Resource Locks and Tags

Quick Answer: Resource Locks prevent accidental deletion (CanNotDelete) or modification (ReadOnly) of Azure resources. Tags are key-value pairs for organizing resources. Locks are inherited; tags are NOT inherited.

Resource Locks

Resource Locks prevent accidental deletion or modification of critical Azure resources. Even users with Owner permissions cannot delete a locked resource without first removing the lock.

Lock Types

Lock Behavior

• Locks can be applied at the subscription, resource group, or resource level
• Locks are inherited — a lock on a resource group applies to ALL resources within it
• A lock on a subscription applies to all resource groups and resources in the subscription
• To delete a locked resource, you must first remove the lock, then delete the resource
• Multiple locks can exist on a resource — the most restrictive lock wins

On the Exam: Even the Owner role cannot delete a resource with a CanNotDelete lock without first removing the lock. Locks are designed to prevent accidental changes, not to replace RBAC security.

When to Use Resource Locks

Resource Tags

Tags are key-value pairs that you attach to Azure resources, resource groups, and subscriptions to logically organize them.

Tag Structure

Tags consist of a name (key) and a value:

Important Tag Rules

Tag Use Cases

Enforcing Tags with Azure Policy

Since tags are not inherited, use Azure Policy to ensure consistent tagging:

• Require a tag on resources — Deny creation of resources without a specific tag
• Require a tag on resource groups — Deny creation of resource groups without a tag
• Inherit a tag from the resource group — Automatically copy a tag from the resource group to new resources

On the Exam: Tags are NOT inherited from resource groups to resources. This is a frequently tested fact. Use Azure Policy with the "Inherit a tag from the resource group" policy to enforce tag inheritance.