You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-resource-manager/management/lock-resources.md
+11-9Lines changed: 11 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
title: Lock resources to prevent changes
3
3
description: Prevent users from updating or deleting critical Azure resources by applying a lock for all users and roles.
4
4
ms.topic: conceptual
5
-
ms.date: 02/07/2020
5
+
ms.date: 05/19/2020
6
6
---
7
7
8
8
# Lock resources to prevent unexpected changes
@@ -20,13 +20,19 @@ Unlike role-based access control, you use management locks to apply a restrictio
20
20
21
21
Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to `https://management.azure.com`. The locks don't restrict how resources perform their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on a SQL Database prevents you from deleting or modifying the database. It doesn't prevent you from creating, updating, or deleting data in the database. Data transactions are permitted because those operations aren't sent to `https://management.azure.com`.
22
22
23
-
Applying **ReadOnly** can lead to unexpected results because some operations that don't seem to modify the resource actually require actions that are blocked by the lock. The **ReadOnly** lock can be applied to the resource or to the resource group containing the resource. Some common examples of the operations that are blocked by a **ReadOnly** lock are:
23
+
## Considerations before applying locks
24
24
25
-
* A **ReadOnly** lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.
25
+
Applying locks can lead to unexpected results because some operations that don't seem to modify the resource actually require actions that are blocked by the lock. Some common examples of the operations that are blocked by locks are:
26
26
27
-
* A **ReadOnly**lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.
27
+
* A read-only lock on a **storage account**prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.
28
28
29
-
* A **ReadOnly** lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. These operations require a POST request.
29
+
* A read-only lock on an **App Service** resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.
30
+
31
+
* A read-only lock on a **resource group** that contains a **virtual machine** prevents all users from starting or restarting the virtual machine. These operations require a POST request.
32
+
33
+
* A read-only lock on a **subscription** prevents **Azure Advisor** from working correctly. Advisor is unable to store the results of its queries.
34
+
35
+
* A cannot-delete lock on the **resource group** created by **Azure Backup Service** causes backups to fail. The service supports a maximum of 18 restore points. When locked, the backup service can't clean up restore points. For more information, see [Frequently asked questions-Back up Azure VMs](../../backup/backup-azure-vm-backup-faq.md).
30
36
31
37
## Who can create or delete locks
32
38
@@ -52,10 +58,6 @@ To delete everything for the service, including the locked infrastructure resour
If you lock the resource group created by Azure Backup Service, backups will start to fail. The service supports a maximum of 18 restore points. With a **CanNotDelete** lock, the backup service is unable to clean up restore points. For more information, see [Frequently asked questions-Back up Azure VMs](../../backup/backup-azure-vm-backup-faq.md).
0 commit comments