I would like to place a delete lock on an Azure resource group so that the resource group itself can't be deleted -- but there should not be restriction on deletion of any resources residing in the group. The problem is that if I place such a delete lock on the resource group , all the resources within that resource group inherit the lock and then they can't be deleted. Is there a workaround ?
So I had this exact problem, I had users using resource groups and did not want them to be able to delete the actual resource group but still be able to delete the resources inside,
I fixed this by using custom roles, I created a custom role and cloned the contributor role and added a deny assignment to the role
Microsoft.Resources/subscriptions/resourceGroups/delete
I found the reference in additional resource provider operations. This will allow the user to still attempt to delete the group, however they will get an error if they try to. You can also find much more role based access control resources there as well. I hope this helped!