Hello Simona,
Greetings! Welcome to Microsoft Q&A Platform.
Adding to the above information, there are two types of ARM resource locks:
CannotDelete Lock: This lock prevents users from deleting a resource but allows reading and modifying its configuration.
ReadOnly Lock: This lock prevents users from deleting or modifying a resource but permits reading its configuration.
Refer to https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#considerations-before-applying-your-locks for detailed considerations on locks.
In your case, the CannotDelete lock is preventing you from deleting the endpoint. To enable endpoint elimination while keeping the lock on the storage account, consider the following steps:
Read-Only Lock: If you can work with a Read-Only lock instead of CannotDelete, you’ll be able to read the configuration and delete the endpoint. The ReadOnly lock doesn’t prevent data deletion or modification within the storage account.
Azure CLI or PowerShell: You can configure the lock using either the Azure portal, Azure CLI, or PowerShell.
Azure Portal:
- Navigate to your storage account in the Azure portal.
- Under the Settings section, select Locks.
- Click Add, provide a name for the resource lock, specify the type (Read-Only), and add a note if desired.
Azure CLI:
az lock create --name myLock --resource-name myStorageAccount --resource-group myResourceGroup --resource-type Microsoft.Storage/storageAccounts --lock-type ReadOnly
When a ReadOnly lock is applied, the List Keys operation (used to access account keys) is blocked. Clients with account access keys will need to use Microsoft Managed Identity or other credentials to access blob or queue data within the storage account.
To automate the process of deleting the automatically created endpoint while keeping the lock on the storage account, you can use Azure PowerShell or Azure CLI.
Sample commands to delete the endpoint:
# Replace with your resource group, storage account and endpoint names
$resourceGroupName = "your-resource-group-name"
$storageAccountName = "your-storage-account-name"
$endpointName = "your-endpoint-name"
# Confirm the endpoint actually targets this storage account before deleting it
$endpoint = Get-AzPrivateEndpoint -ResourceGroupName $resourceGroupName -Name $endpointName
if (-not ($endpoint.PrivateLinkServiceConnections.PrivateLinkServiceId -like "*/storageAccounts/$storageAccountName")) {
    throw "Endpoint $endpointName does not target $storageAccountName"
}
# Delete the endpoint (Remove-AzPrivateEndpoint takes the endpoint's resource group and name; -Force skips the confirmation prompt)
Remove-AzPrivateEndpoint -ResourceGroupName $resourceGroupName -Name $endpointName -Force
This will remove the endpoint associated with the storage account. You can schedule these commands as part of a script or use them in an automation pipeline to achieve the desired automation.
Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
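The following script is an added example and is not part of the answer above or of any Microsoft documentation. It automates the approach many practitioners take when a CannotDelete lock on the storage account has to stay in place: lift the lock only for the moment the private endpoint is deleted, and reapply it in a finally block so the account is never left unlocked if the deletion fails. It assumes the Az.Resources and Az.Network modules are installed, Connect-AzAccount has already been run, the lock is applied directly on the storage account (locks inherited from the resource group or subscription are not handled), and all resource names are placeholders.

```powershell
# Added example, not from the Microsoft Q&A answer above. Deletes a private endpoint that
# targets a storage account carrying a CannotDelete lock: the lock is lifted only for the
# duration of the deletion and reapplied in a finally block. Assumes Az.Resources and
# Az.Network are installed, Connect-AzAccount has been run, and the lock sits directly on
# the storage account (not inherited). All resource names are placeholders.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,          # resource group of the storage account
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [Parameter(Mandatory)] [string] $EndpointResourceGroupName,  # private endpoints often live in a network RG
    [Parameter(Mandatory)] [string] $EndpointName
)

$ErrorActionPreference = 'Stop'
$storageType = 'Microsoft.Storage/storageAccounts'

# Guard: only delete an endpoint whose private link connection (auto- or manually approved)
# really points at this storage account.
$endpoint = Get-AzPrivateEndpoint -ResourceGroupName $EndpointResourceGroupName -Name $EndpointName
$connections = @($endpoint.PrivateLinkServiceConnections) + @($endpoint.ManualPrivateLinkServiceConnections)
$targets = @($connections | ForEach-Object { $_.PrivateLinkServiceId })
if (-not ($targets | Where-Object { $_ -like "*/$storageType/$StorageAccountName" })) {
    throw "Private endpoint '$EndpointName' does not target storage account '$StorageAccountName'; refusing to delete."
}

# Snapshot the locks applied directly to the storage account so they can be restored verbatim.
$locks = @(Get-AzResourceLock -ResourceGroupName $ResourceGroupName -ResourceName $StorageAccountName `
    -ResourceType $storageType -AtScope)
if ($locks.Count -eq 0) { Write-Warning "No lock applied directly on '$StorageAccountName'." }

try {
    foreach ($lock in $locks) {
        Write-Host "Lifting lock '$($lock.Name)' ($($lock.Properties.level))"
        Remove-AzResourceLock -LockId $lock.LockId -Force | Out-Null
    }
    Write-Host "Deleting private endpoint '$EndpointName'"
    Remove-AzPrivateEndpoint -ResourceGroupName $EndpointResourceGroupName -Name $EndpointName -Force
}
finally {
    # Runs on success and on failure alike, so a failed deletion still leaves the account locked.
    foreach ($lock in $locks) {
        $restore = @{
            LockName          = $lock.Name
            LockLevel         = $lock.Properties.level   # CanNotDelete or ReadOnly, as captured
            ResourceGroupName = $ResourceGroupName
            ResourceName      = $StorageAccountName
            ResourceType      = $storageType
            Force             = $true
        }
        if ($lock.Properties.notes) { $restore.LockNotes = $lock.Properties.notes }
        Write-Host "Restoring lock '$($lock.Name)'"
        New-AzResourceLock @restore | Out-Null
    }
}
```

Run it as `.\Remove-LockedEndpoint.ps1 -ResourceGroupName rg-storage -StorageAccountName mystorage -EndpointResourceGroupName rg-network -EndpointName mystorage-blob-pe` (file and resource names are placeholders). The identity running it needs permission to manage locks (the Microsoft.Authorization/locks/* actions, which the Owner and User Access Administrator roles carry), so it is best run from a pipeline identity rather than a broadly shared account. Note that between Remove-AzResourceLock and the restore in the finally block the storage account is briefly deletable by anyone with the right role, which is why the window is kept to a single deletion and the lock is restored even on error.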