Resource Locks
Locks that prevent accidental deletion or modification of critical resources.
Resource locks are an Azure governance feature applied at the subscription, resource group, or individual resource scope to prevent unintended changes or deletions. The two lock types are CanNotDelete, which allows reads and modifications but blocks deletion, and ReadOnly, which restricts a resource to read operations only — preventing both modifications and deletions regardless of a user’s Azure role-based access control (RBAC) permissions. The key exam nuance is that locks supersede RBAC: even an Owner cannot delete a CanNotDelete-locked resource without first removing the lock. Unlike Azure Policy, which governs how resources are created or modified, locks act as a hard stop on actions against existing resources.
PlayPrepHQ study notes are written and reviewed against primary exam sources. How we create & review content →