Authentication

Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

There is no custom role to administer resource locks. Azure resource locks allow you to protect sensitive resources from accidental changes or deletion. A tightly scoped resource lock administrator role has only the permissions required to manage resource locking and nothing more. In the absence of such a role, users may need to assume the "Contributor" or "Owner" roles to administer locks, which violates the principle of least privilege.
Recommended Mitigation

Define a tightly scoped custom role for managing resource locks, following the principle of least privilege. Only this role, and no broader one, should then be used when administering resource locks.
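As an added example, not part of this rule page, the check below evaluates exported role definitions to decide whether a tightly scoped lock-administrator role exists: a custom role whose actions stay inside `Microsoft.Authorization/locks/` and cover read, write and delete. The sample input is constructed to mirror the shape of `az role definition list` output; the role names are placeholders.

```python
"""Check exported Azure role definitions for a tightly scoped lock-administrator role."""
import fnmatch

# The three control-plane operations a lock administrator needs; the role must
# grant all of them and nothing outside the locks namespace.
LOCK_OPERATIONS = (
    "Microsoft.Authorization/locks/read",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete",
)

def _granted(patterns, operation):
    """Azure action strings may contain '*' wildcards and are case-insensitive."""
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def is_lock_admin_role(role):
    """True if `role` is a custom role whose permissions are exactly lock management."""
    if role.get("roleType") != "CustomRole":
        return False  # Owner/Contributor are built-in and far too broad
    actions, not_actions = [], []
    for perm in role.get("permissions", []):
        if perm.get("dataActions") or perm.get("notDataActions"):
            return False  # a lock administrator needs no data-plane access
        actions += perm.get("actions", [])
        not_actions += perm.get("notActions", [])
    # Reject '*', 'Microsoft.Authorization/*' and anything else outside the locks namespace.
    if not actions or not all(a.lower().startswith("microsoft.authorization/locks/") for a in actions):
        return False
    # The role must actually cover read, write and delete, with none of them excluded.
    return all(_granted(actions, op) and not _granted(not_actions, op) for op in LOCK_OPERATIONS)

def find_lock_admin_roles(role_definitions):
    """Return qualifying roleNames; an empty list means this page's finding applies."""
    return [r["roleName"] for r in role_definitions if is_lock_admin_role(r)]

# Constructed sample mirroring the shape of `az role definition list` output (placeholder names).
SAMPLE_ROLES = [
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": [], "dataActions": [], "notDataActions": []}]},
    {"roleName": "Authorization Admin (constructed)", "roleType": "CustomRole",  # whole namespace: too broad
     "permissions": [{"actions": ["Microsoft.Authorization/*"], "notActions": [], "dataActions": [], "notDataActions": []}]},
    {"roleName": "Resource Lock Administrator (constructed)", "roleType": "CustomRole",  # tightly scoped
     "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": [], "dataActions": [], "notDataActions": []}]},
]

if __name__ == "__main__":
    print("Lock administrator roles:", find_lock_admin_roles(SAMPLE_ROLES) or "none (finding present)")
```

Feed it the JSON from `az role definition list --custom-role-only true` to run the same check against a real subscription.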