Safeguarding Your Azure Resources - Resource Group Locking Instructions

chirag darji 131

Is there any possibility that user cannot delete resource group but they can be delete resources under the resources group. It means it is possible to lock accidentals delete on resource group but not in resource in Azure.

Ex:

I have test resource group, under the resource group i have resource like compute, network etc.

The user can delete resource like compute, network etc. But he can't delete entire test resource group.

how can I do using CLI or GUI

Tasadduq Burney 8,361 Reputation points MVP

2023-12-21T11:17:37.0533333+00:00
Here are the general steps:

Using Azure Portal:

Navigate to the Resource Group you want to lock.

In the left-hand menu, under "Settings," select "Locks."

Click on "Add" to add a new lock.

Provide a name and choose the lock type: "Delete."

Set the scope to the resource group.

Save the lock.

Using Azure CLI: Use the Azure CLI command to create a lock on the resource group:

az lock create --name <lock-name> --lock-type CanNotDelete --resource-group <resource-group-name>

By default, the lock at the resource group level won't affect the individual resources within it. Users will be able to delete the resources even when the resource group is locked.
chirag darji 131 Reputation points

2023-12-21T13:39:37.25+00:00
Hi @Tasadduq Burney

Navigate to the Resource Group you want to lock.

In the left-hand menu, under "Settings," select "Locks."

Click on "Add" to add a new lock.

Provide a name and choose the lock type: "Delete."

Set the scope to the resource group.

Save the lock.

I follow these steps, but the user can delete Entire Resource. and I want allow user can delete only resource under resource group not entire resource group.
SadiqhAhmed-MSFT 37,921 Reputation points Microsoft Employee

2023-12-21T17:11:29.3266667+00:00
Hello @chirag darji Thank you for posting your question. I undetstand that you want to enable a lock at the resource level with which the user can delete a resource but not the entire resource group.

Yes, it is possible to lock accidental deletion of a resource group in Azure, but not for individual resources within the resource group. When you apply a lock to a resource group, it prevents all users from deleting the entire resource group, including all resources within it. However, it does not prevent users from deleting individual resources within the resource group. If you want to prevent accidental deletion of individual resources, you need to apply a lock to each resource separately.

To apply a lock to an individual resource in Azure, you can follow these steps from Azure Portal:

Go to the Azure portal and navigate to the resource you want to lock.

Click on the "Locks" option in the left-hand menu.

Click on the "+ Add" button to create a new lock.

Enter a name and description for the lock.

Select the lock type you want to apply. There are two types of locks: "CanNotDelete" and "ReadOnly". The "CanNotDelete" lock prevents users from deleting the resource, while the "ReadOnly" lock prevents users from modifying the resource.

Click on the "OK" button to create the lock.

From CLI:

To apply a lock to an individual resource using Azure CLI, you can use the az lock create command. Here's an example command to create a "CanNotDelete" lock on a virtual machine:

az lock create --name MyLock --lock-type CanNotDelete --resource-group MyResourceGroup --resource-name MyVirtualMachine --resource-type Microsoft.Compute/virtualMachines

Once the lock is applied, it will prevent users from deleting or modifying the resource, depending on the lock type you selected. Note that you will need to apply a lock to each individual resource you want to protect, as locks are not inherited from resource groups or other parent resources.

Hope this helps. Feel free to write back to us if there are any challenges or if you have any questions.

If the response helped, do "Accept Answer" and up-vote it
SadiqhAhmed-MSFT 37,921 Reputation points Microsoft Employee

2023-12-26T06:50:32.9566667+00:00

@chirag darji Just checking in to see if you got a chance to see my response and if it helped, I would request you to "Accept Answer and Upvote" so that the relevancy of this post will improve when anyone in the community search for a similar query.
SadiqhAhmed-MSFT 37,921 Reputation points Microsoft Employee

2023-12-27T07:30:12.19+00:00

@chirag darji We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
chirag darji 131 Reputation points

2023-12-28T04:39:48.1866667+00:00

Hello,

I appreciate your explanation, but my goal is to prevent accidental deletion of a resource group itself, while still allowing users to delete individual resources within that group.

For instance:

I have a resource group named "Test."

Within the "Test" resource group, there are various resources such as a Function App, Virtual Network, and Storage Account.

I have assigned Contributor access to an IAM user.

The desired outcome is that the IAM user can delete specific resources like the Function App, Virtual Network, and Storage Account, but they should be restricted from deleting the entire "Test" resource group.

Is there a way to achieve this?

Thank you.
TP 76,601 Reputation points

2023-12-28T04:48:52.4566667+00:00

@chirag darji The two techniques I detailed below do achieve your goal as you have described it. Please test them and reply back with your results. If you are unsure about how to implement them please add a comment below my answer and I will assist further.

Thank you.

Accepted answer

TP 76,601 Reputation points

2023-12-22T11:03:25.6433333+00:00

Hi,

From my understanding, you would like users to be able to delete individual resources within a resource group, but not the resource group itself. Please correct me if my understanding is wrong.

Two potential techniques to achieve your goal:

Create "Dummy" resource with Delete lock--with this technique you create one resource inside the group and apply a Delete lock to it. You want to use a resource that doesn't have an associated cost and that you don't plan to use. Having this resource inside of the group will prevent the group itself from being deleted, but will not prevent the other resources in the group from being deleted.

For example, say you have a Resource Group named "test-group". Inside of this group you create a Proximity Placement Group (PPG) named "delete-lock-ppg". On the Locks blade of the PPG, you create a new lock named "delete-lock" and select Delete for the lock type.

Once you have the above in place if you attempt to delete the resource group it will fail, however, if you attempt to delete other resources (besides the PPG) in the group it will succeed.

RBAC permissions--with this technique you assign users only Reader role to the resource group, and a higher Role, such as Contributor, to the resources within the group. This will allow users to delete individual resources within the group, but will block them if they attempt to delete the group itself, since they only have Read permission.

Downside of RBAC technique is having to assign permissions to all the individual resources in the group. Additionally, they would only have read rights to the group which may not be what you need since it would block some operations such as deploying new resources.

Please click Accept Answer and upvote if the above was helpful. If something is unclear or you need more details add a comment below.

Thanks.

-TP
Please sign in to rate this answer.
chirag darji 131 Reputation points

2023-12-28T05:25:18.6233333+00:00

Hi @TP,

I'm unsure about how to implement them please assist me for implements.

TP 76,601 Reputation points

2023-12-28T05:55:00.4666667+00:00

@chirag darji For first technique: in the portal, create a Proximity Placement Group named "delete-lock-ppg" in your Test resource group. You can use link below to get the process started:

https://portal.azure.com/#create/Microsoft.ProximityPlacementGroup

Fill out similar to below:

Click Review + create, then Create button.

Browse to the new delete-lock-ppg and click on Locks blade. Click Add, enter delete-lock for the Name, select Delete for Lock type, then click OK, similar to below:

The delete lock should show up in the list, as shown below:

After completing the above if you attempt to delete the entire resource group, you should receive an error due to the above lock. If you attempt to delete an individual resource in the group such as a Function app, VNet, Storage account, etc., you should be able to delete it.

Please test the above steps using a group that contains test resources you do not care about in case you make a mistake.

Thanks
Sign in to comment

1 additional answer

Jane Shen 0 Reputation points

2024-03-07T18:38:20.56+00:00

I'm totally confused.
I thought you apply a lock on the resource group level, then it inherits to the resources (which means you can not delete any resources within the resource group).
But I don't know why you said user can still delete individual resources.
Please sign in to rate this answer.
chirag darji 131 Reputation points

2024-03-08T04:55:58.3333333+00:00

HI @Jane Shan ,
This is business need to user can able to delete resources within a resource group. But they can delete entire resource group.
Sign in to comment