azureazure-resource-lock

Can an owner remove a read-only or non-delete lock in Azure?


I have a doubt about Azure Resource Blocks. By adding a read-only or non-delete lock to a resource, when you hit delete it can not be deleted. So my question is, that lock can be removed by an owner? Is it possible to make it impossible to remove the lock even for the owner?


Solution

  • Who can create or delete locks

    To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

    Source: Lock resources to prevent unexpected changes - Who can create or delete locks.

    In short: the answer is no.
    Furthermore, owner is the most privileged role in Azure, since it

    Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

    Source: Azure built-in roles - All.

    If you're working according to the Principal of Least Privilege, you should limit the amount of owners of your Azure subscription.

    The Owner role grant full access to manage all resources, including the ability to assign roles in Azure RBAC. You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner.