Tutorial: Protect new resources with Azure Blueprints resource locks
Important
On July 11, 2026, Blueprints (Preview) will be deprecated. Migrate your existing blueprint definitions and assignments to Template Specs and Deployment Stacks. Blueprint artifacts are to be converted to ARM JSON templates or Bicep files used to define deployment stacks. To learn how to author an artifact as an ARM resource, see:
With Azure Blueprints resource locks, you can protect newly
deployed resources from being tampered with, even by an account with the Owner role. You can add
this protection in the blueprint definitions of resources created by an Azure Resource Manager
template (ARM template) artifact. The Blueprint resource lock is set during blueprint assignment.
In this tutorial, you'll complete these steps:
Create a blueprint definition
Mark your blueprint definition as Published
Assign your blueprint definition to an existing subscription (set resource locks)
Inspect the new resource group
Unassign the blueprint to remove the locks
Prerequisites
If you don't have an Azure subscription, create a free account
before you begin.
Create a blueprint definition
First, create the blueprint definition.
Select All services in the left pane. Search for and select Blueprints.
On the Getting started page on the left, select Create under Create a
blueprint.
Find the Blank Blueprint blueprint sample at the top of the page. Select Start with
blank blueprint.
Enter this information on the Basics tab:
Blueprint name: Provide a name for your copy of the blueprint sample. For this tutorial,
we'll use the name locked-storageaccount.
Blueprint description: Add a description for the blueprint definition. Use For testing
blueprint resource locking on deployed resources.
Definition location: Select the ellipsis button (...) and then select the management group
or subscription to save your blueprint definition to.
Select the Artifacts tab at the top of the page, or select Next: Artifacts at the bottom
of the page.
Add a resource group at the subscription level:
Select the Add artifact row under Subscription.
Select Resource Group under Artifact type.
Set the Artifact display name to RGtoLock.
Leave the Resource Group Name and Location boxes blank, but make sure the check box is
selected on each property to make them dynamic parameters.
Select Add to add the artifact to the blueprint.
Add a template under the resource group:
Select the Add artifact row under the RGtoLock entry.
Select Azure Resource Manager template under Artifact type, set Artifact display
name to StorageAccount, and leave Description blank.
On the Template tab, paste the following ARM template into the editor box. After you paste
in the template, select Add to add the artifact to the blueprint.
Note
This step defines the resources to be deployed that get locked by the Blueprint resource
lock, but doesn't include the Blueprint resource locks. Blueprint resource locks are
set as a parameter of the blueprint assignment.
This step creates the blueprint definition in the selected management group or subscription.
After the Saving blueprint definition succeeded portal notification appears, go to the next
step.
Publish the blueprint definition
Your blueprint definition has now been created in your environment. It's created in Draft mode
and must be published before it can be assigned and deployed.
Select All services in the left pane. Search for and select Blueprints.
Select the Blueprint definitions page on the left. Use the filters to find the
locked-storageaccount blueprint definition, and then select it.
Select Publish blueprint at the top of the page. In the new pane on the right, enter 1.0
as the Version. This property is useful if you make a change later. Enter Change notes,
such as First version published for locking blueprint deployed resources. Then select
Publish at the bottom of the page.
This step makes it possible to assign the blueprint to a subscription. After the blueprint
definition is published, you can still make changes. If you make changes, you need to publish the
definition with a new version value to track differences between versions of the same blueprint
definition.
After the Publishing blueprint definition succeeded portal notification appears, go to the next
step.
Assign the blueprint definition
After the blueprint definition is published, you can assign it to a subscription within the
management group where you saved it. In this step, you provide parameters to make each deployment of
the blueprint definition unique.
Select All services in the left pane. Search for and select Blueprints.
Select the Blueprint definitions page on the left. Use the filters to find the
locked-storageaccount blueprint definition, and then select it.
Select Assign blueprint at the top of the blueprint definition page.
Provide the parameter values for the blueprint assignment:
Basics
Subscriptions: Select one or more of the subscriptions that are in the management group
where you saved your blueprint definition. If you select more than one subscription, an
assignment will be created for each subscription, using the parameters you enter.
Assignment name: The name is pre-populated based on the name of the blueprint
definition. We want this assignment to represent locking the new resource group, so change
the assignment name to assignment-locked-storageaccount-TestingBPLocks.
Location: Select a region in which to create the managed identity. Azure Blueprints uses
this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see
managed identities for Azure resources.
For this tutorial, select East US 2.
Blueprint definition version: Select the published version 1.0 of the blueprint
definition.
Lock Assignment: Select the Read Only blueprint lock mode. This setting configures the Blueprint
resource lock on the newly deployed resources.
Managed Identity
Use the default option: System assigned. For more information, see
managed identities.
Artifact parameters
The parameters defined in this section apply to the artifact under which they're defined. These
parameters are dynamic parameters because
they're defined during the assignment of the blueprint. For each artifact, set the parameter
value to what you see in the Value column.
Artifact: RGtoLock resource group (Resource group). Parameter: Name. Value: TestingBPLocks.
Defines the name of the new resource group to apply blueprint locks to.
Artifact: RGtoLock resource group (Resource group). Parameter: Location. Value: West US 2.
Defines the location of the new resource group to apply blueprint locks to.
Artifact: StorageAccount (Resource Manager template). Parameter: storageAccountType
(StorageAccount). Value: Standard_GRS. The storage SKU; the template's default value is
Standard_LRS.
After you've entered all parameters, select Assign at the bottom of the page.
This step deploys the defined resources and configures the selected Lock Assignment. It can take
up to 30 minutes to apply blueprint locks.
After the Assigning blueprint definition succeeded portal notification appears, go to the next
step.
Inspect resources deployed by the assignment
The assignment creates the resource group TestingBPLocks and the storage account deployed by the
ARM template artifact. The new resource group and the selected lock state are shown on the
assignment details page.
Select All services in the left pane. Search for and select Blueprints.
Select the Assigned blueprints page on the left. Use the filters to find the
assignment-locked-storageaccount-TestingBPLocks blueprint assignment, and then select it.
From this page, we can see that the assignment succeeded and that the resources were deployed
with the new blueprint lock state. If the assignment is updated, the Assignment operation
dropdown list shows details about the deployment of each definition version. You can select the
resource group to open the property page.
Select the TestingBPLocks resource group.
Select the Access control (IAM) page on the left. Then select the Role assignments tab.
Here we see that the assignment-locked-storageaccount-TestingBPLocks blueprint assignment has
the Owner role. It has this role because this role was used to deploy and lock the resource
group.
Select the Deny assignments tab.
The blueprint assignment created a deny assignment on the deployed resource group to enforce the
Read Only blueprint lock mode. A deny assignment blocks specific actions even for a principal
that is granted them on the Role assignments tab, because Azure evaluates deny assignments before
role assignments. This deny assignment applies to All principals.
Select the deny assignment, and then select the Denied Permissions page on the left.
The deny assignment denies every operation (Actions is set to *) except reads, which are carved
out by listing */read under NotActions. That carve-out is what makes the lock Read Only rather
than a full block.
In the Azure portal breadcrumb, select TestingBPLocks - Access control (IAM). Then select
the Overview page on the left and then the Delete resource group button. Enter the name
TestingBPLocks to confirm the delete and then select Delete at the bottom of the pane.
The portal notification Delete resource group TestingBPLocks failed appears. The error states
that although your account has permission to delete the resource group, access is denied by the
blueprint assignment. Remember that we selected the Read Only blueprint lock mode during
blueprint assignment. The blueprint lock prevents an account with permission, even Owner, from
deleting the resource group. For more information, see
blueprints resource locking.
These steps show that our deployed resources are now protected with blueprint locks that prevent
unwanted deletion, even from an account that has permission to delete the resources.
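The behaviour observed above comes down to Azure evaluating deny assignments before role assignments. The following model, added here as an example and not code from Microsoft or from this tutorial, implements that evaluation order together with Azure's wildcard matching for operation strings, and replays the tutorial: an Owner is refused the resource group delete while the Read Only lock is in place, reads still succeed, and the delete succeeds again once the assignment (and with it the deny assignment) is gone. The Read Only pattern (Actions *, NotActions */read) is the one shown on the Denied Permissions page; the Do Not Delete pattern (*/delete), the exclusion of the blueprint assignment's own managed identity from the deny assignment, and the principal names admin and bp-identity are assumptions made for the example.

```python
import re
from dataclasses import dataclass


def operation_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' stands for any run of characters,
    including '/' separators, and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def covered(actions, not_actions, operation: str) -> bool:
    """An operation is covered by a permission block when it matches an
    Actions entry and is not carved out by a NotActions entry."""
    return (any(operation_matches(a, operation) for a in actions)
            and not any(operation_matches(n, operation) for n in not_actions))


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class DenyAssignment:
    actions: tuple
    not_actions: tuple = ()
    exclude_principals: tuple = ()  # applies to All principals except these


OWNER_ACTIONS = ("*",)
# Read Only lock mode, as shown on the Denied Permissions page in the tutorial.
READ_ONLY_LOCK = DenyAssignment(actions=("*",), not_actions=("*/read",))
# Do Not Delete lock mode; this pattern is an assumption (see lead-in).
DO_NOT_DELETE_LOCK = DenyAssignment(actions=("*/delete",))


def evaluate(principal: str, operation: str, role_assignments, deny_assignments) -> str:
    """Deny assignments are evaluated first, so a matching deny wins even when
    the principal holds Owner. Returns 'denied', 'allowed' or 'no-permission'."""
    for deny in deny_assignments:
        if principal in deny.exclude_principals:
            continue
        if covered(deny.actions, deny.not_actions, operation):
            return "denied"
    for ra in role_assignments:
        if ra.principal == principal and covered(ra.actions, ra.not_actions, operation):
            return "allowed"
    return "no-permission"


# Real Azure operation strings for the three actions exercised in the tutorial.
DELETE_RG = "Microsoft.Resources/subscriptions/resourceGroups/delete"
READ_STORAGE = "Microsoft.Storage/storageAccounts/read"
WRITE_STORAGE = "Microsoft.Storage/storageAccounts/write"


def tutorial_scenario(lock: DenyAssignment = READ_ONLY_LOCK) -> dict:
    """Constructed scenario: 'admin' holds Owner on TestingBPLocks and
    'bp-identity' stands for the blueprint assignment's managed identity,
    which is assumed to be excluded from the deny assignment so that the
    assignment itself can still manage what it deployed."""
    roles = [RoleAssignment("admin", OWNER_ACTIONS),
             RoleAssignment("bp-identity", OWNER_ACTIONS)]
    denies = [DenyAssignment(lock.actions, lock.not_actions,
                             exclude_principals=("bp-identity",))]
    return {
        "admin_delete_rg": evaluate("admin", DELETE_RG, roles, denies),
        "admin_read_storage": evaluate("admin", READ_STORAGE, roles, denies),
        "admin_write_storage": evaluate("admin", WRITE_STORAGE, roles, denies),
        "identity_delete_rg": evaluate("bp-identity", DELETE_RG, roles, denies),
        # Unassigning the blueprint removes the deny assignment but leaves the
        # resources and the Owner role assignment in place.
        "admin_delete_rg_after_unassign": evaluate("admin", DELETE_RG, roles, []),
    }


if __name__ == "__main__":
    for name, outcome in tutorial_scenario().items():
        print(f"{name}: {outcome}")
```

Running the script prints denied for the Owner's delete and write attempts and allowed for the read, which is the Read Only outcome the portal reported; switching the lock to DO_NOT_DELETE_LOCK changes the write to allowed while the delete stays denied.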
Unassign the blueprint
The last step is to remove the assignment of the blueprint definition. Removing the assignment
doesn't remove the associated artifacts.
Select All services in the left pane. Search for and select Blueprints.
Select the Assigned blueprints page on the left. Use the filters to find the
assignment-locked-storageaccount-TestingBPLocks blueprint assignment, and then select it.
Select Unassign blueprint at the top of the page. Read the warning in the confirmation dialog
box, and then select OK.
When the blueprint assignment is removed, the blueprint locks are also removed. The resources can
once again be deleted by an account with appropriate permissions.
Select Resource groups from the Azure menu, and then select TestingBPLocks.
Select the Access control (IAM) page on the left and then select the Role assignments
tab.
The Role assignments tab for the resource group shows that the blueprint assignment no longer
has Owner access, and the deny assignment that enforced the lock is gone with it.
After the Removing blueprint assignment succeeded portal notification appears, go to the next
step.
Clean up resources
When you're finished with this tutorial, delete these resources:
Resource group TestingBPLocks
Blueprint definition locked-storageaccount
Next steps
In this tutorial, you've learned how to protect new resources deployed with Azure Blueprints. To
learn more about Azure Blueprints, continue to the blueprint lifecycle article.