Lock Azure resources to prevent accidental deletion

06 Jan, 2017
Xebia Background Header Wave

In some cases you want to protect critical resources from accidental deletion. Some examples are a storage account with source data for processing, a Key Vault with disk encryption keys, or another key component in your infrastructure. When losing some resources that are key in your infrastructure, recovery can be dramatic. Resource Manager locks will enable you to protect these critical resources from deletion.

Resource Manager locks
Resource Manager locks apply to the management function of the locked resources. The locks do not have any impact the normal functions of the resource. You have two possible types of locks on a resource:

Locking down a resource can save your contributors from accidently delete a critical resources. An ‘oeps… I deleted the wrong resources’ moment should be a thing of the past.

CannotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

In practice user or service principles have the role Contributor on a resource. This role allows the user to delete the resource. A lock on the resource will prevent the user with the Contributor role to delete the resource. Only the roles Owner and User Access Administrator can change the locks on the resources.

When deploying a lock from a VSTS release pipeline, the Service Principle should have the role User Access Administrator on the resource group.

Deploying Resource Manager locks
Deploying locks can be done with ARM templates or Powershell. I prefer to add them to my ARM template and deploy them with my release pipeline. A simple template to add a lock looks like:

  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "lockedResource": {
      "type": "string"
  "resources": [
      "name": "[concat(parameters('lockedResource'), '/Microsoft.Authorization/myLock')]",
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2015-01-01",
      "properties": {
        "level": "CannotDelete",
        "notes": "prevent resource from accidental deletion"

The parameter lockedResource should look like: ‘/Microsoft.Authorization/’ in the case of locking down a storage account.

When you delete a group in the portal with a locked resource, prevent-delete-of-resourcethe deletion is prevented and the following message is shown to the user:

After removing the lock from the storage account, you will be able to remove the resource group.

Locking critical resources can prevent you from accidental and hard to recover downtime. Applying them from within your arm template is very easy and enables you to manage them like any other resource.


Get in touch with us to learn more about the subject and related solutions

Explore related posts