This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 31%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Can a "contributor" create a lock on resource group? If yes, can the owner remove that lock or only the contributor can remove it?
HI Shubham Gattani,
To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks. You can create a custom role with the required permissions.
ref:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
Hope this helps
Cheers
Luca
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 4%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Hello, @Shubham Gattani !
@Luca Lionetti has done a great job of identifying the documentation that you'd want to study to supplement your AZ-900 preparation. As this is a fundamentals course, I wanted to include some additional information, address your second question, and provide additional resources.
Where am I seeing this?
Can a "contributor" create a lock on resource group?
No. Only the Owner and the User Access Administrator built-in roles can create and delete management locks. It's possible to create custom roles with access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* which would have the permissions required to create or delete management locks as well.
Can the owner remove a lock or can only the role that created it remove it?
Anyone with the appropriate permissions (like Owner) would be able to remove the lock regardless of who created it. As you become more familiar with creating custom roles you'll discover that permissions are broken down by area (like Microsoft.Authorization/locks/* above) and that built-in roles, like Owner, are a collection of permissions (which you can copy and use as a base for custom roles).
Where can I learn more about locks?
In addition to the official learning path and documentation listed above, there are several free resources available online. One video series that many people have found helpful has been this AZ-900 prep by Adam Marczak which provides useful visuals and breaks information down into bite-sized chunks: