Microsoft.Authorization locks
Bicep resource definition
The locks resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands
- Management groups - See management group deployment commands
- Subscription - See subscription deployment commands
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/locks resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Authorization/locks@2020-05-01' = {
  scope: resourceSymbolicName or scope
  name: 'string'
  properties: {
    level: 'string'
    notes: 'string'
    owners: [
      {
        applicationId: 'string'
      }
    ]
  }
}
Property Values
Microsoft.Authorization/locks
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| properties | The properties of the lock. | ManagementLockProperties (required) |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
ManagementLockOwner
| Name | Description | Value |
|---|---|---|
| applicationId | The application ID of the lock owner. | string |
ManagementLockProperties
| Name | Description | Value |
|---|---|---|
| level | The level of the lock. Possible values are: NotSpecified, CanNotDelete, ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. | 'CanNotDelete' 'NotSpecified' 'ReadOnly' (required) |
| notes | Notes about the lock. Maximum of 512 characters. | string |
| owners | The owners of the lock. | ManagementLockOwner[] |
Usage Examples
Bicep Samples
A basic example of deploying Management Lock which is scoped to a Subscription, Resource Group or Resource.
param resourceName string = 'acctest0001'
param location string = 'westeurope'

resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
  name: resourceName
  location: location
  sku: {
    name: 'Basic'
    tier: 'Regional'
  }
  properties: {
    ddosSettings: {
      protectionMode: 'VirtualNetworkInherited'
    }
    idleTimeoutInMinutes: 30
    publicIPAddressVersion: 'IPv4'
    publicIPAllocationMethod: 'Static'
  }
}

resource lock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: resourceName
  scope: publicIPAddress
  properties: {
    level: 'CanNotDelete'
    notes: ''
  }
}
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Application Gateway with WAF and firewall policy | This template creates an Application Gateway with WAF configured along with a firewall policy |
| Azure Container Registry with Policies and Diagnostics | Azure Container Registry with Policies and Diagnostics (bicep) |
| Azure Data Factory with Git and managed vnet configuration | This template creates Azure Data Factory with Git configuration and managed virtual network. |
| Azure Game Developer Virtual Machine | Azure Game Developer Virtual Machine includes Licensed Engines like Unreal. |
| Create a Network Watcher | This template creates a Network Watcher resource. |
| Create a resourceGroup, apply a lock and RBAC | This template is a subscription level template that will create a resourceGroup, apply a lock to the resourceGroup and assign contributor permissions to the supplied principalId. Currently, this template cannot be deployed via the Azure Portal. |
| Create Key Vault with logging enabled | This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
| Create Recovery Services Vault with backup policies | This template creates a Recovery Services Vault with backup policies and configures optional features such as system identity, backup storage type, cross region restore and diagnostics logs and a delete lock. |
| Log Analytics workspace with solutions and data sources | Deploys a Log Analytics workspace with specified solutions and data sources |
| Network Security Group with diagnostic logs | This template creates a Network Security Group with diagnostic logs and a resource lock |
| Route table with routes | This template creates a Route Table with routes |
| Virtual Network with diagnostic logs | This template creates a Virtual Network with diagnostic logs and allows optional features to be added to each subnet |
ARM template resource definition
The locks resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands
- Management groups - See management group deployment commands
- Subscription - See subscription deployment commands
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/locks resource, add the following JSON to your template.
{
  "type": "Microsoft.Authorization/locks",
  "apiVersion": "2020-05-01",
  "name": "string",
  "properties": {
    "level": "string",
    "notes": "string",
    "owners": [
      {
        "applicationId": "string"
      }
    ]
  }
}
Property Values
Microsoft.Authorization/locks
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2020-05-01' |
| name | The resource name | string (required) |
| properties | The properties of the lock. | ManagementLockProperties (required) |
| type | The resource type | 'Microsoft.Authorization/locks' |
ManagementLockOwner
| Name | Description | Value |
|---|---|---|
| applicationId | The application ID of the lock owner. | string |
ManagementLockProperties
| Name | Description | Value |
|---|---|---|
| level | The level of the lock. Possible values are: NotSpecified, CanNotDelete, ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. | 'CanNotDelete' 'NotSpecified' 'ReadOnly' (required) |
| notes | Notes about the lock. Maximum of 512 characters. | string |
| owners | The owners of the lock. | ManagementLockOwner[] |
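The constraints in the tables above (a required `level` with three allowed values, `notes` capped at 512 characters) can be checked on an ARM template before it is deployed. The following Python check is an added example, not part of the original documentation; the function names, the sample template, the array-style `resources` layout and the policy of warning on `NotSpecified` or empty `notes` are assumptions of this example.

```python
LOCK_TYPE = "microsoft.authorization/locks"
ALLOWED_LEVELS = {"CanNotDelete", "NotSpecified", "ReadOnly"}  # values from the table
MAX_NOTES = 512  # "Maximum of 512 characters"

def is_expression(value):
    """ARM template expressions are strings wrapped in [...]; '[[' is an escaped literal."""
    return isinstance(value, str) and value.startswith("[") and not value.startswith("[[")

def iter_resources(resources):
    """Yield every resource, descending into nested child 'resources' arrays."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))

def lint_locks(template):
    """Return (severity, lock name, message) tuples for the template's lock resources."""
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != LOCK_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        level, notes = props.get("level"), props.get("notes") or ""
        if is_expression(level):
            pass  # resolved at deployment time; cannot be checked statically
        elif not isinstance(level, str) or level not in ALLOWED_LEVELS:
            findings.append(("error", name, f"invalid or missing level: {level!r}"))
        elif level == "NotSpecified":  # assumption: this example's policy flags it
            findings.append(("warning", name, "level is NotSpecified"))
        if is_expression(notes):
            continue
        if len(notes) > MAX_NOTES:
            findings.append(("error", name, f"notes has {len(notes)} characters"))
        elif not notes.strip():  # assumption: this example's policy wants a reason
            findings.append(("warning", name, "notes is empty"))
    return findings

# Constructed sample template (array-style "resources"), not taken from the page.
SAMPLE = {"resources": [
    {"type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "name": "ok",
     "properties": {"level": "CanNotDelete", "notes": "Protects the production IP"}},
    {"type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "name": "bad",
     "properties": {"level": "NoDelete", "notes": ""}},
    {"type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", "name": "param",
     "properties": {"level": "[parameters('lockLevel')]", "notes": "x" * 513}},
]}

if __name__ == "__main__":
    for severity, name, message in lint_locks(SAMPLE):
        print(f"{severity}: {name}: {message}")
```

Values supplied through template expressions such as `[parameters('lockLevel')]` are skipped, so the parameter's own allowed values still need review.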
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Application Gateway with WAF and firewall policy | This template creates an Application Gateway with WAF configured along with a firewall policy |
| Azure Container Registry with Policies and Diagnostics | Azure Container Registry with Policies and Diagnostics (bicep) |
| Azure Data Factory with Git and managed vnet configuration | This template creates Azure Data Factory with Git configuration and managed virtual network. |
| Azure Game Developer Virtual Machine | Azure Game Developer Virtual Machine includes Licensed Engines like Unreal. |
| Create a Network Watcher | This template creates a Network Watcher resource. |
| Create a resourceGroup, apply a lock and RBAC | This template is a subscription level template that will create a resourceGroup, apply a lock to the resourceGroup and assign contributor permissions to the supplied principalId. Currently, this template cannot be deployed via the Azure Portal. |
| Create Key Vault with logging enabled | This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
| Create Recovery Services Vault with backup policies | This template creates a Recovery Services Vault with backup policies and configures optional features such as system identity, backup storage type, cross region restore and diagnostics logs and a delete lock. |
| Log Analytics workspace with solutions and data sources | Deploys a Log Analytics workspace with specified solutions and data sources |
| Network Security Group with diagnostic logs | This template creates a Network Security Group with diagnostic logs and a resource lock |
| Route table with routes | This template creates a Route Table with routes |
| Virtual Network with diagnostic logs | This template creates a Virtual Network with diagnostic logs and allows optional features to be added to each subnet |
Terraform (AzAPI provider) resource definition
The locks resource type can be deployed with operations that target:
- Tenant
- Management groups
- Subscription
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/locks resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Authorization/locks@2020-05-01"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      level = "string"
      notes = "string"
      owners = [
        {
          applicationId = "string"
        }
      ]
    }
  }
}
Property Values
Microsoft.Authorization/locks
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | The properties of the lock. | ManagementLockProperties (required) |
| type | The resource type | "Microsoft.Authorization/locks@2020-05-01" |
ManagementLockOwner
| Name | Description | Value |
|---|---|---|
| applicationId | The application ID of the lock owner. | string |
ManagementLockProperties
| Name | Description | Value |
|---|---|---|
| level | The level of the lock. Possible values are: NotSpecified, CanNotDelete, ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. | 'CanNotDelete' 'NotSpecified' 'ReadOnly' (required) |
| notes | Notes about the lock. Maximum of 512 characters. | string |
| owners | The owners of the lock. | ManagementLockOwner[] |
Usage Examples
Terraform Samples
A basic example of deploying Management Lock which is scoped to a Subscription, Resource Group or Resource.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "publicIPAddress" {
  type      = "Microsoft.Network/publicIPAddresses@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      ddosSettings = {
        protectionMode = "VirtualNetworkInherited"
      }
      idleTimeoutInMinutes     = 30
      publicIPAddressVersion   = "IPv4"
      publicIPAllocationMethod = "Static"
    }
    sku = {
      name = "Basic"
      tier = "Regional"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "lock" {
  type      = "Microsoft.Authorization/locks@2020-05-01"
  parent_id = azapi_resource.publicIPAddress.id
  name      = var.resource_name
  body = {
    properties = {
      level = "CanNotDelete"
      notes = ""
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
