micah jardine

Resource Lock Administrator - Custom Role

Many companies use resource locks on Azure to protect against accidental deletion. However, one annoying thing about resource locks is that by default they can only be set and removed by the RBAC Owner or User Access Administrator roles.


This creates a slight issue, as you probably don't want to grant Owner roles to your users. To make working with resource locks more accessible, I created a custom RBAC role that grants only the lock permissions and assigned it at my Management Group scope. My custom role looks like this.

Name             : Jubson Resource Lock Administrator
Id               : cae29980-9234-46c5-b49b-74f57fb97c54
IsCustom         : True
Description      : Can apply and remove Azure resource locks
Actions          : {Microsoft.Authorization/locks/*}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/providers/microsoft.management/managementGroups/Jubson}

I can then assign this role to any security principal that needs it, across all of my subscriptions. Because the role is defined at management group scope, any new subscriptions I add automatically inherit it.


Creating a role is quick and easy. First, get the Reader role, then modify the settings before saving it as a new role.

# Get the existing built-in Reader role as a template
$role = Get-AzRoleDefinition Reader

# Clear the built-in role's Id so a new definition is created rather than colliding with Reader
$role.Id = $null

# Configure the settings of your new role
$role.Name = "Jubson Resource Lock Administrator"
$role.IsCustom = $true
$role.Description = "Can apply and remove Azure resource locks"

# Drop Reader's */read action and grant only the lock permissions
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/locks/*")

# Replace the "/" scope inherited from Reader with your own management group
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/providers/microsoft.management/managementGroups/Jubson")

# Create your new role in Azure.
New-AzRoleDefinition -Role $role

Just don't forget to change the scope to your own, be that a management group, subscription, resource group, or even a single resource. A custom RBAC role can only be made assignable to a single management group, and applying it at management group scope may not be the best idea for you; check the link below.


It can take a few minutes (5-10) before the new role is available.

Once the role is available, you will be able to assign it programmatically or through the portal.
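As an added example (not code from the original post), the following script waits for the new role to propagate, checks that it still carries nothing beyond the lock permissions, and assigns it to a security group at the management group scope. The group name "Jubson-Lock-Admins" and the 15-minute wait are assumptions.

```powershell
# Wait for the custom role to propagate, verify its permissions, then assign it
# to a group (assigning to groups rather than individual users keeps reviews simple).
$roleName  = "Jubson Resource Lock Administrator"
$groupName = "Jubson-Lock-Admins"   # assumed Entra ID security group
$scope     = "/providers/Microsoft.Management/managementGroups/Jubson"

# The role can take 5-10 minutes to become visible; poll instead of guessing.
$deadline = (Get-Date).AddMinutes(15)
do {
    $roleDef = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
    if (-not $roleDef) { Start-Sleep -Seconds 30 }
} until ($roleDef -or (Get-Date) -gt $deadline)
if (-not $roleDef) { throw "Role '$roleName' not visible after 15 minutes" }

# Guardrail: the role must grant only the lock permissions, nothing else.
$extra = $roleDef.Actions | Where-Object { $_ -ne "Microsoft.Authorization/locks/*" }
if ($extra -or $roleDef.DataActions) {
    throw "Role has unexpected permissions: $($extra -join ', ')"
}

# Resolve the group and create the assignment only if it does not already exist.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found" }

$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName `
    -Scope $scope -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope
}

# Confirm what the group now holds at that scope.
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```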



Happy resource locking and unlocking.


Links

©2020 by Micah Jardine - Azure Cloud Blog.
