Resource locks are a setting that can be applied to any resource to block modification or deletion. This prevents resources from inadvertently being deleted or modified.  Resource locks apply regardless of RBAC permissions. Even if you are an owner of the resource, you must still remove the lock before you’ll be able to perform the blocked activity.

Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.

Resource locks can be set to

  • Delete – will allow all operations against the resource but block the ability to delete it.
  • Read-only – will only allow read activities to be performed against it, blocking any modification or deletion of the resource.


Applying Read-only can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.

Use resource locks to protect those key pieces of Azure that could have a large impact if they were removed or modified.