An Azure service that is used to automate, configure, and install updates across hybrid environments.
The primary goal of a CanNotDelete lock is to prevent accidental or unauthorized deletion of critical resources, even by users with elevated permissions.
- Production databases (Azure SQL, Cosmos DB, PostgreSQL) contain critical business data. A single accidental deletion (e.g., az group delete) can result in irreversible data loss. A resource lock enforces an additional safeguard before deletion.
- Core networking components such as VNets, VPN Gateways, DNS Zones and ExpressRoute circuits are often shared across multiple workloads. Deleting them impacts multiple applications simultaneously. A lock ensures shared infrastructure is not accidentally removed.
- Recovery Services Vaults store Backup data and Restore points. Deleting the vault can lead to permanent loss of recovery capability. A lock ensures business continuity and disaster recovery posture.
- Critical services such as Azure Key Vault, Container Registry and Service Bus are dependencies for automation pipelines. Their deletion breaks deployment pipelines and platform operations. Locks ensure these foundational components remain stable.
- Industries under HIPAA, PCI-DSS, SOC2, or GDPR have legal data retention requirements. A CanNotDelete lock technically enforces what policy mandates; auditors love seeing it in place.
When someone does need to delete a locked resource, they must first manually remove the lock — and that action is recorded in the Azure Activity Log. This gives you a full audit trail of who unlocked what and when, which is invaluable for security and compliance reviews.
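The audit trail described above is only useful if someone looks at it. The following added example (not part of the original answer) shows what that review can look like: it walks Activity Log records, lists every successful lock deletion with the caller and the scope the lock protected, and flags cases where a resource inside that scope was deleted shortly after the unlock. The field names follow the Activity Log schema (`operationName`, `caller`, `eventTimestamp`, `resourceId`, `status`), but the records, principals and subscription id are constructed placeholders, and the 60-minute window is an assumed tuning value.

```python
from datetime import datetime, timedelta, timezone

LOCK_DELETE_OP = "Microsoft.Authorization/locks/delete"
LOCK_SEGMENT = "/providers/Microsoft.Authorization/locks/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# Constructed sample records (not real tenant data). Field names follow the
# Activity Log schema; callers, timestamps and resource names are invented.
SAMPLE_EVENTS = [
    {"operationName": LOCK_DELETE_OP, "caller": "ops.admin@contoso.example",
     "eventTimestamp": "2024-05-01T10:00:00Z", "status": "Succeeded",
     "resourceId": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod{LOCK_SEGMENT}do-not-delete"},
    {"operationName": "Microsoft.Sql/servers/delete", "caller": "ops.admin@contoso.example",
     "eventTimestamp": "2024-05-01T10:07:00Z", "status": "Succeeded",
     "resourceId": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod"},
    # a delete that the lock blocked: status Failed, so it is not a successful deletion
    {"operationName": "Microsoft.Sql/servers/delete", "caller": "dev.user@contoso.example",
     "eventTimestamp": "2024-05-01T09:00:00Z", "status": "Failed",
     "resourceId": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod"},
    # resource-group scoped lock removed, then re-created half an hour later
    {"operationName": LOCK_DELETE_OP, "caller": "net.admin@contoso.example",
     "eventTimestamp": "2024-05-01T11:00:00Z", "status": "Succeeded",
     "resourceId": f"{SUB}/resourceGroups/rg-network{LOCK_SEGMENT}rg-lock"},
    {"operationName": "Microsoft.Authorization/locks/write", "caller": "net.admin@contoso.example",
     "eventTimestamp": "2024-05-01T11:30:00Z", "status": "Succeeded",
     "resourceId": f"{SUB}/resourceGroups/rg-network{LOCK_SEGMENT}rg-lock"},
    # deletion inside rg-network four hours after the unlock
    {"operationName": "Microsoft.Storage/storageAccounts/delete", "caller": "net.admin@contoso.example",
     "eventTimestamp": "2024-05-01T15:00:00Z", "status": "Succeeded",
     "resourceId": f"{SUB}/resourceGroups/rg-network/providers/Microsoft.Storage/storageAccounts/stnetlogs"},
]


def _ts(value):
    """Parse the UTC timestamp format used in Activity Log exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lock_removals(events):
    """Return successful lock deletions as caller, time and the scope the lock protected."""
    out = []
    for e in events:
        if e["operationName"] == LOCK_DELETE_OP and e["status"] == "Succeeded":
            # the lock's resourceId is "<protected scope>/providers/Microsoft.Authorization/locks/<name>"
            scope = e["resourceId"].split(LOCK_SEGMENT, 1)[0]
            out.append({"caller": e["caller"], "when": _ts(e["eventTimestamp"]), "scope": scope})
    return sorted(out, key=lambda r: r["when"])


def _in_scope(resource_id, scope):
    # exact match, or a child resource under the scope (avoids matching rg-network2 for rg-network)
    return resource_id == scope or resource_id.startswith(scope + "/")


def unlock_then_delete(events, window_minutes=60):
    """Pair each lock removal with successful deletes in the formerly locked scope within the window."""
    window = timedelta(minutes=window_minutes)
    deletes = [e for e in events
               if e["operationName"].endswith("/delete")
               and e["operationName"] != LOCK_DELETE_OP
               and e["status"] == "Succeeded"]
    findings = []
    for r in lock_removals(events):
        for d in deletes:
            t = _ts(d["eventTimestamp"])
            if _in_scope(d["resourceId"], r["scope"]) and r["when"] <= t <= r["when"] + window:
                findings.append({
                    "unlocked_by": r["caller"], "deleted_by": d["caller"],
                    "resource": d["resourceId"],
                    "minutes_after_unlock": (t - r["when"]).total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for r in lock_removals(SAMPLE_EVENTS):
        print(f"{r['when']:%Y-%m-%d %H:%M} lock removed by {r['caller']} on {r['scope']}")
    for f in unlock_then_delete(SAMPLE_EVENTS):
        print(f"unlock-then-delete: {f['resource']} deleted {f['minutes_after_unlock']:.0f} min after unlock")
```

In a real tenant the records would come from an Activity Log export or a Log Analytics query rather than an inline list; the pairing logic is the part worth keeping, since a lock removal followed quickly by a delete in the same scope is exactly the sequence a change-control review should see a ticket for. The failed delete in the sample is what a blocked attempt looks like and is deliberately not counted.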
Beyond just preventing deletion, here are the ways Azure lets you control what users can do with a Resource Group or Storage Account, restricting access, modification, and deletion:
- Resource Locks (ReadOnly / CanNotDelete): ReadOnly is the simplest upgrade from CanNotDelete. Nobody can change or delete anything. Freeze infrastructure during an audit window so auditors see a stable, unchanged environment.
- RBAC (role-based permissions): Assign built-in roles or create custom roles to surgically control permissions.
- Azure Policy (governance enforcement): Prevents users from creating or modifying resources in a way that violates your rules. Even if a user has Contributor access, they cannot misconfigure a storage account to expose data publicly.
- Network-level restrictions: Lock down the storage account so only trusted networks or IPs can reach it. Even if someone has the storage key, they cannot access data from outside your corporate network or VNet.
- Authentication model hardening (disable shared keys): Removes the ability to access storage via keys or SAS tokens and forces proper identity-based access.
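The last three controls above (policy, network restriction, shared-key disablement) all come down to a handful of storage account properties. The following added example (not part of the original answer) checks an exported storage account definition against those settings, the way an Azure Policy audit rule or a pre-deployment gate would, and shows the weak configuration beside the hardened one. The property names (`allowSharedKeyAccess`, `allowBlobPublicAccess`, `publicNetworkAccess`, `networkAcls.defaultAction`, `minimumTlsVersion`, `supportsHttpsTrafficOnly`) are the real ARM properties of `Microsoft.Storage/storageAccounts`; the two account documents and their names are constructed samples.

```python
# Constructed sample: a storage account with every control left at its permissive value.
WEAK_ACCOUNT = {
    "name": "stweaksample",
    "properties": {
        "allowSharedKeyAccess": True,
        "allowBlobPublicAccess": True,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
        "minimumTlsVersion": "TLS1_0",
        "supportsHttpsTrafficOnly": False,
    },
}

# Constructed sample: the same account after hardening. Only the named VNet subnet
# reaches it, shared keys and SAS are off, and only identity-based access remains.
HARDENED_ACCOUNT = {
    "name": "sthardenedsample",
    "properties": {
        "allowSharedKeyAccess": False,
        "allowBlobPublicAccess": False,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "defaultAction": "Deny",
            "ipRules": [],
            "virtualNetworkRules": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                            "/resourceGroups/rg-network/providers/Microsoft.Network"
                                            "/virtualNetworks/vnet-corp/subnets/snet-app"}],  # placeholder ids
        },
        "minimumTlsVersion": "TLS1_2",
        "supportsHttpsTrafficOnly": True,
    },
}


def _network_locked_down(p):
    """Either the public endpoint is off, or it is on with a default Deny and an explicit allow list."""
    if p.get("publicNetworkAccess") == "Disabled":
        return True
    acls = p.get("networkAcls", {})
    has_rules = bool(acls.get("ipRules")) or bool(acls.get("virtualNetworkRules"))
    return acls.get("defaultAction") == "Deny" and has_rules


# Each check: (id, predicate over the properties dict, message shown when the predicate fails).
# Absent properties fall back to Azure's permissive defaults, so a missing key is a failure.
CHECKS = [
    ("shared-key-disabled", lambda p: p.get("allowSharedKeyAccess") is False,
     "allowSharedKeyAccess is not false: account keys and SAS tokens still work"),
    ("no-anonymous-blob", lambda p: p.get("allowBlobPublicAccess") is False,
     "allowBlobPublicAccess is not false: containers can be made anonymously readable"),
    ("network-restricted", _network_locked_down,
     "network rules do not deny by default: reachable from any network"),
    ("tls12-minimum", lambda p: p.get("minimumTlsVersion") == "TLS1_2",
     "minimumTlsVersion is below TLS1_2"),
    ("https-only", lambda p: p.get("supportsHttpsTrafficOnly") is True,
     "supportsHttpsTrafficOnly is not true: plaintext HTTP accepted"),
]


def evaluate(account):
    """Return the list of (check id, message) pairs the account fails; empty means compliant."""
    props = account.get("properties", {})
    return [(cid, msg) for cid, pred, msg in CHECKS if not pred(props)]


def is_compliant(account):
    """Deny-style decision: True only when every check passes."""
    return not evaluate(account)


if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        findings = evaluate(acct)
        print(f"{acct['name']}: {'compliant' if not findings else str(len(findings)) + ' finding(s)'}")
        for cid, msg in findings:
            print(f"  [{cid}] {msg}")
```

The checks treat a missing property as a failure on purpose: several of these settings default to the permissive value when omitted from a template, so "not present" is not the same as "hardened". In practice the same rules are expressed as Azure Policy definitions with a Deny effect; a local check like this is useful for catching the drift before the deployment ever reaches the policy engine.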
To implement these, you can refer to the reference documents below:
- Azure Resource Locks: Lock resources to prevent changes
- Azure RBAC (Role-Based Access Control): Built-in Roles Reference and Create Custom Roles
- Azure Policy: Policy Definition Structure and Built-in Policy Definitions
- Azure Storage Account Security: Storage Account Security Guide, Configure Network Rules and Disable Shared Key Access