Protect Azure Quantum resources with Azure Resource Manager (ARM) locks
Microsoft recommends locking all of your Azure Quantum workspaces and linked storage accounts with an Azure Resource Manager (ARM) resource lock to prevent accidental or malicious deletion. For example, professors might want to restrict students from modifying provider SKUs, but still enable them to use notebooks and submit jobs.
There are two types of ARM resource locks:
A CannotDelete lock prevents users from deleting a resource, but permits reading and modifying its configuration.
A ReadOnly lock prevents users from modifying a resource's configuration (including deleting it), but permits reading its configuration.
For more information about resource locks, see Lock resources to prevent unexpected changes.
The following table shows the recommended resource lock configurations to deploy for an Azure Quantum workspace.
| Resource | Lock type | Notes |
| --- | --- | --- |
| Workspace | Delete | Prevents the workspace from being deleted. |
| Workspace | Read-only | Prevents any modifications to the workspace, including additions or deletions of providers, while still allowing users to create and delete notebooks and submit jobs. To modify providers when this lock is set, you need to remove the resource lock, make your changes, then redeploy the lock. |
| Storage account | Delete | Prevents the storage account from being deleted. |
The following configurations should be avoided:
Important
Setting the following ARM locks may cause your workspace to function incorrectly.
| Resource | Lock type | Notes |
| --- | --- | --- |
| Storage account | Read-only | Setting a Read-only resource lock on the storage account can cause failures with workspace creation, the Jupyter Notebooks interface, and submitting and fetching jobs. |
| Parent subscription of the workspace or the parent resource group of the workspace or storage account | Read-only | When a resource lock is applied to a parent resource, all resources under that parent inherit the same lock, including resources created at a later date. For more granular control, resource locks should be applied directly at the resource level. |
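The two tables above can be turned into an automated check. The following Python sketch is an added example, not part of the original article or Microsoft's code: it compares a list of locks against the recommended and avoided configurations. It assumes each lock record has the `id` and `level` fields found in `az lock list --output json` output; the subscription ID, resource names and sample records are constructed.

```python
# Added example: audit ARM locks against the article's recommended/avoided tables.
# Assumption: each record carries the `id` and `level` fields of `az lock list` JSON.
LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"

# Constructed sample data (made-up subscription ID and resource names).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg"
WORKSPACE = RG + "/providers/Microsoft.Quantum/Workspaces/demo-ws"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/demostorage"
SAMPLE_LOCKS = [
    {"id": WORKSPACE + LOCK_SUFFIX + "ws-nodelete", "level": "CanNotDelete"},
    {"id": STORAGE + LOCK_SUFFIX + "sa-readonly", "level": "ReadOnly"},
    {"id": RG + LOCK_SUFFIX + "rg-readonly", "level": "ReadOnly"},
]


def locked_scope(lock_id):
    """Resource ID the lock is attached to, lowercased (ARM IDs are case-insensitive)."""
    lid = lock_id.lower()
    cut = lid.rfind(LOCK_SUFFIX)
    return lid[:cut] if cut != -1 else lid


def covers(scope, resource_id):
    """True if a lock at `scope` applies to the resource, directly or by inheritance."""
    return resource_id == scope or resource_id.startswith(scope + "/")


def audit(locks, workspace_id, storage_id):
    """Return findings for missing delete protection and for lock placements to avoid."""
    ws, sa = workspace_id.lower(), storage_id.lower()
    held = [(locked_scope(l["id"]), l["level"].lower()) for l in locks]
    findings = []
    # Both lock types block deletion, so any covering lock counts as delete protection.
    for rid, label in ((ws, "workspace"), (sa, "storage account")):
        if not any(covers(scope, rid) for scope, _ in held):
            findings.append(f"MISSING: nothing prevents deletion of the {label}")
    for scope, level in held:
        if level != "readonly":
            continue
        if scope == sa:
            findings.append("AVOID: ReadOnly lock set directly on the storage account")
        elif scope != ws and (covers(scope, ws) or covers(scope, sa)):
            findings.append(f"AVOID: ReadOnly lock inherited from parent scope {scope}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCKS, WORKSPACE, STORAGE):
        print(finding)
```
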
Prerequisites
You must be an Owner or User Access Administrator of a resource to apply ARM resource locks. For more information, see Azure built-in roles.
Command-line deployment
You will need either Azure PowerShell or Azure CLI to deploy the lock. If you use Azure CLI, you must have the latest version. For the installation instructions, see:
If you haven't used Azure CLI with Azure Quantum before, follow the steps in the Environment setup section to add the quantum extension and register the Azure Quantum namespace.
Sign in to Azure
After installing either Azure CLI or Azure PowerShell, make sure you sign in for the first time. Choose one of the following tabs and run the corresponding command line commands to sign in to Azure:
If you have multiple Azure subscriptions, select the subscription with the resources that you want to lock. Replace SubscriptionName with your subscription name or subscription ID. For example,
Azure CLI
az account set --subscription "Azure subscription 1"
Azure PowerShell
Connect-AzAccount
If you have multiple Azure subscriptions, select the subscription with the resources that you want to lock. Replace SubscriptionName with your subscription name or subscription ID. For example,
Azure PowerShell
Set-AzContext "Azure subscription 1"
Create an ARM resource lock
When you deploy a resource lock, you specify a name for the lock, the type of lock, and additional information about the resource. This information can be copied and pasted from the resource's home page in the Azure Quantum portal.