Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service that provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message. Digital signatures (combined with other measures) can offer non-repudiation when it comes to online transactions, where it is crucial to ensure that a party to a contract or a communication can't deny the authenticity of their signature on a document or sending the communication in the first place. In this context, non-repudiation refers to the ability to ensure that a party to a contract or a communication must accept the authenticity of their signature on a document or the sending of a message.
Lock your resources to protect your infrastructure
As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly.
Unlike role-based access control (RBAC), you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure RBAC.

Lock inheritance

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the same parent lock. The most restrictive lock in the inheritance takes precedence.

Extension resources inherit locks from the resource they're applied to. For example, Microsoft.Insights/diagnosticSettings is an extension resource type. If you apply a diagnostic setting to a storage blob, and lock the storage account, you're unable to delete the diagnostic setting. This inheritance makes sense because the full resource ID of the diagnostic setting is:
Which matches the scope of the resource ID of the resource that is locked:
If you have a Delete lock on a resource and attempt to delete its resource group, the feature blocks the whole delete operation. Even if the resource group or other resources in the resource group are unlocked, the deletion doesn't happen. You never have a partial deletion.

When you cancel an Azure subscription:
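The inheritance rules in this section can be checked mechanically. The following is an added example, not code from the original article: it derives each lock's scope from the lock's resource ID and returns the most restrictive level a given resource inherits. The subscription ID, resource names and lock list are constructed sample data, and the function names are hypothetical.

```python
# Added illustration: effective management lock inherited by a resource ID.
# Every ID, name and lock below is constructed sample data.

LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
# ReadOnly blocks modification and deletion, so it outranks CanNotDelete.
RANK = {"CanNotDelete": 1, "ReadOnly": 2}


def lock_scope(lock_id: str) -> str:
    """Return the scope a lock applies to: its ID minus the locks suffix."""
    idx = lock_id.lower().rfind(LOCK_SUFFIX)
    if idx < 0:
        raise ValueError(f"not a management lock ID: {lock_id}")
    return lock_id[:idx]


def in_scope(resource_id: str, scope: str) -> bool:
    """True if resource_id is the scope itself or sits beneath it.

    IDs are compared case-insensitively and on '/' boundaries, so a lock
    on resource group 'rg' does not appear to cover resource group 'rg2'.
    """
    rid, sc = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    return rid == sc or rid.startswith(sc + "/")


def effective_lock(resource_id: str, locks: list) -> "str | None":
    """Most restrictive lock level inherited by resource_id, or None."""
    levels = [lock["level"] for lock in locks
              if in_scope(resource_id, lock_scope(lock["id"]))]
    return max(levels, key=RANK.__getitem__, default=None)


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE = (f"{SUB}/resourceGroups/rg/providers/Microsoft.Storage"
           "/storageAccounts/examplestore")
LOCKS = [  # shape of `az lock list` output, reduced to the fields used here
    {"id": f"{SUB}/resourceGroups/rg/providers/Microsoft.Authorization/locks/rgLock",
     "level": "CanNotDelete"},
    {"id": f"{STORAGE}/providers/Microsoft.Authorization/locks/storeLock",
     "level": "ReadOnly"},
]
# Extension resource (diagnostic setting) attached under the storage account.
DIAG = (f"{STORAGE}/blobServices/default/providers/Microsoft.Insights"
        "/diagnosticSettings/exampleDiag")
```

Running `effective_lock(DIAG, LOCKS)` returns `ReadOnly`: the diagnostic setting's ID begins with the locked storage account's ID, so it inherits that lock as well as the resource group's.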
Understand scope of locks

Note

Locks only apply to control plane Azure operations and not to data plane operations.

Azure control plane operations go to

The distinction means locks protect a resource from changes, but they don't restrict how a resource performs its functions. A ReadOnly lock, for example, on an SQL Database logical server, protects it from deletions or modifications. It allows you to create, update, or delete data in the server database. Data plane operations allow data transactions. These requests don't go to

Considerations before applying your locks

Applying locks can lead to unexpected results. Some operations, which don't seem to modify a resource, require blocked actions. Locks prevent the POST method from sending data to the Azure Resource Manager (ARM) API. Some common examples of blocked operations are:
Who can create or delete locks

To create or delete management locks, you need access to
Managed applications and locks

Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case, the service creates two resource groups. One is an unlocked resource group that contains a service overview. The other is a locked resource group that contains the service infrastructure.

If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked. If you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be deleted because a system application owns it. Instead, delete the service, which also deletes the infrastructure resource group.

For managed applications, choose the service you deployed. Notice the service includes a link for a Managed Resource Group. That resource group holds the infrastructure and is locked. You can only delete it indirectly. To delete everything for the service, including the locked infrastructure resource group, choose Delete for the service.

Configure locks

Portal

In the left navigation panel, the subscription lock feature's name is Resource locks, while the resource group lock feature's name is Locks.
Template

When using an ARM template or Bicep file to deploy a lock, it's good to understand how the deployment scope and the lock scope work together. To apply a lock at the deployment scope, such as locking a resource group or a subscription, leave the scope property unset. When locking a resource, within the deployment scope, set the scope property on the lock.

The following template applies a lock to the resource group it's deployed to. Notice there isn't a scope property on the lock resource because the lock scope matches the deployment scope. Deploy this template at the resource group level.
To create a resource group and lock it, deploy the following template at the subscription level.
The main Bicep file creates a resource group and uses a module to create the lock.
The module uses a Bicep file named lockRg.bicep that adds the resource group lock.
When applying a lock to a resource within the resource group, add the scope property. Set the scope to the name of the resource to lock. The following example shows a template that creates an app service plan, a website, and a lock on the website. The lock's scope is set to the website.
Azure PowerShell

You lock deployed resources with Azure PowerShell by using the New-AzResourceLock command. To lock a resource, provide the name of the resource, its resource type, and its resource group name.
To lock a resource group, provide the name of the resource group.
To get information about a lock, use Get-AzResourceLock. To get all the locks in your subscription, use:
To get all locks for a resource, use:
To get all locks for a resource group, use:
To delete a lock for a resource, use:
To delete a lock for a resource group, use:
Azure CLI

You lock deployed resources with Azure CLI by using the az lock create command. To lock a resource, provide the name of the resource, its resource type, and its resource group name.
To lock a resource group, provide the name of the resource group.
To get information about a lock, use az lock list. To get all the locks in your subscription, use:
To get all locks for a resource, use:
To get all locks for a resource group, use:
To delete a lock for a resource, use:
To delete a lock for a resource group, use:
REST API

You can lock deployed resources with the REST API for management locks. The REST API lets you create and delete locks and retrieve information about existing locks. To create a lock, run:
The scope could be a subscription, resource group, or resource. The lock name can be whatever you want to call it. For the API version, use 2016-09-01. In the request, include a JSON object that specifies the lock properties.
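As an added example (not part of the original article), the following builds the create-lock request for any of the three scope kinds without sending it. It assumes the public Azure Resource Manager endpoint `https://management.azure.com`, the `properties.level` and `properties.notes` body fields of the management locks REST API, and resources that live in a resource group; the function names and sample values are constructed.

```python
import json
import re
from urllib.parse import quote

API_VERSION = "2016-09-01"             # version named in the article
ARM = "https://management.azure.com"   # assumption: public Azure endpoint
LEVELS = ("CanNotDelete", "ReadOnly")  # command-line lock names from the article

SUB_RE = r"/subscriptions/[^/]+"
RG_RE = SUB_RE + r"/resourceGroups/[^/]+"
SCOPE_KINDS = [  # the three scopes the article lists
    ("subscription", re.compile(SUB_RE, re.I)),
    ("resource group", re.compile(RG_RE, re.I)),
    ("resource", re.compile(RG_RE + r"/providers/[^/]+(/[^/]+/[^/]+)+", re.I)),
]


def scope_kind(scope: str) -> str:
    """Classify a scope string; reject strings matching none of the forms."""
    for kind, pattern in SCOPE_KINDS:
        if pattern.fullmatch(scope):
            return kind
    raise ValueError(f"unsupported lock scope: {scope!r}")


def lock_request(scope: str, name: str, level: str, notes: str = ""):
    """Return (method, url, body) for creating a lock; nothing is sent."""
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    scope_kind(scope)  # raises ValueError on a malformed scope
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/locks/"
           f"{quote(name, safe='')}?api-version={API_VERSION}")
    body = json.dumps({"properties": {"level": level, "notes": notes}})
    return "PUT", url, body
```

Validating the scope before building the URL catches a truncated or mistyped resource ID, which would otherwise place the lock at a broader or different scope than intended.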