Custom Role should be assigned for administering resource locks

Description

Resource locks are a powerful configuration setting for preventing modification or deletion of sensitive resources. Because anyone who can remove a lock can then change or delete the resource it protects, lock administration should be granted through a tightly scoped custom role rather than the broader built-in Owner or Contributor roles, to reduce the risk of unintentional damage.

Remediation Steps

Azure Portal

  • Navigate to the subscription or resource group where you want the custom role to be assignable.

  • Select Access control (IAM).

  • Select Add.

  • Select Add custom role.

  • In the Custom Role Name field, enter Resource Lock Administrator.

  • In the Description field, enter Can Administer Resource Locks.

  • For Baseline permissions, select Start from scratch.

  • Click Next.

  • In the Permissions tab, select Add permissions.

  • In the Search for a permission box, type in Microsoft.Authorization/locks to search for permissions.

  • Select the checkbox next to the permission called Microsoft.Authorization/locks.

  • Click Add.

  • Click Review + create.

  • Click Create.

  • Assign the newly created role to the appropriate user.

PowerShell

  • Below is a PowerShell definition for a resource lock administrator role created at an Azure Management group level:

Import-Module Az.Accounts
Import-Module Az.Resources   # Get-AzRoleDefinition and New-AzRoleDefinition live in this module
Connect-AzAccount

# Start from a built-in definition so the object has the right shape, then replace its contents
$role = Get-AzRoleDefinition "User Access Administrator"
$role.Id = $null
$role.Name = "Resource Lock Administrator"
$role.Description = "Can Administer Resource Locks"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/locks/*")   # read, write and delete of locks only
$role.AssignableScopes.Clear()

# Scope at the Management group level (replace MG-Name with the management group ID)
$role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/MG-Name")

New-AzRoleDefinition -Role $role
Get-AzRoleDefinition "Resource Lock Administrator"
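The portal and PowerShell steps above both create the role; the script below is an added example (not part of the benchmark text) that covers the whole procedure at subscription scope: it audits for an existing custom role that grants lock administration, creates one from a JSON definition if none exists, assigns it to a principal, and lists who holds it. The subscription ID and principal object ID are placeholders you must replace.

```powershell
# Added example: audit, create (if missing) and assign a resource-lock administrator role
# at subscription scope. The subscription ID and principal object ID are placeholders.
Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder: target subscription
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder: object ID of the lock admin
$scope          = "/subscriptions/$subscriptionId"
$roleName       = "Resource Lock Administrator"

# 1. Audit: does a custom role already grant lock administration at this scope?
$lockRoles = Get-AzRoleDefinition -Custom -Scope $scope |
    Where-Object { $_.Actions -contains "Microsoft.Authorization/locks/*" }

if ($lockRoles) {
    Write-Host "Existing lock-administration custom role(s): $($lockRoles.Name -join ', ')"
} else {
    # 2. Create the role from a JSON definition. locks/* covers read, write and delete
    #    of locks and nothing else, which is the whole point of the custom role.
    $definition = @{
        Name             = $roleName
        IsCustom         = $true
        Description      = "Can Administer Resource Locks"
        Actions          = @("Microsoft.Authorization/locks/*")
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
        AssignableScopes = @($scope)
    } | ConvertTo-Json -Depth 3

    $file = New-TemporaryFile
    Set-Content -Path $file.FullName -Value $definition
    New-AzRoleDefinition -InputFile $file.FullName
    Remove-Item $file.FullName
}

# 3. Assign the role to the principal, skipping the call if the assignment already exists
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope
}

# 4. Verify: list every principal holding the role at this scope
Get-AzRoleAssignment -RoleDefinitionName $roleName -Scope $scope |
    Select-Object DisplayName, ObjectType, Scope
```

Using -InputFile with a JSON definition (rather than cloning a built-in role) makes the permissions explicit and reviewable in source control; the audit step at the top is the check to run when verifying this recommendation across subscriptions.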