Prevent mistakes with Azure Resource Locks

Sometimes you have to give people a little more access to an Azure environment than you might like, and then there’s the chance of someone accidentally deleting a resource.

A resource deletion may not sound like too big a thing if you’re deploying Infrastructure as Code: hey, we’ll just terraform apply again and it’ll pop back up.

In theory that’s a great idea, with just one big problem: the new resource isn’t the old resource!

For example, an Azure SQL Database server is a unique resource. If you delete one you lose any backups you’ve taken, as they’re hosted on the server. Spinning up a new one isn’t going to get them back! A phone call to MS Support may, if you’re quick and lucky.

To avoid this you want to be using Azure Resource Locks. Think of these as the Azure version of childproof locks on your kitchen drawers. Yes, they may occasionally mean you’ve got an extra step to get a knife out, but the little one can’t get their hands on it.

Azure Resource Locks

The first thing about Azure Resource Locks is that they apply to everyone and every role. Even if you’ve got the Owner role on a Resource Group via RBAC, if there’s an Azure Resource Lock on that Resource Group you’re going to be blocked until you’ve removed the lock. Removing (or creating) a lock needs the Microsoft.Authorization/locks/* actions, which among the built-in roles only Owner and User Access Administrator have, so a Contributor can’t quietly lift a lock and carry on.

This is great because it prevents those “oh ****, that was the wrong subscription” moments.

Locks apply downwards from the scope they’re applied to. So if you apply one to a Resource Group, the lock applies to every resource within that Resource Group. Apply it to an Azure SQL Database server, and it applies to all of the databases on that server.

Azure Resource Lock Types

Resource locks come in two flavours:

  • CanNotDelete
  • ReadOnly

CanNotDelete does what it says on the tin. Once this lock is applied the resource (and its children) cannot be deleted, even if you use -force.

ReadOnly includes CanNotDelete and also prevents any modification of the locked resource and its children. Bear in mind that ReadOnly blocks every operation that isn’t a plain read, which catches some things that feel read-only, such as listing a storage account’s keys, so test it on a non-production group before rolling it out widely.

Setting Azure Resource Locks

You can set Azure Resource Locks via the Azure Portal, Azure CLI, Azure PowerShell or ARM templates. Below is how you can set the same CanNotDelete lock on the Lock Resource Group using each of the four options:

  • Azure Portal
(screenshot: the Locks blade in the Azure Portal)
  • ARM Template

Create a template.json file:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2015-01-01",
      "name": "LockGroupNotDelete",
      "properties": {
        "level": "CanNotDelete",
        "notes": ""
      }
    }
  ],
  "outputs": {}
}

Which you’d deploy (at Resource Group scope, so the lock lands on the group itself) with:

New-AzResourceGroupDeployment -ResourceGroupName lock -Name lock -TemplateFile ./template.json

  • Azure CLI:

az lock create --name LockGroupNotDelete --lock-type CanNotDelete --resource-group Lock

  • Azure PowerShell:

New-AzResourceLock -LockName LockGroupNotDelete -LockLevel CanNotDelete -ResourceGroupName Lock
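Going one step further than locking a single Resource Group, the following is an added example (not code from the original post) that audits every Azure SQL Database server in the current subscription and adds a CanNotDelete lock to each one that isn’t already protected, exactly the scenario from the backups story above. It assumes the Az.Accounts and Az.Resources modules are installed and that Connect-AzAccount has been run; the function name, lock name and notes text are this example’s own choices.

```powershell
# Added example, not code from the original post: audit every Azure SQL Database server in
# the current subscription and add a CanNotDelete lock to each one that is not already
# protected. Assumes the Az.Accounts and Az.Resources modules are installed and that
# Connect-AzAccount has been run. The function name, lock name and notes text are this
# example's own choices.
function Protect-AzSqlServerWithLock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [string] $LockName = 'SqlServerNotDelete',
        [string] $Notes    = 'Deleting this server also deletes its backups. Remove the lock deliberately, not in a hurry.'
    )

    # Find the servers by resource type, so the Az.Sql module is not needed.
    $servers = Get-AzResource -ResourceType 'Microsoft.Sql/servers'

    $report = foreach ($server in $servers) {
        $lookup = @{
            ResourceGroupName = $server.ResourceGroupName
            ResourceName      = $server.Name
            ResourceType      = $server.ResourceType
            AtScope           = $true   # locks on the server itself or inherited from the group/subscription
            ErrorAction       = 'SilentlyContinue'
        }
        # Either level blocks a delete, so both count as "already protected".
        $existing = Get-AzResourceLock @lookup |
            Where-Object { $_.Properties.level -in 'CanNotDelete', 'ReadOnly' }

        if ($existing) {
            [pscustomobject]@{
                Server        = $server.Name
                ResourceGroup = $server.ResourceGroupName
                Action        = 'AlreadyLocked'
                Lock          = ($existing.Name -join ', ')
            }
            continue
        }

        # -WhatIf on the function call reaches ShouldProcess, so you can rehearse the run first.
        if ($PSCmdlet.ShouldProcess($server.ResourceId, "Add $LockName (CanNotDelete)")) {
            $create = @{
                LockName          = $LockName
                LockLevel         = 'CanNotDelete'
                LockNotes         = $Notes
                ResourceGroupName = $server.ResourceGroupName
                ResourceName      = $server.Name
                ResourceType      = $server.ResourceType
                Force             = $true   # skip the cmdlet's own prompt; ShouldProcess already asked
            }
            New-AzResourceLock @create | Out-Null
            [pscustomobject]@{
                Server        = $server.Name
                ResourceGroup = $server.ResourceGroupName
                Action        = 'LockAdded'
                Lock          = $LockName
            }
        }
    }
    return $report
}

# Rehearse, then apply:
# Protect-AzSqlServerWithLock -WhatIf
# Protect-AzSqlServerWithLock | Format-Table
```

The notes text is worth filling in for real locks: it shows up in the Portal and in Get-AzResourceLock output, and it is the one place you can tell the next person why the lock is there and who to talk to before removing it.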

What you’ll see with Azure Resource Locks

So now we’ve seen how to create a resource lock, what are we going to see if we try to delete the Resource Group? Partly to prove it works, and partly so we know what to look out for when we bump into one we didn’t expect to see.

  • Azure Portal
(screenshot: “Delete resource group failed” notification in the Azure Portal)
  • Azure CLI
(screenshot: az group delete attempt from Cloud Shell, refused because of the lock)
  • Azure PowerShell
(screenshot: Remove-AzResourceGroup attempt, refused because of the lock)

As you can see, the Resource Locks stop you deleting the resource, which is nice. The error messages are also nice and informative, so you know the resource is locked and at which scope the lock is placed, which makes it easier to find the lock to remove it. Talking of removing locks:
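Rather than finding out about a lock from a failed delete half-way through a teardown script, you can ask up front. The following is an added example (not code from the original post) that lists every lock which would block deleting, or modifying, a Resource Group, including locks inherited from the subscription, reporting the scope each one sits at just as the error messages above do. It assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has been run; the function name is this example’s own choice.

```powershell
# Added example, not code from the original post: list the locks that would stop a delete
# (or any modification) of a resource group, including locks inherited from the subscription,
# so a pipeline can stop with a clear message before it starts tearing things down.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has been run.
# The function name is this example's own choice.
function Get-AzBlockingLock {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [ValidateSet('Delete', 'Modify')] [string] $Operation = 'Delete'
    )

    $subscriptionId = (Get-AzContext).Subscription.Id

    # Locks set directly on the subscription, then locks at the group scope or above.
    # The two queries can overlap, so results are de-duplicated on the lock's ResourceId.
    $locks  = @(Get-AzResourceLock -Scope "/subscriptions/$subscriptionId" -AtScope -ErrorAction SilentlyContinue)
    $locks += @(Get-AzResourceLock -ResourceGroupName $ResourceGroupName -AtScope -ErrorAction SilentlyContinue)

    $locks |
        Sort-Object ResourceId -Unique |
        Where-Object {
            # ReadOnly blocks everything; CanNotDelete only blocks deletes.
            $_.Properties.level -eq 'ReadOnly' -or
            ($Operation -eq 'Delete' -and $_.Properties.level -eq 'CanNotDelete')
        } |
        Select-Object Name,
            @{ Name = 'Level'; Expression = { $_.Properties.level } },
            # The lock's ResourceId is "<scope>/providers/Microsoft.Authorization/locks/<name>";
            # trimming the suffix leaves the scope the lock was placed at.
            @{ Name = 'Scope'; Expression = { $_.ResourceId -replace '/providers/Microsoft\.Authorization/locks/[^/]+$', '' } },
            @{ Name = 'Notes'; Expression = { $_.Properties.notes } }
}

# Gate for a teardown script: stop early and say which lock is in the way.
# $blocking = Get-AzBlockingLock -ResourceGroupName Lock
# if ($blocking) {
#     $blocking | Format-Table
#     throw 'Resource group is locked; remove the locks listed above first.'
# }
```

Because the Scope column comes straight from the lock’s ResourceId, the output tells you whether the lock lives on the group you’re working in or was inherited from the subscription, which is exactly what you need to know before deciding whether you should be the one removing it.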

Removing Azure Resource Locks

You can remove locks with any of the methods you can use to create them, so you’re free to mix and match how you do things.

  • Azure Portal
(screenshot: deleting the lock from the Locks blade)
  • Azure CLI

az lock delete --name LockGroupNotDelete --resource-group Lock

  • Azure PowerShell

Remove-AzResourceLock -ResourceGroupName lock -LockName LockGroupNotDelete

(screenshot: Remove-AzResourceLock output)

About the Author:

Stuart Moore

W – https://stuart-moore.com

T – @napalmgram

Stuart has spent 20+ years pushing data around many platforms using whatever tools he can find, mainly SQL Server, PowerShell and Azure these days. He has been a Microsoft Data Platform MVP since 2018 and spends lots of time contributing to the dbatools project. In his copious spare time he also organises DataRelay, the Nottingham SQL Server User Group and PowerShell User Group, and the Nottingham Global Azure Bootcamp.

Reference:

Moore, S. (2019). Prevent mistakes with Azure Resource Locks. Available at: https://stuart-moore.com/prevent-mistakes-with-azure-resource-locks/ [Accessed: 10th October 2019].
