You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-resource-manager/management/lock-resources.md
+8-4Lines changed: 8 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,17 +2,15 @@
2
2
title: Lock resources to prevent changes
3
3
description: Prevent users from updating or deleting critical Azure resources by applying a lock for all users and roles.
4
4
ms.topic: conceptual
5
-
ms.date: 05/14/2019
5
+
ms.date: 02/07/2020
6
6
---
7
7
8
8
# Lock resources to prevent unexpected changes
9
9
10
10
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to **CanNotDelete** or **ReadOnly**. In the portal, the locks are called **Delete** and **Read-only** respectively.
11
11
12
12
***CanNotDelete** means authorized users can still read and modify a resource, but they can't delete the resource.
13
-
***ReadOnly** means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the **Reader** role.
***ReadOnly** means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the **Reader** role.
16
14
17
15
## How locks are applied
18
16
@@ -31,6 +29,7 @@ Applying **ReadOnly** can lead to unexpected results because some operations tha
31
29
* A **ReadOnly** lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. These operations require a POST request.
32
30
33
31
## Who can create or delete locks
32
+
34
33
To create or delete management locks, you must have access to `Microsoft.Authorization/*` or `Microsoft.Authorization/locks/*` actions. Of the built-in roles, only **Owner** and **User Access Administrator** are granted those actions.
35
34
36
35
## Managed Applications and locks
@@ -53,7 +52,12 @@ To delete everything for the service, including the locked infrastructure resour
If you lock the resource group created by Azure Backup Service, backups will start to fail. The service supports a maximum of 18 restore points. With a **CanNotDelete** lock, the backup service is unable to clean up restore points. For more information, see [Frequently asked questions-Back up Azure VMs](../../backup/backup-azure-vm-backup-faq.md).
0 commit comments