Can a "contributor" create a lock on resource group?

Shubham Gattani 20 Reputation points
2023-05-10T13:28:15.39+00:00

Can a "contributor" create a lock on resource group? If yes, can the owner remove that lock or only the contributor can remove it?

Azure Training
Azure Training
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Training: Instruction to develop new skills.
1,309 questions
0 comments No comments
{count} votes

Accepted answer
  1. Luca Lionetti 3,136 Reputation points
    2023-05-10T13:52:57.53+00:00

    HI Shubham Gattani,

    To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks. You can create a custom role with the required permissions.

    ref:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

    Hope this helps

    Cheers

    Luca

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. kobulloc-MSFT 26,131 Reputation points Microsoft Employee
    2023-05-19T00:10:49.4733333+00:00

    Hello, @Shubham Gattani !

    @Luca Lionetti has done a great job of identifying the documentation that you'd want to study to supplement your AZ-900 preparation. As this is a fundamentals course, I wanted to include some additional information, address your second question, and provide additional resources.

    Where am I seeing this?

    Can a "contributor" create a lock on resource group?

    No. Only the Owner and the User Access Administrator built-in roles can create and delete management locks. It's possible to create custom roles with access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* which would have the permissions required to create or delete management locks as well.

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#who-can-create-or-delete-locks

    Can the owner remove a lock or can only the role that created it remove it?

    Anyone with the appropriate permissions (like Owner) would be able to remove the lock regardless of who created it. As you become more familiar with creating custom roles you'll discover that permissions are broken down by area (like Microsoft.Authorization/locks/* above) and that built-in roles, like Owner, are a collection of permissions (which you can copy and use as a base for custom roles).

    Where can I learn more about locks?

    In addition to the official learning path and documentation listed above, there are several free resources available online. One video series that many people have found helpful has been this AZ-900 prep by Adam Marczak which provides useful visuals and breaks information down into bite-sized chunks:

    https://www.youtube.com/watch?v=eDH20Ve0eI0

    0 comments No comments