Description:

Mission-critical Azure resources must have Resource Locks configured to prevent accidental deletion or modification. Locks enforce protection at the subscription, resource group, or resource level and ensure essential services remain available and safeguarded from unintended changes.


Rationale:

Resource Locks provide an additional control layer to prevent configuration drift or accidental deletion by authorized users. They enforce operational discipline and protect business-critical infrastructure from outages caused by human error.


Impact:

Locked resources cannot be deleted or modified until the lock is removed. Operational teams must follow formal change procedures to make updates. This adds control but may slightly delay emergency fixes if proper access management is not in place.


Default Value:

Resource Locks: Not configured by default


Pre-Requisites:

  • Mission-critical Azure resources have been identified

  • Appropriate permissions (Owner role) are in place

  • Change approval has been obtained prior to implementation


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Identify the mission-critical Azure resource, resource group, or subscription.

  3. Open the selected resource.

  4. Under Settings, select Resource locks.

  5. Verify that a Resource Lock is present.

  6. Confirm the Lock type is either:

  • Delete, or

  • Read-only

  7. If no lock is present, follow the Implementation Steps.
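The portal check above can also be run across a whole inventory. The following is an added example, not part of the original control text: it takes lock records in the shape returned by `az lock list --output json` and reports which mission-critical resources have no lock, counting locks inherited from a parent resource group or subscription. Assumptions: all IDs and names are constructed sample values, and the portal's "Delete" and "Read-only" lock types appear in the API as the levels `CanNotDelete` and `ReadOnly`.

```python
# Constructed sample data in the shape of `az lock list --output json`; not real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LOCKS = [
    {"name": "rg-prod-nodelete", "level": "CanNotDelete",
     "id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/rg-prod-nodelete"},
    {"name": "sql01-readonly", "level": "ReadOnly",
     "id": f"{SUB}/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql01"
           "/providers/Microsoft.Authorization/locks/sql01-readonly"},
]
# Hypothetical inventory of mission-critical resource IDs.
CRITICAL = [
    f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01",
    f"{SUB}/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql01",
    f"{SUB}/resourceGroups/rg-prod2/providers/Microsoft.Storage/storageAccounts/stprod2",
    f"{SUB}/resourceGroups/rg-data/providers/Microsoft.KeyVault/vaults/kv-data",
]

LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
VALID_LEVELS = {"CanNotDelete", "ReadOnly"}  # portal labels: Delete / Read-only


def lock_scope(lock_id):
    """Scope the lock is attached to: the lock ID minus its trailing lock segment."""
    lowered = lock_id.lower()  # Azure resource IDs are case-insensitive
    idx = lowered.rfind(LOCK_SUFFIX)
    return lowered[:idx] if idx != -1 else None


def covering_locks(resource_id, locks):
    """Locks applied directly to the resource or inherited from a parent scope."""
    rid = resource_id.lower().rstrip("/")
    hits = []
    for lock in locks:
        scope = lock_scope(lock["id"])
        if scope is None or lock.get("level") not in VALID_LEVELS:
            continue
        # Match on a path boundary so a lock on rg-prod does not cover rg-prod2.
        if rid == scope or rid.startswith(scope + "/"):
            hits.append((lock["name"], lock["level"]))
    return hits


def unprotected(resources, locks):
    """Resources that fail the test plan: no Delete or Read-only lock covers them."""
    return [r for r in resources if not covering_locks(r, locks)]


if __name__ == "__main__":
    for rid in unprotected(CRITICAL, LOCKS):
        print("NO LOCK:", rid)
```
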


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Identify the mission-critical Azure resource, resource group, or subscription.

  3. Open the selected resource.

  4. Under Settings, select Resource locks.

  5. Click Add.

  6. Enter a Lock name (meaningful and descriptive).

  7. Select the Lock type:

  • Delete (recommended), or

  • Read-only (if full change restriction is required).

  8. (Optional) Add a justification in the Notes field.

  9. Click OK to apply the lock.

Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open the mission-critical Azure resource, resource group, or subscription.

  3. Under Settings, select Resource locks.

  4. Identify the Resource Lock to be removed.

  5. Select the lock and click Delete.

  6. Confirm the deletion of the lock.


References: