Fix Azure Resource Group Lock Errors
When working with Azure resource groups, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with resource locks and shows the exact fix.
A Common Mistake
The mistake is not applying a resource lock to a critical resource group, which allows accidental deletion or modification of production resources.
The incorrect command:
az group create --name rg-prod --location eastus
# No resource lock applied
Result:
Resource group created without locks.
A developer runs:
az group delete --name rg-prod --yes
All production resources are deleted permanently. There is no recovery. Without a CanNotDelete or ReadOnly lock, resources can be modified or deleted by any user with sufficient permissions.
The Correct Approach
The right way to configure a lock on an Azure resource group:
az group create --name rg-prod --location eastus && az lock create --name prevent-deletion --lock-type CanNotDelete --resource-group rg-prod
Successful result:
Resource group created with CanNotDelete lock.
az group delete --name rg-prod --yes
ERROR: The resource group 'rg-prod' is locked and cannot be deleted.
The lock prevents accidental deletion. Locks can be removed by users with the Owner role.
How to Prevent This
Apply a CanNotDelete lock to production resource groups.
Use a ReadOnly lock for critical configuration resources.
Locks apply to all resources within the group.
Locks can be inherited from a subscription or management group.
Document lock status in runbooks.
Audit locks with az lock list.
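The audit step as an added example (not part of the original guide): a POSIX shell function that reads az lock list output as id/level pairs and reports which of the named resource groups have no group-level CanNotDelete or ReadOnly lock. The helper names unlocked_groups, audit_groups and sample_locks are hypothetical, and the subscription ID, the lock names freeze and sa-lock, the storage account and the extra group names are constructed sample values.

```sh
#!/bin/sh
# Added example: list resource groups with no group-level lock.

# stdin: one lock per line, "<lock id><TAB><level>" (the shape produced by
#        az lock list --query "[].[id, level]" -o tsv).
# args:  resource group names to audit.
# Prints every named group without a CanNotDelete or ReadOnly lock.
unlocked_groups() {
  awk -F'\t' -v groups="$*" '
    {
      # Resource IDs are case-insensitive, so compare in lower case.
      n = split(tolower($1), p, "/")
      # Exactly 9 parts means the lock sits on the group itself. A lock on
      # one resource has a longer ID and does not cover the rest of the group.
      if (n == 9 && p[4] == "resourcegroups" &&
          p[7] == "microsoft.authorization" && p[8] == "locks" &&
          ($2 == "CanNotDelete" || $2 == "ReadOnly"))
        locked[p[5]] = 1
    }
    END {
      m = split(groups, g, " ")
      for (i = 1; i <= m; i++)
        if (!(tolower(g[i]) in locked)) print g[i]
    }'
}

# Live run (needs an authenticated az session): audit_groups rg-prod ...
audit_groups() {
  for rg in "$@"; do
    az lock list --resource-group "$rg" --query "[].[id, level]" -o tsv
  done | unlocked_groups "$@"
}

# Constructed sample data: the subscription ID, the locks "freeze" and
# "sa-lock" and the storage account are made up for this example.
sample_locks() {
  sub=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups
  auth=providers/Microsoft.Authorization/locks
  printf '%s\t%s\n' \
    "$sub/rg-prod/$auth/prevent-deletion" CanNotDelete \
    "$sub/RG-PROD-DATA/$auth/freeze" ReadOnly \
    "$sub/rg-prod-web/providers/Microsoft.Storage/storageAccounts/stweb/$auth/sa-lock" CanNotDelete
}

# Offline demo: prints rg-prod-web and rg-prod-batch.
sample_locks | unlocked_groups rg-prod rg-prod-data rg-prod-web rg-prod-batch
```

Run audit_groups on a schedule and treat any printed group name as a finding to add to the runbook.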
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.