Use Azure CLI for resource lock operations on Azure Cosmos DB for Table tables


The script in this article demonstrates performing resource lock operations for a API for Table table.


To enable resource locking, the Azure Cosmos DB account must have the disableKeyBasedMetadataWriteAccess property enabled. This property prevents any changes to resources from clients that connect via account keys, such as the Azure Cosmos DB Table SDK, Azure Storage Table SDK, or Azure portal. For more information, see Preventing changes from SDKs.


  • You need an Azure Cosmos DB for Table account, database, and table created. If you don't have an Azure subscription, create an Azure free account before you begin.


    To create or delete resource locks, you must have the Owner role in your Azure subscription.

  • This script requires Azure CLI version 2.12.1 or later.

    • You can run the script in the Bash environment in Azure Cloud Shell. When Cloud Shell opens, make sure Bash appears in the environment field at the upper left of the shell window. Cloud Shell always has the latest version of Azure CLI.

      Launch Cloud Shell in a new window

      Cloud Shell is automatically authenticated under the account you used to sign in to the Azure portal. You can use az account set to sign in with a different subscription, replacing <subscriptionId> with your Azure subscription ID.

      subscription="<subscriptionId>" # add subscription here
      az account set -s $subscription # ...or use 'az login'
    • If you prefer, you can install Azure CLI to run the script locally. Run az version to find the Azure CLI version and dependent libraries that are installed, and run az upgrade if you need to upgrade. If prompted, install Azure CLI extensions. If you're running Windows or macOS, consider running Azure CLI in a Docker container.

      If you're using a local installation, sign in to Azure by running az login and following the prompts. For other sign-in options, see Sign in with the Azure CLI.

Sample script

The following script uses Azure CLI az lock commands to manipulate resource locks on your Azure Cosmos DB for Table table. The script needs the resourceGroup, account name, and table name for the Azure Cosmos DB account and table you created.

  • az lock create creates a CanNotDelete resource lock on the table.
  • az lock list lists all the lock information for your Azure Cosmos DB Table account.
  • az lock delete uses az lock show to get the id of the lock on your table, and then uses the lockid property to delete the lock.
# Resource lock operations for a Table API table

# Subscription owner permissions required for this script

# Run this script after running
# ""

# Variable block
# Use values from prerequisite script or from your environment
# resourceGroup="your resource group name"
# account="your account name"
# table="your table name"

lockType='CanNotDelete' # CanNotDelete or ReadOnly

# Create a delete lock on table
echo "Creating $lockType lock on $table"
az lock create --name $tableLock --resource-group $resourceGroup --resource-type $tableResourceType --lock-type $lockType --parent $tableParent --resource $table 

# List all locks on a Cosmos account
echo "Listing locks on $account"
az lock list --resource-group $resourceGroup --resource-name $account --namespace Microsoft.DocumentDB --resource-type databaseAccounts

# Delete lock on table
echo "Deleting $tableLock on $table"
lockid=$(az lock show --name $tableLock --resource-group $resourceGroup --resource-type $tableResourceType --resource $table --parent $tableParent --output tsv --query id)
az lock delete --ids $lockid

Clean up resources

If you no longer need the resources you created, use the az group delete command to delete the resource group and all resources it contains. These resources include the Azure Cosmos DB account and table. The resources might take a while to delete.

az group delete --name $resourceGroup

Next steps