Blog Azure Security & Compliance

Azure Resource Locks: Prevent Accidental Deletes & Changes Now

The speed of Azure is unmatched; but it can turn down on you quickly when someone accidentally wipes out a production workload with a single click.

Azure Resource Locks are your seatbelt against that risk.

In this article, we’ll explore how Azure Resource Locks protects your cloud resources from accidental deletion or modification and demonstrate how you can deploy them using Azure Bicep templates.

Niels Kroeze

Author

Niels Kroeze IT Business Copywriter

Reading time 10 minutes Published: 23 October 2025

KEY POINTS:

  • Azure Resource Locks prevent accidental deletion or modification of resources.
  • The main types are CanNotDelete and ReadOnly
  • Locks can be applied at subscription, resource group, or resource level.
  • Locks are not foolproof and may affect normal operation

 

What are Azure Resource Locks?

Azure Resource Locks are a built-in feature in Azure that prevents cloud resources from being changed or deleted within an Azure tenant.

A lock protects resources in Azure from accidental deletions or modifications.”

Locks overrides administrator permissions. Here’s an example: 

  • Let’s say you deploy an application using automation like a DevOps pipeline (although we don’t recommend the use of ClickOps, Locks would be equally effective here). 
  • Imagine the app is partly a database with customer records. 
  • Something happens, and now you need to redeploy it. The automation process might remove and recreate all resource - including the database. 
  • Or an admin mistypes a resource group name and accidentally deletes production resources instead of the intended lab resources. 

In both cases, hopefully there are backups. But with locks, you can prevent these mistakes. The automation or administrator action would fail because of the lock. 

Azure Security Ebook (1)

Security E-book

Learn how to secure your Azure environment with different technologies, tools and best practices we apply daily with our software-driven customers.

Download now!

Types of Resource Locks 

There are two types of resource locks you can apply: CanNotDelete and ReadOnly.

1. CanNotDelete:  

Example of a resource lock in the Azure portal.

  • An authorised user can read and modify a resource 
  • They cannot delete it until the lock is removed 
  • Often used for production environments 

Example: You can change the storage capacity of a resource, but you can’t remove the storage account. 

 

2. ReadOnly 

Screenshot of adding a resource lock with read-only in an Azure subscription

  • An authorised user can only view and read a resource. 
  • They cannot delete or update it, turning it into a “look but don’t touch” object. 
  • Restricts all authorised users to the permissions that the Reader role provides. 
  • Limits or prevents POST methods to the ARM API. 
Note:

Not all services handle ReadOnly well - for example, it can disrupt monitoring agents or automation scripts.

Azure Resource Locks 
Lock Type Protects from config changes  
ReadOnly Yes Yes
CanNotDelete  No Yes

*All protections described in this table apply to management actions at the control plane. Locks do not restrict data operations within the resource (data plane).

Note:

A resource lock is not the same as an RBAC role. RBAC controls who can take actions, while locks control what actions are allowed. Locks apply across all roles. Even an Owner cannot modify a resource if a ReadOnly lock is applied. 

However, an owner or contributor may be able to remove a lock should they have similar or equivalent permissions over where the lock was created.

How do Azure Resource Locks work? 

Azure Resource Locks only apply to the management of resources through the control plane - the interface for creating, updating, or deleting resources - not to the data plane, where actual data operations occur within the resource. 

In Azure terms: 

  • The control plane (sometimes called the management layer) is responsible for managing resources - such as deploying, configuring, or deleting them - using tools like the Azure Portal, ARM templates, Bicep, CLI, or PowerShell. 
  • The data plane is where you interact with the actual data or service provided by a resource (e.g., reading/writing blobs in a storage account, querying a database). 

Examples: 

  • ReadOnly lock: With this lock applied to an Azure SQL database, applications can still read and write data within the database (data plane). The ReadOnly lock only prevents modification to the database resource at the control plane (such as deleting or reconfiguring the database). 
  • CanNotDelete lock: Similarly, this lock on a file share stops deletion of the file share through Azure management (control plane), but it doesn’t prevent someone from deleting files inside the share (data plane). 

Key point: Locks protect resource management at the control plane, not the resource’s internal functionality at the data plane. 

 

Scope and inheritance 

  • Locks can be applied to a subscription, a resource group, or an individual resource.  
  • When applied to a subscription or resource group, all resources within that scope inherit the lock, including new resources created after the lock. 
  • If multiple locks exist on a resource (e.g., a Delete lock on a subscription and a ReadOnly lock on a resource group), the most restrictive lock applies. 
  • You cannot delete a resource group if any resource inside has a lock. All locks must be removed first. Partial deletes aren’t allowed. 
Note:

If you cancel a subscription with locked resources inside, the lock won't stop the cancellation. Azure will deactivate and eventually delete resources in a cancelled subscription, regardless of locks. 

Use cases of Azure Resource Locks 

The table below shows some examples of which locks are recommended for specific resource types: 

Resource Type  Recommended Lock  Motives 
Resource Groups (Production)  CanNotDelete  Prevent accidental deletion of multiple critical resources at once. 
Azure VMs  CanNotDelete  Prevent deletion or re-creation by mistake on critical VMs. 
Storage Accounts  CanNotDelete  Prevent accidental deletion of the storage account. 
Key Vault  ReadOnly  Prevent accidental configuration changes. 
Azure Firewall / NSGs ReadOnly  Prevent accidental rule deletion. 
Logic Apps / Functions  CanNotDelete  Stop accidental removal of automation workflows or serverless functions. 
SQL Databases / Managed Instances  CanNotDelete  Protect critical databases from being deleted. 
App Service / Web Apps  ReadOnly  Prevent accidental changes to app configuration. 
Azure Security Workshop

Want to learn how to secure your Azure cloud?

Then watch our Azure Security On-demand for practical tips, best practices, and demos on securing your Azure environment. 

Watch it now!

Additional considerations for Azure Resource Locks 

Azure Resource Locks are highly recommended for protecting live environments, but it’s important to understand their potential side effects. Applying locks can sometimes have unintended consequences, especially if you’re not aware of how they interact with Azure management operations. 

Key points to consider: 

  • Locks operate at the control plane: They limit or prevent certain management actions via the Azure API. For example:  
    • A ReadOnly lock on a virtual machine prevents you from powering it on or off through the Azure portal or API (control plane), but does not affect the running state or data within the VM (data plane). 
    • A ReadOnly lock on a Network Security Group blocks the creation of NSG flow logs (control plane). 
  • CanNotDelete locks allow modifications, so some operations remain possible. 
  • ReadOnly locks can interfere with normal Azure management operations, and some actions may fail if such a lock is applied. 
Important: 

Azure Resource Locks are not a substitute for robust access control or RBAC. Always use RBAC to ensure only authorised users have the necessary permissions and use locks as an extra layer of protection against accidental changes or deletions. 

Always review Microsoft’s official guidance before applying resource locks to ensure you understand the implications for your specific workloads. 

Tip

Applying locks manually doesn’t scale well in large or multi-subscription environments. Instead, use Azure Policy to enforce locks automatically on resource groups or based on tags.  

Example: You can apply a CanNotDelete lock to all resources in resource groups tagged with Environment = Production.

Policy definitions can audit or enforce lock usage, and when combined with Management Groups, they enable consistent protection across multiple subscriptions. 

 

How to apply Resource Locks in Azure 

There are multiple ways to deploy Azure Resource locks. You can use Azure PowerShell, Azure CLI, Python and more. The “easiest” way may be to deploy Azure resource locks by using the Azure Portal

However, at Intercept, we recommend that you avoid doing ClickOps in the Azure portal and use IaC (Infrastructure as Code) instead.  

Iac Whitepaper

Want to learn more about Infrastructure as Code (IaC) in Azure?

Read our latest white paper about IaC in Azure, master Azure Bicep, Azure Verified Modules (AVM) and more!

Download the IaC whitepaper for free!

Let's show you how to deploy resource locks in Azure using templates with Azure Bicep

 

Deploy Resource Locks Azure Bicep 

When deploying a lock using a Bicep file, it’s important to understand how the deployment scope and the lock scope interact. 

  • To apply a lock at the deployment scope (for example, on a resource group or subscription), do not set the scope property. 
  • To lock a resource within the deployment scope, set the scope property on the lock. 

The example below applies a lock to a resource group: 

Bicep

resource createRgLock 'Microsoft.Authorization/locks@2020-05-01' = { 
  name: 'rgLock' 
  properties: { 
    level: 'CanNotDelete' 
    notes: 'Resource group should not be deleted.' 
  }
}
Note:

The lock resource does not include a scope property, because its scope matches the deployment scope. Deploy this template at the resource group level. 

To create a resource group and apply a lock, deploy the template above at the subscription level. In this setup, the main Bicep file creates the resource group and then calls a module to apply the lock. 

Bicep 

targetScope = 'subscription' 

param rgName string 
param rgLocation string 

resource createRg 'Microsoft.Resources/resourceGroups@2025-04-01 = { 
  name: rgName 
  location: rgLocation 
} 

module deployRgLock './lockRg.bicep' = { 
  name: 'lockDeployment' 
  scope: resourceGroup(createRg.name) 
}

The module uses a separate Bicep file called lockRg.bicep to create the resource group lock. 

resource createRgLock 'Microsoft.Authorization/locks@2020-05-01' = { 
  name: 'rgLock' 
  properties: { 
    level: 'CanNotDelete' 
    notes: 'Resource group and its resources should not be deleted.' 
  }
}

When locking a resource within the resource group, include the scope property in the lock definition. Set scope to the name of the resource you want to lock.

param hostingPlanName string 
param location string = resourceGroup().location 

var siteName = 'ExampleSite${uniqueString(resourceGroup().id)}'

The example below shows a template that creates an App Service Plan, a website, and a lock on the website. The lock includes the scope property, which is set to the website to ensure it protects that specific resource.

resource serverFarm 'Microsoft.Web/serverfarms@2024-11-01' = { 
  name: hostingPlanName 
  location: location 
  sku: {
    tier: 'Free' 
    name: 'f1' 
    capacity: 0 
  } 
  properties: { 
    targetWorkerCount: 1 
  }
}

resource webSite 'Microsoft.Web/sites@2024-11-01' = { 
  name: siteName 
  location: location 
  properties: { 
    serverFarmId: serverFarm.name 
  }
} 

resource siteLock 'Microsoft.Authorization/locks@2020-05-01' = { 
  name: 'siteLock' 
  scope: webSite 
  properties:{ 
    level: 'CanNotDelete' 
    notes: 'Site should not be deleted.'
  }
}

 

Closing thoughts

We discussed Azure Resource Locks as an excellent way to prevent accidental deletion or modification of resources.

Remember, locks aren’t foolproof; they prevent accidents but won’t stop intentional actions by authorised (or unauthorised) users. Always consider potential side effects on normal operations before applying them.

FAQ about Resource Locks

What if you need to remove or modify a resource with a lock? 

Who can create or delete locks?

Working Jack

Reach Out to Us!

Intercept can help you secure your Azure cloud so you can focus on delivering value to your customers and driving business.

info@intercept.cloud (+31) 38 777 98 20