Skip to main content
Resource locks in Azure are essential for preventing accidental modifications or deletions of critical resources. Whether you’re preparing for the AZ-400 exam or managing production environments, understanding how to apply and manage locks will help you maintain stability and security.

Lock Types in Azure

Azure offers two built-in lock levels:
Lock TypeDescriptionOperations Allowed
Cannot DeletePrevents deletion but permits all other operations (read, write, update)Read, Write, Update
Read OnlyBlocks create, update, and delete operationsRead only

Cannot Delete Lock

The Cannot Delete lock (also known as CanNotDelete) ensures a resource remains in place:
  • Read and write operations are fully supported.
  • Any attempt to delete the resource is blocked.
Use this lock for resources such as production databases, critical storage accounts, or network appliances. 
# Create a Cannot Delete lock via Azure CLI
az lock create \
  --name BlockDeletion \
  --lock-type CanNotDelete \
  --resource-group MyResourceGroup \
  --resource-name MyVM \
  --resource-type Microsoft.Compute/virtualMachines
Apply locks at the highest possible scope (subscription or resource group) to cover all child resources automatically.

Read Only Lock

The Read Only lock restricts a resource to read-only mode:
  • Only GET operations are permitted.
  • All PUT, PATCH, POST, and DELETE actions are blocked.
This lock is ideal for archival assets or environments where changes must be fully prohibited. 
# Create a Read Only lock via Azure CLI
az lock create \
  --name ViewOnly \
  --lock-type ReadOnly \
  --resource-group MyResourceGroup
Applying a Read Only lock will prevent even administrative updates. Always verify you won’t need to modify the resource before locking.

Managing Locks in Azure

You can manage locks in multiple ways:
MethodCommand / Action
Azure PortalNavigate to Resource > Locks and Add new lock
Azure CLIaz lock create / az lock delete
Azure PowerShellNew-AzResourceLock / Remove-AzResourceLock
ARM TemplateUse "Microsoft.Authorization/locks" under resources in JSON

Sample ARM Template Snippet

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "resources": [
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "BlockDeletion",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Prevent accidental deletion"
      }
    }
  ]
}

Integration with RBAC and Governance

Resource locks complement Azure Role-Based Access Control (RBAC) and policies:
  • RBAC defines who can perform operations.
  • Locks define which operations are blocked, regardless of RBAC rights.
  • Combine both for granular governance across subscriptions.

Key Points

  • Locks are inherited by child resources.
  • You need Microsoft.Authorization/locks/delete permission to remove a lock.
  • Policy-based locks can enforce organizational standards at scale.

Exam and Real-World Scenarios

For the AZ-400 certification and practical deployments, be prepared to:
  • Differentiate between Cannot Delete and Read Only locks.
  • Choose the appropriate lock type based on business requirements.
  • Explain how locks interact with RBAC roles and Azure Policy.
Master resource locks to safeguard your Azure workloads and ensure uninterrupted operations.

Watch Video