Module 2
Azure Locks
Azure Free Training
Azure Governance Model
By Hicham KADIRI
January 20, 2018
A K&K Group Company
Contoso Ltd.
About me
Microsoft MVP
• Windows Expert-IT Pro (2014-2015)
• Cloud and Datacenter Management (2016)
• Enterprise Mobility /RDS (2017)
• CDCM /Azure (2018)
Founder
@BecomeITExpert.com
Co-Founder
@K&K Group
Think {Cloud /DevOps /Security}
IT Author (+10 eBooks)
• RDS 2012 R2 and 2016 Pocket Consultant
• RDS & OS Security & Hardening guide
• Azure CLI 2.0 Pocket Consultant
• GPO, PowerShell, AppLocker …
Lead Cloud Architect /Az Expert
• Working for several large companies
and international group including
Thales, Areva, Rabobank, Gemalto,
Vinci, CE, BP…etc
IT Blogger
• hichamkadiri.wordpress.com
• AskTheCloudExpert.wordpress.com
• ~2millions views ☺
/hicham_kadiri
/in/hichamkadiri
TechNet Contributor (Top 0,5%)
• MTFC (Microsoft Technical French Contributor)
• MCC (Microsoft Community Contributor)
Hicham KADIRI (aka #HK)
Document Objectives
• Reminder about Azure Governance
• Explains the importance of Locks in
the Microsoft Azure environment
• Key items You Should Know
• Azure Locks vs Azure RBAC
• Required rights for Azure Locks
• Azure GUI & CLI Tools you can use
to create and Apply Azure Locks
• DEMO : HowTo Lock your Azure
Subscriptions, RG and Resources
Reminder about
Azure Governance
#HK
Azure Locks
Why it’s important ?
Microsoft Azure Locks
What is it and Why it’s important ?
• Azure Locks are an amazing way to protect your
subscriptions, resource groups and Azure resources.
• They ensure that what we have implemented
is not changed, or worse, accidentally deleted.
Important Note
Azure Lock does not replace Azure RBAC. Cf next Slide !
Azure Locks
Key items You Should Know
Microsoft Azure Locks
What You Should Know : Lockable Objects
• You can Lock :
• Subscription
• Resource Group
• Resource
Microsoft Azure Locks
What You Should Know : Lock Types
• There are two Lock Types :
• CanNotDelete
▪ You can “Read & Modify” the Resource
▪ You can’t Delete the Resource
• Read-Only
▪ You can Read Resource Properties/Infos
▪ You can’t Delete or Modify Resource
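▪ Important Note:
▪ A Read-Only lock could have undesired results: it also blocks operations that look like reads but are sent as POST requests, for example listing the access keys of a storage account.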
Microsoft Azure Locks
What You Should Know : Inheritance
• When you apply a lock at a parent scope, all resources within that scope
inherit the same lock. Even resources you add later inherit the lock from
the parent. The most restrictive lock in the inheritance takes precedence.
Resource Group inherits Locks from Subscriptions
Resource (eg : Azure VM) inherits Locks from Subscriptions
and Resource Groups
Microsoft Azure Locks
Hierarchy (ex)
Azure Locks
Required « Rights »
Microsoft Azure Locks
Required “Rights”
• To create or delete management locks, you must have access to the following
actions :
• Microsoft.Authorization/*
• Or Microsoft.Authorization/Locks/*
Note
Of the built-in roles, only Owner and User Access Administrator are granted those
actions.
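A least-privilege alternative to granting Owner or User Access Administrator only to manage locks, as an added example that is not part of the original slides: a custom role carrying just the lock actions listed above. The role name and the `<subscription-id>` placeholder are assumptions.

```powershell
# Added example: custom RBAC role limited to management-lock operations.
# Assumptions: the role name and <subscription-id> are placeholders;
# the AzureRM module is loaded and the session is authenticated (Login-AzureRmAccount).

$subscriptionId = "<subscription-id>"
$roleName       = "Lock Manager (custom)"    # hypothetical name

# One common way to build a custom role: clone a built-in definition and strip it down.
$role = Get-AzureRmRoleDefinition -Name "Reader"
$role.Id          = $null
$role.Name        = $roleName
$role.Description = "Can read resources and create or delete management locks only."

$role.Actions.Clear()
$role.Actions.Add("*/read")                            # see what is being locked
$role.Actions.Add("Microsoft.Authorization/locks/*")   # create, read and delete locks

# Restrict where the role can be assigned.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzureRmRoleDefinition -Role $role

# Check the result before assigning the role to anyone.
Get-AzureRmRoleDefinition -Name $roleName |
    Select-Object Name, Actions, AssignableScopes
```

Anyone holding this role can also delete locks, so assign it as narrowly as Owner would have been.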
Difference between
Azure Locks & Azure RBAC
Difference between
Azure Locks vs Azure RBAC
• Azure Role-Based Access Control (RBAC) helps you manage who has access to
Azure resources, what they can do with those resources, and what areas they have
access to. Azure RBAC helps you manage access for users, groups and service
principals.
• Unlike Role-Based Access Control, you use Azure Locks to apply a restriction across
all users and roles.
• Useful Link
• Visit the following link to read more about Azure RBAC :
https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/
Azure GUI & CLI Tools you can use
To create and apply Locks
Azure GUI & CLI Tools you can use
To create and apply Azure Locks
• Azure Locks can be created and applied using different GUI & CLI Tools :
• GUI :
▪ Azure Portal
• CLI
▪ Windows PowerShell (using AzureRM Module)
▪ Azure CLI 2.0
HowTo Lock
Your Azure Subscriptions, RG and Resources
Create & Apply your Azure Locks
using Azure Portal
HowTo #1
Lock your Az Subscriptions, RG and Resources via Azure Portal
• Connect to Azure Portal
• https://portal.azure.com
• Go to Subscriptions blade and select
the Subscription you want to Lock
• Then click on “Resource Locks”
• Click “Add” and add your Azure Lock
• You have to enter the following information:
▪ Lock Name
▪ Lock Type :
▪ Delete
▪ Read-only
▪ Notes (Lock Description)
Important Note
Lock your Az Subscriptions, RG and Resources via Azure Portal
• If you want to create and apply Locks to Resource Groups or a specific Azure Resource, just select
your RG or Azure Resource to lock and then click on “Locks”. Finally, click “Add” and enter the
following information:
• Lock Name
• Lock Type
▪ Delete
▪ Read-Only
• Lock Notes (description)
Create & Apply your Azure Locks
using AzureRM Module
Important Note
Lock your Az Subscriptions, RG and Resources via AzureRM Module
• The New-AzureRmResourceLock cmdlet is used to create a new Azure Lock.
• In the following example, a new Lock will be created and applied to the hk-confident-rg resource group
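An added example of this call (not the original slide's code), extended to check for an existing lock first and to show which locks apply afterwards. The lock name and notes are hypothetical, and an authenticated AzureRM session with `Microsoft.Authorization/locks/*` is assumed.

```powershell
# Added example: lock the hk-confident-rg resource group with the AzureRM module.
# Assumptions: lock name and notes are illustrative; Login-AzureRmAccount already done.

$rgName   = "hk-confident-rg"
$lockName = "hk-confident-rg-lock"    # hypothetical name

# -AtScope returns locks at or above this scope, not those on child resources.
$existing = Get-AzureRmResourceLock -ResourceGroupName $rgName -AtScope |
    Where-Object { $_.Name -eq $lockName }

# Only create the lock when it is not already there, so the script can be re-run.
if (-not $existing) {
    New-AzureRmResourceLock -LockName $lockName `
        -LockLevel CanNotDelete `
        -LockNotes "Prevents accidental deletion of $rgName and everything in it" `
        -ResourceGroupName $rgName `
        -Force    # skip the confirmation prompt
}

# Locks that apply to the group, including any inherited from the subscription.
Get-AzureRmResourceLock -ResourceGroupName $rgName -AtScope |
    Select-Object Name, ResourceId, @{ n = "Level"; e = { $_.Properties.level } }

# With the lock in place, this call is rejected until the lock is removed:
#   Remove-AzureRmResourceGroup -Name $rgName
# Removing the lock again:
#   Remove-AzureRmResourceLock -LockName $lockName -ResourceGroupName $rgName
```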
Important Note
Lock your Az Subscriptions, RG and Resources via AzureRM Module
• If you want to create and apply Locks to a specific Azure Resource, you have to add the -ResourceType
parameter
• In the following example, a new Azure Lock will be created and applied to the “hk-prod-website”
resource. This is an Azure WebSite, so the “Microsoft.web/sites” resource type is specified:
# <resource-group-name> is a placeholder for the resource group that contains hk-prod-website
New-AzureRmResourceLock -LockName "hk-prod-website-lock" `
  -LockLevel CanNotDelete `
  -LockNotes "This Lock prevents accidental deletion of HK-Web-Prod-WebSite resource" `
  -ResourceName "hk-prod-website" -ResourceType "microsoft.web/sites" `
  -ResourceGroupName "<resource-group-name>"
Create & Apply your Azure Locks
using Azure CLI 2.0
HowTo #3
Lock your Az Subscriptions, RG and Resources via Azure CLI
• The az lock create command is used to create a new Azure Lock.
• In the following example, a new Lock will be created and applied to the hk-confident-rg
resource group
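An added example of the Azure CLI 2.0 call (not the original slide's code), typed into a PowerShell session and followed by a check for resource groups that have no lock of their own. The lock name and notes are hypothetical, and `az login` is assumed to have been run.

```powershell
# Added example: Azure CLI 2.0 equivalent, run from PowerShell.
# Assumptions: lock name and notes are illustrative; `az login` already done.

$rgName   = "hk-confident-rg"
$lockName = "hk-confident-rg-lock"    # hypothetical name

# Create a CanNotDelete lock on the resource group.
az lock create --name $lockName `
    --lock-type CanNotDelete `
    --resource-group $rgName `
    --notes "Prevents accidental deletion of $rgName"

# Confirm the lock is present.
az lock list --resource-group $rgName --output table

# Audit: report resource groups for which no lock is returned.
# A lock set on the subscription still protects them through inheritance;
# this loop only looks at locks listed for each group.
$groups = az group list --query "[].name" --output tsv
foreach ($g in $groups) {
    $count = az lock list --resource-group $g --query "length(@)" --output tsv
    if ([int]$count -eq 0) {
        Write-Output "No lock: $g"
    }
}

# Removing the lock again:
#   az lock delete --name $lockName --resource-group $rgName
```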
Do you have any Azure
Project (Design/Architecture/Migration)?
If yes, feel free to contact us
Your Contacts
Hicham KADIRI
Lead Cloud Architect /Azure Advisor & Microsoft MVP
hicham.kadiri@k-nd-k-group.com
+33 (0)6 52 97 72 84
Mohsine CHOUGDALI
Key Account Manager
mohsine.chougdali@k-nd-k-group.com
+33 6 66 26 55 15
End of Lesson
Hope this Helps ☺

[Azure Governance] Lesson 2 : Azure Locks
