![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 71%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,182 questions
Hello @MS Techie
There are a few ways of doing this, either using Activity log alerts or Log Alerts if your Activity logs are sent to a Log Analytics workspace.
Here in my example I've added and removed a lock from a resource.
Using the data generated, it is easy to see the Operation names, that we are interested in and we can follow the steps here to create the activity log alert https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric#create-an-activity-log-alert-rule-from-the-activity-log-pane
If the Activity logs are being sent to a Log Analytics workspace, you can run a simple query to find all the "Delete management locks" events
AzureActivity
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
If you want to create an Azure Monitor alert, then you can follow the steps here https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric#create-a-new-alert-rule-in-the-azure-portal though if you are using Microsoft Sentinel, for this type of event you may want to alert on it in that product, therefore the steps are found here https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom
Finally it is worth noting that a lock applied to a resource group will apply to resource within that resource group, but the logs will not tell you the details about the resource within the resource group. Therefore depending on how you have applied your locks and scope the alerting, will determine if you get an alert for the storage account or for the parent resource group.
If you want to alert specifically for a storage account, then apply the lock to the storage account and make sure your activity or log alert is scoped to the subscription, resource group if you want the alert to scale / cover multiple resources at once, or just to the storage account if you want it to be specific.
I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.
Kind regards
Alistair
