This document provides an overview of Azure locks, highlighting their importance in governance by protecting subscriptions, resource groups, and resources from accidental deletion. It explains the types of locks (cannot delete and read-only), their inheritance properties, and the necessary permissions for implementation, contrasting them with Azure RBAC which manages user access. Additionally, it offers guidance on creating and applying locks using various tools like the Azure portal, PowerShell, and Azure CLI.

1. Module 2
Azure
Locks
Azure Free Training
Azure Governance Model
By Hicham KADIRI
January 20, 2018
A K&K Group Company

2. Contoso Ltd.
About me
Microsoft MVP
• Windows Expert-IT Pro (2014-2015)
• Cloud and Datacenter Management (2016)
• Enterprise Mobility /RDS (2017)
• CDCM /Azure (2018)
Founder
@BecomeITExpert.com
Co-Founder
@K&K Group
Think {Cloud /DevOps /Security}
IT Author (+10 eBooks)
• RDS 2012 R2 and 2016 Pocket Consultant
• RDS & OS Security & Hardening guide
• Azure CLI 2.0 Pocket Consultant
• GPO, PowerShell, AppLocker …
Lead Cloud Architect /Az Expert
• Working for several large companies
and international group including
Thales, Areva, Rabobank, Gemalto,
Vinci, CE, BP…etc
IT Blogger
• hichamkadiri.wordpress.com
• AskTheCloudExpert.wordpress.com
• ~2millions views ☺
/hicham_kadiri
/in/hichamkadiri
TechNet Contributor (Top 0,5%)
• MTFC (Microsoft Technical French Contributor)
• MCC (Microsoft Community Contributor)
Hicham KADIRI (aka #HK)

3. Document Objectives
• Reminder about Azure Governance
• Explains the importance of Locks in
the Microsoft Azure environment
• Keys items You Should Know
• Azure Locks vs Azure RBAC
• Required rights for Azure Locks
• Azure GUI & CLI Tools you can use
to create and Apply Azure Locks
• DEMO : HowTo Lock your Azure
Subscriptions, RG and Resources

4. Contoso Ltd.
Reminder about
Azure Governance
#HK

5. Contoso Ltd.
#HK

6. Contoso Ltd.
Azure Locks
Why it’s important ?
#HK

7. Contoso Ltd.
Microsoft Azure Locks
What is it and Why it’s important ?
• Azure Locks are an amazing way to protect your
subscriptions, resource groups and Azure resources.
• They ensure that what we have implemented
is not changed, or worse, accidentally deleted.
Important Note
Azure Lock does not replace Azure RBAC. Cf next Slide !
#HK

8. Contoso Ltd.
Azure Locks
Keys items You Should Know
#HK

9. Contoso Ltd.
Microsoft Azure Locks
What You Should Know : Lockable Objects
• You can Lock :
• Subscription
• Resource Group
• Resource
#HK

10. Contoso Ltd.
Microsoft Azure Locks
What You Should Know : Lock Types
• There are two Lock Types :
• CanNotDelete
▪ You can “Read & Modify” the Resource
▪ You can’t Delete the Resource
• Read-Only
▪ You can Read Resource Properties/Infos
▪ You can’t Delete or Modify Resource
▪ Important Note:
▪ Could have undesired results !
#HK

11. Contoso Ltd.
Microsoft Azure Locks
What You Should Know : Inheritance
• When you apply a lock at a parent scope, all resources within that scope
inherit the same lock. Even resources you add later inherit the lock from
the parent. The most restrictive lock in the inheritance takes precedence.
#HK
Resource Group inherits Locks from Subscriptions
Resource (eg : Azure VM) inherits Locks from Subscriptions
and Resource Groups

12. Contoso Ltd.
Microsoft Azure Locks
Hierarchy (ex)
#HK

13. Contoso Ltd.
Azure Locks
Required « Rights »
#HK

14. Contoso Ltd.
Microsoft Azure Locks
Required “Rights”
• To create or delete management locks, you must have access to the following
actions :
• Microsoft.Authorization/*
• Or Microsoft.Authorization/Locks/*
Note
Of the built-in roles, only Owner and User Access Administrator are granted those
actions.
#HK

15. Contoso Ltd.
Difference between
Azure Locks & Azure RBAC
#HK

16. Contoso Ltd.
Difference between
Azure Locks vs Azure RBAC
• Azure Role-Based Access Control (RBAC) helps you manage who has access to
Azure resources, what they can do with those resources, and what areas they have
access to. Azure RBAC helps you manage access for users, groups, service
principals.
• Unlike Role-Based Access Control, you use Azure Locks to apply a restriction across
all users and roles.
• Useful Link
• Visit the following link to read more about Azure RBAC :
https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/
#HK

17. Contoso Ltd.
Azure GUI & CLI Tools you can use
To create and apply Locks
#HK

18. Contoso Ltd.
Azure GUI & CLI Tools you can use
To create and apply Azure Locks
• Azure Locks can be created and applied using different GUI & CLI Tools :
• GUI :
▪ Azure Portal
• CLI
▪ Windows PowerShell (using AzureRM Module)
▪ Azure CLI 2.0
#HK

19. Contoso Ltd.
HowTo Lock
Your Azure Subscriptions, RG and Resources
#HK

20. Contoso Ltd.
Create & Apply your Azure Locks
using Azure Portal

21. Contoso Ltd.
HowTo #1
Lock your Az Subscriptions, RG and Resources via Azure Portal
• Connect to Azure Portal
• https://portal.azure.com
• Go to Subscriptions blade and select
the Subscription you want to Lock
• Then click on “Resource Locks”
• Click “Add” and add your Azure Lock
• You have to enter the following infos :
▪ Lock Name
▪ Lock Type :
▪ Delete
▪ Read-only
▪ Notes (Lock Description)
#HK

22. Contoso Ltd.
Important Note
Lock your Az Subscriptions, RG and Resources via Azure Portal
• If you want to create and apply Locks to Resource Groups or a specific Azure Resource, just Select
your RG ou Azure Resource to lock and then, click on “Locks”. Finally click “Add” and enter the
following infos :
• Lock Name
• Lock Type
▪ Delete
▪ Read-Only
• Lock Notes (description)
#HK

23. Contoso Ltd.
Create & Apply your Azure Locks
using AzureRM Module

24. Contoso Ltd.
Important Note
Lock your Az Subscriptions, RG and Resources via Azure Portal
• The New-AzureRmResourceLock Cmd-let is used to create a new Azure Lock.
• In the following example, a new Lock will be created and applied to hk-confident-rg resource group
#HK

25. Contoso Ltd.
Important Note
Lock your Az Subscriptions, RG and Resources via AzureRM Module
• If you want to create and apply Locks to a specific Azure Resource, you have to add –ResourceType
parameter
• In the following example, a new Azure Lock will be created and applied to “hk-prod-website”
resource. This is an Azure WebSite, a “Microsoft.web/sites” resource type is specified/used :
#HK
New-AzureRmResourceLock -LockName « hk-prod-website-lock"
-LockLevel CanNotDelete -LockNotes "This Lock prevents accidental
deletion of HK-Web-Prod-WebSite resource" -ResourceName « hk-
prod-website" -ResourceType "microsoft.web/sites"

26. Contoso Ltd.
Create & Apply your Azure Locks
using Azure CLI 2.0

27. Contoso Ltd.
HowTo #3
Lock your Az Subscriptions, RG and Resources via Azure CLI
• The Az Lock Create Command is used to create a new Azure Lock.
• In the following example, a new Lock will be created and applied to hk-confident-rg
resource group
#HK

28. Contoso Ltd.
Do you have any Azure
Project (Design/Architecture/Migration)?
If yes, feel free to contact us
Your Contacts
Hicham KADIRI
Lead Cloud Architect /Azure Advisor & Microsoft MVP
hicham.kadiri@k-nd-k-group.com
+33 (0)6 52 97 72 84
Mohsine CHOUGDALI
Key Account Manager
mohsine.chougdali@k-nd-k-group.com
+33 6 66 26 55 15
A K&K Group Company

29. Contoso Ltd.
#HK o_O
/hicham_kadiri
/in/hichamkadiri
Subscribe to my Blog
hichamkadiri.wordpress.com

30. Contoso Ltd.
End of Lesson
Hope this Helps ☺