Description:

This control ensures that permissions for managing Azure resource locks are granted only through a custom role. Using a custom role limits access to lock-related actions, prevents accidental changes or deletions of critical resources, and provides better control over who can modify or remove protection settings.


Rationale:

Restricting resource lock management to a custom role reduces the risk of unauthorized deletion or modification of critical resources. It enforces least privilege access and ensures accountability by allowing only approved users to manage protection controls.


Impact:

Only users assigned the custom role will be able to manage resource locks. Other users may lose the ability to change or remove locks, which improves security but may require role updates for teams that previously had broad permissions.


Pre-requisites:

  • Azure subscription access

  • Owner or User Access Administrator role

  • Custom roles feature enabled

  • Approved list of users who should manage locks

Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Subscriptions and select the relevant subscription

  3. Open Access control (IAM)

  4. Select Roles and review Custom roles

  5. Verify a custom role exists with permissions to manage resource locks

  6. Verify the custom role is assigned to the intended users or groups

  7. If a custom role with resource lock permissions is not present or assigned, follow the implementation steps


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Subscriptions and select the relevant subscription

  3. Select Access control (IAM)


  4. Select Roles and choose Create

  5. Click Add and select Custom role

  6. Enter a role name and description for administering resource locks

  7. Add the following permissions individually under Microsoft.Authorization

    • Add Microsoft.Authorization/locks/read

    • Add Microsoft.Authorization/locks/write

    • Add Microsoft.Authorization/locks/delete

  8. Set the assignable scope to the required subscription or resource group

  9. Create and save the custom role
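The same role definition and the test-plan check, scripted as an added example (not part of this control's text): it builds the lock-only role for `az role definition create --role-definition @role.json` and audits role definitions in the shape returned by `az role definition list --custom-role-only true -o json`. The subscription id and the sample role definitions are constructed placeholders.

```python
"""Audit and build a least-privilege Azure resource-lock custom role (added example)."""
import fnmatch
import json

LOCK_ACTIONS = {
    "Microsoft.Authorization/locks/read",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete",
}

def build_lock_role_definition(subscription_id, name="Resource Lock Administrator"):
    """Role definition granting only the three lock actions, scoped to one subscription.
    Save as role.json and run: az role definition create --role-definition @role.json"""
    return {
        "Name": name,
        "Description": "Create, modify and remove Azure resource locks; nothing else.",
        "Actions": sorted(LOCK_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def effective_actions(role):
    """Flatten a role definition's permissions blocks into the set of granted actions."""
    return {a for p in role.get("permissions", []) for a in p.get("actions", [])}

def covers_lock_actions(role):
    """True if every lock action is granted, directly or via a wildcard such as Microsoft.Authorization/*."""
    granted = effective_actions(role)
    return all(any(fnmatch.fnmatchcase(need, g) for g in granted) for need in LOCK_ACTIONS)

def is_least_privilege_lock_role(role):
    """The control wants a dedicated custom role: exactly the three lock actions, no wildcards
    or unrelated actions, so a broad role that merely includes locks does not satisfy it."""
    return (role.get("roleType") == "CustomRole"
            and covers_lock_actions(role)
            and effective_actions(role) == LOCK_ACTIONS)

def find_lock_roles(definitions):
    """Names of role definitions that satisfy the control (test-plan step 5)."""
    return [r["roleName"] for r in definitions if is_least_privilege_lock_role(r)]

SUB = "00000000-0000-0000-0000-000000000000"  # constructed placeholder subscription id
SAMPLE_DEFINITIONS = [  # constructed sample, shaped like `az role definition list -o json`
    {"roleName": "Resource Lock Administrator", "roleType": "CustomRole",
     "permissions": [{"actions": sorted(LOCK_ACTIONS), "notActions": []}]},
    {"roleName": "Broad Ops", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/*"], "notActions": []}]},
    {"roleName": "Lock Reader", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/read"], "notActions": []}]},
]

if __name__ == "__main__":
    print(json.dumps(build_lock_role_definition(SUB), indent=2))
    print("compliant roles:", find_lock_roles(SAMPLE_DEFINITIONS))
```

"Broad Ops" passes `covers_lock_actions` but fails the least-privilege check, which is the distinction the test plan's review of custom roles is meant to catch.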

Backout plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Subscriptions and select the relevant subscription

  3. Select Access control (IAM)

  4. Select Roles and open the custom role for resource locks

  5. Remove the role assignment or delete the custom role

  6. Save the changes


Reference: