Microsoft.Authorization locks

Bicep resource definition

The locks resource type is an extension resource, which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.

The locks resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/locks resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'string'
  scope: resourceSymbolicName
  properties: {
    level: 'string'
    notes: 'string'
    owners: [
      {
        applicationId: 'string'
      }
    ]
  }
}

Property values

locks

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name | string (required). Character limit: 1-90. Valid characters: alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period. |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource. For Bicep, set this property to the symbolic name of the resource to apply the extension resource. |
| properties | The properties of the lock. | ManagementLockProperties (required) |

ManagementLockProperties

| Name | Description | Value |
| --- | --- | --- |
| level | The level of the lock. Possible values are: NotSpecified, CanNotDelete, ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. | 'CanNotDelete', 'NotSpecified', 'ReadOnly' (required) |
| notes | Notes about the lock. Maximum of 512 characters. | string |
| owners | The owners of the lock. | ManagementLockOwner[] |

ManagementLockOwner

| Name | Description | Value |
| --- | --- | --- |
| applicationId | The application ID of the lock owner. | string |
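
The following Bicep is an added example, not part of the original reference or of any quickstart template. It applies a lock to an existing Key Vault through the scope property and constrains the inputs to the limits listed in the tables above; the vault, the parameter and lock names, and the Key Vault API version are assumptions.

```bicep
// Added example: names and defaults are hypothetical placeholders.

@description('Name of an already-deployed Key Vault in this resource group (assumed).')
param keyVaultName string

@description('Lock level. NotSpecified is left out so every deployment states an explicit level.')
@allowed([
  'CanNotDelete'
  'ReadOnly'
])
param lockLevel string = 'CanNotDelete'

@description('Reason for the lock; the notes property accepts at most 512 characters.')
@maxLength(512)
param lockNotes string = 'Production vault. Remove this lock only through an approved change.'

// Lock names are limited to 1-90 characters and can't end in a period.
var lockName = take('${keyVaultName}-lock', 90)

// 'existing' references the vault without redeploying or changing it.
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

// scope takes the symbolic name of the target, so this lock covers only the vault.
resource vaultLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: lockName
  scope: keyVault
  properties: {
    level: lockLevel
    notes: lockNotes
  }
}

// Without scope, the lock lands on the deployment scope (the resource group here).
resource groupLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'rg-nodelete'
  properties: {
    level: 'CanNotDelete'
    notes: 'Blocks deletion of the resource group and the resources in it.'
  }
}

output vaultLockId string = vaultLock.id
```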

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Azure Container Registry with Policies and Diagnostics | Azure Container Registry with Policies and Diagnostics (bicep) |
| Azure Data Factory with Git and managed vnet configuration | This template creates Azure Data Factory with Git configuration and managed virtual network. |
| Log Analytics workspace with solutions and data sources | Deploys a Log Analytics workspace with specified solutions and data sources |
| Create Key Vault with logging enabled | This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
| Application Gateway with WAF and firewall policy | This template creates an Application Gateway with WAF configured along with a firewall policy |
| Create a Network Watcher | This template creates a Network Watcher resource. |
| Network Security Group with diagnostic logs | This template creates a Network Security Group with diagnostic logs and a resource lock |
| Route table with routes | This template creates a Route Table with routes |
| Virtual Network with diagnostic logs | This template creates a Virtual Network with diagnostic logs and allows optional features to be added to each subnet |
| Create Recovery Services Vault with backup policies | This template creates a Recovery Services Vault with backup policies and configures optional features such as system identity, backup storage type, cross region restore and diagnostics logs and a delete lock. |
| Create a resourceGroup, apply a lock and RBAC | This template is a subscription level template that will create a resourceGroup, apply a lock to the resourceGroup and assign contributor permissions to the supplied principalId. Currently, this template cannot be deployed via the Azure Portal. |

ARM template resource definition

The locks resource type is an extension resource, which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.

The locks resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/locks resource, add the following JSON to your template.

{
  "type": "Microsoft.Authorization/locks",
  "apiVersion": "2020-05-01",
  "name": "string",
  "scope": "string",
  "properties": {
    "level": "string",
    "notes": "string",
    "owners": [
      {
        "applicationId": "string"
      }
    ]
  }
}

Property values

locks

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | 'Microsoft.Authorization/locks' |
| apiVersion | The resource api version | '2020-05-01' |
| name | The resource name | string (required). Character limit: 1-90. Valid characters: alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period. |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource. For JSON, set the value to the full name of the resource to apply the extension resource to. |
| properties | The properties of the lock. | ManagementLockProperties (required) |

ManagementLockProperties

| Name | Description | Value |
| --- | --- | --- |
| level | The level of the lock. Possible values are: NotSpecified, CanNotDelete, ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. | 'CanNotDelete', 'NotSpecified', 'ReadOnly' (required) |
| notes | Notes about the lock. Maximum of 512 characters. | string |
| owners | The owners of the lock. | ManagementLockOwner[] |

ManagementLockOwner

| Name | Description | Value |
| --- | --- | --- |
| applicationId | The application ID of the lock owner. | string |

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Azure Container Registry with Policies and Diagnostics | Azure Container Registry with Policies and Diagnostics (bicep) |
| Azure Data Factory with Git and managed vnet configuration | This template creates Azure Data Factory with Git configuration and managed virtual network. |
| Log Analytics workspace with solutions and data sources | Deploys a Log Analytics workspace with specified solutions and data sources |
| Create Key Vault with logging enabled | This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
| Application Gateway with WAF and firewall policy | This template creates an Application Gateway with WAF configured along with a firewall policy |
| Create a Network Watcher | This template creates a Network Watcher resource. |
| Network Security Group with diagnostic logs | This template creates a Network Security Group with diagnostic logs and a resource lock |
| Route table with routes | This template creates a Route Table with routes |
| Virtual Network with diagnostic logs | This template creates a Virtual Network with diagnostic logs and allows optional features to be added to each subnet |
| Create Recovery Services Vault with backup policies | This template creates a Recovery Services Vault with backup policies and configures optional features such as system identity, backup storage type, cross region restore and diagnostics logs and a delete lock. |
| Create a resourceGroup, apply a lock and RBAC | This template is a subscription level template that will create a resourceGroup, apply a lock to the resourceGroup and assign contributor permissions to the supplied principalId. Currently, this template cannot be deployed via the Azure Portal. |

Terraform (AzAPI provider) resource definition

The locks resource type is an extension resource, which means you can apply it to another resource.

Use the parent_id property on this resource to set the scope for this resource.

The locks resource type can be deployed with operations that target:

  • Resource groups
  • Subscriptions

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/locks resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Authorization/locks@2020-05-01"
  name = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      level = "string"
      notes = "string"
      owners = [
        {
          applicationId = "string"
        }
      ]
    }
  })
}

Property values

locks

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | "Microsoft.Authorization/locks@2020-05-01" |
| name | The resource name | string (required). Character limit: 1-90. Valid characters: alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period. |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | The properties of the lock. | ManagementLockProperties (required) |

ManagementLockProperties

| Name | Description | Value |
| --- | --- | --- |
| level | The level of the lock. Possible values are: NotSpecified, CanNotDelete, ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. | "CanNotDelete", "NotSpecified", "ReadOnly" (required) |
| notes | Notes about the lock. Maximum of 512 characters. | string |
| owners | The owners of the lock. | ManagementLockOwner[] |

ManagementLockOwner

| Name | Description | Value |
| --- | --- | --- |
| applicationId | The application ID of the lock owner. | string |