Subscription locks

Each lock is a separate resource and is available on either a subscription, resource group, or a resource level. In this section, we will cover working with them using Azure portal, but under the hood, locks are just Azure resources that are accessible via the ARM API. If you want to create a lock, follow these steps:

1. If you go to your subscription, you can find the Resource locks blade in the Settings section:

1. From the new screen, you can click on the + Add button, where you will able to enter the lock's properties:

Adding a lock requires that you provide the following information:

• • Lock name: The unique lock name across the given scope
  • Lock type: Determines the behavior of a lock
  • Notes: Optional notes

Once you click the OK button, a lock will be applied on the subscription level and a specific action (changes/deletion) will become forbidden.

1. The same can be done from the Azure CLI level. To list all the locks, you can use the following command:

$ az lock list

1. Since we are using an Azure CLI command without providing an output type, the default result representation is a JSON document. It contains information about the full identifier of the lock (id), its type (the level parameter) and additional information (such as a description and its name):

[
  {
    "id": "/subscriptions/.../providers/Microsoft.Authorization/locks/Delete",
    "level": "CanNotDelete",
    "name": "Delete",
    "notes": "Delete lock for the subscription",
    "owners": null,
    "type": "Microsoft.Authorization/locks"
  }
]

1. Now, to create a new one, execute the following command:

$ az lock create -n "Read-only" -t "ReadOnly"

Now, you should be able to see the result of creating a read-only lock. Since we only provided the name (-n) and lock type (-t), only those fields will be filled in inside the JSON document:

{
  "id": "/subscriptions/.../providers/Microsoft.Authorization/locks/Read-only",
  "level": "ReadOnly",
  "name": "Read-only",
  "notes": null,
  "owners": null,
  "type": "Microsoft.Authorization/locks"
}

Now, let's look at resource group locks, which are more focused locks. This is because they're only applied at the resource group level.