Ensure Custom Role administrative resource lock is assigned

Risk Level

Informational (4)

Compliance Frameworks


There is no custom role to administer resource locks. Azure resource locks allow you to protect sensitive resources from accidental changes or deletion. A tightly scoped resource lock administrator role has only the permissions required to manage resource locking and nothing more. In the absence of such a role, users may need to assume the "Contributor" or "Owner" roles to administer locks, which violates the principle of least privilege.
Recommended Mitigation

Define a tightly scoped custom role for managing resource locks, following the principle of least privilege. Use this role, and only this role, when administering resource locks.
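The following check is an added example, not part of the original rule or of any product's own code. It classifies role definitions by whether they are confined to the `Microsoft.Authorization/locks/*` operations. The sample roles are constructed, and their field names are assumed to mirror the JSON printed by `az role definition list`. It inspects definitions only, not role assignments.

```python
from fnmatch import fnmatchcase

LOCK_NS = "microsoft.authorization/locks/"
LOCK_OPS = ("read", "write", "delete")

# Constructed sample, assumed to mirror `az role definition list` JSON output.
SAMPLE_ROLES = [
    {"roleName": "Resource Lock Administrator", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}]},
    {"roleName": "Platform Ops", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/*",
                                  "Microsoft.Compute/virtualMachines/read"], "notActions": []}]},
    {"roleName": "Lock Reader", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/read"], "notActions": []}]},
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
]

def lock_ops_matched(patterns):
    """Lock operations covered by a list of Azure action patterns (case-insensitive)."""
    pats = [p.lower() for p in patterns]
    return {op for op in LOCK_OPS if any(fnmatchcase(LOCK_NS + op, p) for p in pats)}

def classify(role):
    """Label one role definition by how it relates to lock administration."""
    if role.get("roleType") != "CustomRole":
        return "built-in"
    granted, confined = set(), True
    for perm in role.get("permissions", []):
        actions = perm.get("actions", [])
        granted |= lock_ops_matched(actions) - lock_ops_matched(perm.get("notActions", []))
        # Any control-plane action outside the locks namespace, or any data
        # action, means the role does more than manage locks.
        if perm.get("dataActions") or any(not a.lower().startswith(LOCK_NS) for a in actions):
            confined = False
    if not {"write", "delete"} <= granted:
        return "no-lock-admin"
    return "scoped-lock-admin" if confined else "over-broad"

def audit(roles):
    """Map each role name to its classification."""
    return {r["roleName"]: classify(r) for r in roles}

def rule_fires(roles):
    """True when no tightly scoped custom lock administrator role exists."""
    return "scoped-lock-admin" not in audit(roles).values()

if __name__ == "__main__":
    for name, label in audit(SAMPLE_ROLES).items():
        print(f"{label:18} {name}")
    print("finding raised:", rule_fires(SAMPLE_ROLES))
```

Roles labelled `over-broad` can manage locks but also carry unrelated permissions, so they do not satisfy the mitigation.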