Shulou(Shulou.com)06/03 Report--

Many customers have been thinking about improving the security of their Azure subscriptions. Want to protect some resources from accidental deletion, for example, the rules of NSG will not be accidentally changed. To achieve this, we generally recommend that they use Azure management locks. There are two different levels of Azure management locks, "Read-Only" and "Delete".

CanNotDelete (Delete): means that authorized users still have read and modify access to resources, but cannot delete resources. (it depends on the role of the user)

Read-Only (Read-Only): means that authorized users can only read resources. They will not be able to modify or delete resources. This lock is similar to restricting all authorized users to the Reader role.

We can apply locks at the subscription level, the resource group level, or on a single resource. If locks are set at the subscription level, all resources in the subscription, including those added later, inherit the same lock. The same is true at the resource group level.

At this point, a friend may ask what role can create or delete resource locks: to create or delete administrative locks, we must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* operations. In the built-in role, only the owner and user access administrator are granted these operations.

There are many ways to create resource locks, either when creating resources using ARM templates, or using Azure portals or PowerShell. Next I will show you the Portal method and the PowerShell method.

Create a resource lock using Azure Portal:

Navigate to the resource, resource group, or subscription to which you want to add a lock. Under the Settings blade, click Lock:

Click "add":

Type the Lock name and select the lock level (delete or read-only), and enter a description. Then click OK.

After the creation is completed, it is shown in the following figure:

If you want to remove the lock, you can click the ellipsis. And click Delete in the options:

Create a resource lock using PowerShell

To lock a resource group, you can use the following cmdlet. Just make sure you change the variable at the top to match the resource. We can also change Lock Level to Read-Only

$LockName = "DemoLock"

$RGName = "PBI-RG"

New-AzureRmResourceLock-LockName $LockName-LockLevel CanNotDelete-ResourceGroupName $RGName

You can use the following cmdlet to remove locks on a resource group.

After talking so much, I believe you already know what resource locks are and how to create and delete them using PowerShell and portals. By using locks, we can set up additional protection to prevent accidental or malicious changes / deletions of Azure resources.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.