Delete
  2. Read-only

Resource Locks let us configure locks at different levels (discussed in a moment) so that users don’t delete the resources at those levels.

Below are different levels of Locks that you can configure.

  1. Subscription Level
    1. 1_Subscription_Locks
  2. Resource Group Level
    1. 2_ResourceGroup_Locks
  3. Individual Service Level (ex: App Service)
    1. 3_IndividualResource_Locks

At each level, you can view the ancestor locks. For example, when you are in the locks blade of the App Service, you can view not only the locks of the App Service, but also the locks of the Resource Group in which it resides and the locks of the Subscription with which the resource is associated. That way, you can easily understand what type of locks are applied to your services.

Let’s add a Delete lock at each of the levels and see how they work. Adding locks is straightforward and is the same at each level. We need to perform the following steps to create a Delete lock.

Click the Add button on the locks blade, which opens a popup where you provide the following, and then click the OK button.

  1. Lock Name
  2. Lock Type (in our case, it’s Delete)
  3. Notes

Below is a screen capture of the Add lock popup for my Azure App Service.

4_Add_Locks

After clicking the OK button in the above step, I also created Delete locks on both my Resource Group and the Subscription, and came back to the locks blade of the App Service. Below is how it looks.

5_Locks

With the locks in place, let’s try to delete the App Service by clicking the Delete button available in the Overview blade of the App Service. As soon as I clicked the Delete button, it prompted me with the below popup where everything is deleted and the message “The resource has a ‘delete’ lock that prevents us from deleting the resource. Please remove the lock and try again” is displayed, as shown below.

6_Deletepopup

You first need to delete the locks created on both the Subscription and the Resource Group before you can delete any of the services in that Subscription and Resource Group.

You can delete a lock by navigating to the locks blade and clicking the Delete button that appears when you click the ellipsis, as shown below.

7_DeleteButton

Other points to note:

  1. You CANNOT delete a parent lock from the locks blade of the child resource.
  2. You CAN delete the child locks from the locks blade of the parent resource.
  3. Locks applied on the parent resource will take precedence over child locks.
  4. If you would like to delete a resource, you need to remove the Delete locks at the resource level, the resource group level and the subscription level.
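
To check point 4 before attempting a delete, here is an added example (not part of the original article) that walks a list of locks and reports every lock, at any ancestor level, that still protects a given resource. The lock records are constructed sample data; their `id`/`name`/`level` shape and the `CanNotDelete` value (the API name for the portal's Delete lock type) are assumed to follow Azure Resource Manager's lock resources, and all resource names are hypothetical.

```python
# Added example: the lock list is constructed sample data, not real Azure output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
APP = RG + "/providers/Microsoft.Web/sites/app-demo"
LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
ORDER = {"subscription": 0, "resource group": 1, "resource": 2}

def make_lock(scope, name, level):
    """Build a lock record whose ID is the locked scope plus the lock suffix."""
    lock_id = f"{scope}/providers/Microsoft.Authorization/locks/{name}"
    return {"id": lock_id, "name": name, "level": level}

LOCKS = [
    make_lock(APP, "app-lock", "CanNotDelete"),
    make_lock(RG, "rg-lock", "CanNotDelete"),
    make_lock(SUB, "sub-lock", "CanNotDelete"),
    # Lock on a different resource group whose name is a prefix of "rg-demo".
    make_lock(SUB + "/resourceGroups/rg-dem", "other-rg-lock", "CanNotDelete"),
]

def lock_scope(lock_id):
    """Return the scope a lock is attached to (everything before the lock suffix)."""
    idx = lock_id.lower().rfind(LOCK_SUFFIX)
    if idx < 0:
        raise ValueError(f"not a lock resource ID: {lock_id}")
    return lock_id[:idx]

def scope_level(scope):
    """Classify a scope by its number of path segments."""
    segments = [s for s in scope.split("/") if s]
    return {2: "subscription", 4: "resource group"}.get(len(segments), "resource")

def applies_to(scope, resource_id):
    """A lock applies to its own scope and to everything beneath it.
    Compare case-insensitively and on whole path segments only."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def blocking_locks(resource_id, locks):
    """List (level, lock name) for every lock to remove before deleting resource_id."""
    found = []
    for lock in locks:
        scope = lock_scope(lock["id"])
        # A ReadOnly lock also prevents deletion, so both lock types count.
        if lock["level"] in ("CanNotDelete", "ReadOnly") and applies_to(scope, resource_id):
            found.append((scope_level(scope), lock["name"]))
    return sorted(found, key=lambda f: ORDER[f[0]])

if __name__ == "__main__":
    for level, name in blocking_locks(APP, LOCKS):
        print(f"{level}: {name}")
```

The lock on `rg-dem` is not reported for `app-demo`, because scopes are matched on whole path segments rather than by plain string prefix.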
