Many companies use resource locks on Azure to protect against accidental deletion. However, one annoying thing with Resource Locks is that, by default, they can only be set and removed by the RBAC Owner or User Access Administrator roles.
This creates a slight issue, as you probably don't want to grant Owner roles to your users. In order to make working with Resource Locks more accessible, I created a custom RBAC role that grants the user only the lock permissions and assigned it at my Management Group scope. My custom role looks like this.
Name : Jubson Resource Lock Administrator
Id : cae29980-9234-46c5-b49b-74f57fb97c54
IsCustom : True
Description : Can apply and remove Azure resource locks
Actions : {Microsoft.Authorization/locks/*}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/providers/microsoft.management/managementGroups/Jubson}
I can then assign this role to any security principal that is required in all of my subscriptions. By using the scope of the management group, when I add new subscriptions they automatically inherit this role.
Creating a role is quick and easy. First, get the Reader role, then modify the settings before saving it as a new role.
# Get the built-in Reader role to use as a template
$role = Get-AzRoleDefinition Reader
# Clear the Id so Azure generates a new one instead of reusing Reader's
$role.Id = $null
# Configure the settings of your new role
$role.Name = "Jubson Resource Lock Administrator"
$role.IsCustom = $true
$role.Description = "Can apply and remove Azure resource locks"
# Replace Reader's actions with the lock permissions only
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/locks/*")
# Restrict where the role can be assigned (change this to your own scope)
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/providers/microsoft.management/managementGroups/Jubson")
# Create your new role in Azure.
New-AzRoleDefinition -Role $role
Just don't forget to change the scope to your own, be that a Management Group, Subscription, Resource Group, or even a single Resource. Note that a custom RBAC role can only have a single management group in its assignable scopes, and assigning at management group level may not be the best idea for you; check the link below.
It can take a few minutes (5-10) before the new role is available.
Once the role is available, you will be able to assign it programmatically or through the portal.
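As an added example (not from the original post), the following assigns the custom role to a group at subscription scope, verifies the assignment, and then exercises the lock permissions by applying and removing a CanNotDelete lock. The group name "Resource Lock Admins", the subscription ID and the resource group "rg-prod-data" are placeholders you would replace with your own.

```powershell
# Added example: assign the custom role and exercise the lock permissions it grants.
# Assumptions (placeholders, not from the original post): an Entra ID group named
# "Resource Lock Admins", a subscription ID of 00000000-0000-0000-0000-000000000000,
# and an existing resource group named "rg-prod-data".
$roleName       = "Jubson Resource Lock Administrator"
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$rgName         = "rg-prod-data"                           # placeholder

# 1. Confirm the custom role has propagated before trying to assign it (can take 5-10 minutes).
$roleDef = Get-AzRoleDefinition -Name $roleName
if (-not $roleDef) { throw "Role '$roleName' is not visible yet; wait a few minutes and retry." }

# 2. Assign the role to a group rather than to individual users, so membership changes
#    do not require new role assignments. Scope it to a single subscription here.
$group = Get-AzADGroup -DisplayName "Resource Lock Admins"
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope

# 3. Verify the assignment exists at the intended scope and nothing wider.
Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName |
    Select-Object DisplayName, RoleDefinitionName, Scope

# 4. Signed in as a member of that group, the lock permissions now work:
#    apply a CanNotDelete lock to the resource group ...
New-AzResourceLock -LockName "no-delete" -LockLevel CanNotDelete `
    -ResourceGroupName $rgName -LockNotes "Protects production data" -Force

# ... read it back, and remove it again when the protection is no longer needed.
$lock = Get-AzResourceLock -ResourceGroupName $rgName -LockName "no-delete"
Remove-AzResourceLock -LockId $lock.LockId -Force
```

Because the role's action is the wildcard Microsoft.Authorization/locks/*, it covers locks/read, locks/write and locks/delete, so anyone holding it can remove locks as well as apply them; keep the assignment scope as narrow as your use case allows and audit it with Get-AzRoleAssignment as shown in step 3.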
Happy resource locking and unlocking.