This chapter covers two essential Azure governance tools: resource locks and tags. Resource locks protect your Azure resources from accidental deletion or modification, while tags help you organize and manage resources by attaching metadata. Together, they form a critical part of Azure's governance and cost management capabilities. On the AZ-900 exam, this objective (3.2) falls under the 'Azure Management Governance' domain, which typically accounts for about 10-15% of the total questions. Understanding the difference between locks and tags, their inheritance, and how to apply them is key to scoring well.
Jump to a section
Imagine you own a large safety deposit box at a bank. This box holds your most important documents: your house deed, will, and passport. You have a key, and your spouse has a key. The bank manager also has a master key. Now, you want to make sure that no one — not even your spouse or the manager — can accidentally remove or change the house deed. So you put a special red sticker on the deed that says 'DO NOT REMOVE OR CHANGE — LOCKED.' This red sticker is a 'Delete Lock' (CanNotDelete). Even if someone has a key, the bank’s policy says they must respect the sticker. If they try to take the deed, the bank system checks the sticker and blocks the action. Similarly, you might put a blue sticker that says 'DO NOT CHANGE' (ReadOnly) on your will — anyone can read it, but they cannot modify it. These stickers are like Azure resource locks. They don't prevent access via the key (permissions), but they enforce an extra rule that overrides permissions. Tags are like colored tabs you stick on each document folder — 'Important', 'Tax Year 2024', 'To Review' — to help you organize and find things quickly. But these tabs don't affect who can open the box; they just help with sorting and billing. In Azure, resource locks prevent accidental deletion or modification at the subscription, resource group, or resource level. They are inherited by child resources. Tags are metadata key-value pairs that help with organization, cost tracking, and automation, but they do not control access. The key insight: locks are about protection (preventing actions), while tags are about organization (labeling). Both are governance tools, but they serve different purposes and can be used together.
What Are Azure Resource Locks and Tags?
Azure Resource Locks are a governance feature that prevents accidental deletion or modification of Azure resources. They act as an override for any permissions — even if a user has Contributor or Owner role, a lock can block their ability to delete or modify a resource. Locks are applied at the subscription, resource group, or individual resource level and are inherited by child resources. Tags, on the other hand, are metadata key-value pairs that you attach to resources to logically organize them. Tags are used for cost reporting, resource grouping, automation, and policy enforcement. They do not affect access control.
How Resource Locks Work — Step by Step Mechanism
When you apply a lock to a resource, Azure's Resource Manager checks the lock before executing any operation. The lock is evaluated after Azure RBAC (Role-Based Access Control) but before the operation is performed. The process works as follows:
A user makes a request to delete or modify a resource via Azure Portal, CLI, PowerShell, or API.
Azure RBAC first checks if the user has permission to perform the action (e.g., Contributor role can delete).
If RBAC allows, Azure then checks for any locks applied to the resource, its resource group, or subscription.
If a lock exists that prohibits the action, the request is denied with an error message like: 'The resource you are trying to delete is protected by a lock.'
Locks are inherited. For example, if you apply a CanNotDelete lock to a resource group, all resources within that group inherit that lock. You cannot delete any resource in that group unless you remove the lock first. However, you can still modify the resources (e.g., change configuration) unless a ReadOnly lock is applied.
Types of Resource Locks
Azure provides two types of locks:
CanNotDelete: Authorized users can still read and modify the resource, but they cannot delete it. This is the most common lock used to prevent accidental deletion of critical resources.
ReadOnly: Authorized users can only read the resource. They cannot delete or modify it. This lock is more restrictive and is useful for resources that should remain static, such as a production database or a configuration file.
There is no 'Delete' lock that only prevents deletion but allows modification; that's exactly what CanNotDelete does. ReadOnly is stricter.
How Tags Work — Mechanism and Use Cases
Tags are simple key-value pairs. For example: Environment: Production, CostCenter: 12345, Owner: Alice. You can apply tags to most Azure resources, resource groups, and subscriptions. Tags are not inherited by default, but you can use Azure Policy to enforce inheritance. Tags are stored as metadata and are visible in the Azure Portal, CLI, and via API. They are used for:
Cost Management: Tag resources by cost center, project, or environment to track spending in Azure Cost Management.
Organization: Group resources by department, application, or lifecycle stage.
Automation: Use tags to trigger actions via Azure Automation, Logic Apps, or Functions.
Policy Enforcement: Azure Policy can require specific tags on resources, e.g., all resources must have a 'CostCenter' tag.
Tags have limits: each resource can have up to 50 tag name-value pairs. Tag names are case-insensitive but case-preserving. Tag values are case-sensitive.
Comparison to On-Premises Equivalent
In an on-premises data center, there is no built-in equivalent to resource locks. You might use physical security (locked server racks) or administrative procedures (change management) to prevent accidental deletion. But these are not automated or enforced by the infrastructure. Tags are similar to labeling systems in ITIL or CMDBs, where you assign metadata to assets. However, in Azure, tags are native and can drive automated cost allocation and policy, which is much harder to achieve on-premises.
Azure Portal and CLI Touchpoints
To manage locks in the Azure Portal:
Navigate to the resource, resource group, or subscription.
Under 'Settings', select 'Locks'.
Click 'Add' and choose the lock type and name.
To manage tags in the Azure Portal:
Navigate to the resource, resource group, or subscription.
Under 'Overview' or 'Tags', click 'Tags'.
Add key-value pairs and save.
Using Azure CLI:
# Apply a CanNotDelete lock to a resource group
az lock create --name LockRG --lock-type CanNotDelete --resource-group MyResourceGroup
# Apply a ReadOnly lock to a storage account
az lock create --name LockStorage --lock-type ReadOnly --resource-group MyResourceGroup --resource-name mystorageaccount --resource-type Microsoft.Storage/storageAccounts
# List all locks
az lock list
# Add a tag to a resource group
az tag create --resource-id /subscriptions/.../resourceGroups/MyResourceGroup --tags Environment=Production CostCenter=12345Using PowerShell:
# Apply a CanNotDelete lock
New-AzResourceLock -LockName LockRG -LockLevel CanNotDelete -ResourceGroupName MyResourceGroup
# Apply a ReadOnly lock
New-AzResourceLock -LockName LockStorage -LockLevel ReadOnly -ResourceGroupName MyResourceGroup -ResourceName mystorageaccount -ResourceType Microsoft.Storage/storageAccounts
# Add tags
Set-AzResourceGroup -Name MyResourceGroup -Tag @{Environment='Production'; CostCenter='12345'}Business Scenarios
Production Database Protection: A company has a critical SQL database. They apply a CanNotDelete lock at the resource level. Even if an admin accidentally tries to delete it, the lock prevents the action. Tags like Environment: Production and CostCenter: IT help track costs.
Compliance Tagging: A healthcare organization must tag all resources with DataSensitivity: PHI. Azure Policy enforces this tag. Resources without the tag are non-compliant and can be reported.
Subscription-Wide ReadOnly Lock: During a security audit, an organization applies a ReadOnly lock at the subscription level to prevent any changes. After the audit, the lock is removed.
Identify Resources to Protect
First, determine which Azure resources are critical and should not be accidentally deleted or modified. Common candidates are production databases, virtual machines, storage accounts with critical data, and networking resources like virtual networks. Also, consider resources that are expensive to recreate or have compliance requirements. For tags, identify what metadata is important for your organization, such as cost center, environment, or owner. This step is done with stakeholders from finance, operations, and compliance teams. In the Azure portal, you can review resources in your subscription and decide on a lock strategy. Remember, locks are applied at the resource, resource group, or subscription level. For maximum protection, apply locks at higher levels (resource group or subscription) so they inherit to all child resources.
Choose Lock Type: CanNotDelete or ReadOnly
Decide which type of lock to apply. CanNotDelete allows read and modify but prevents deletion. Use this for resources that need ongoing changes but must not be deleted. ReadOnly prevents both deletion and modification. Use this for resources that should remain static, like a configuration file or a read-only database replica. On the exam, remember that ReadOnly is more restrictive. Also, note that ReadOnly locks affect all operations that create or update, including Azure Backup and Azure Site Recovery operations. For example, backup policies might fail because they need to write to the vault. Test the lock in a non-production environment first. In the Azure portal, when adding a lock, you select the lock type from a dropdown.
Apply the Lock via Portal, CLI, or PowerShell
Apply the lock at the desired scope. In the portal, go to the resource, resource group, or subscription, then under 'Settings' click 'Locks' and 'Add'. Provide a name (e.g., 'ProductionLock') and select the type. The lock takes effect immediately. Using CLI or PowerShell, you can script the application across multiple resources. For example, to apply a CanNotDelete lock to all storage accounts in a resource group, you can loop through them. Locks are stored in Azure Resource Manager as a separate resource type (Microsoft.Authorization/locks). They are not part of the resource itself. This means you can view all locks in a subscription using the 'Locks' blade or CLI command `az lock list`.
Verify Lock Inheritance and Effect
After applying the lock, test that it works as expected. Try to delete a resource in the protected scope. You should receive an error message. For ReadOnly locks, try to modify the resource (e.g., change a VM size) and confirm it fails. Remember that locks are inherited. If you apply a lock at the resource group level, all resources in that group inherit it. However, you can apply a different lock at a lower level that overrides the inherited lock? No, locks are additive — the most restrictive lock applies. For example, if a resource group has a CanNotDelete lock, and you apply a ReadOnly lock on a specific resource, the resource becomes ReadOnly. If you apply a CanNotDelete lock on a resource within a resource group that has a ReadOnly lock, the resource is still ReadOnly because ReadOnly is more restrictive. This is a common exam trick.
Apply and Manage Tags for Organization
Tags are applied similarly but do not affect access. In the portal, under 'Tags' on a resource, add key-value pairs. Tags are not inherited by default. To enforce inheritance, use Azure Policy. For example, a policy can add a 'CostCenter' tag from the resource group to all resources. Tags have a limit of 50 per resource. Use consistent naming conventions (e.g., 'Environment', 'Project', 'CostCenter'). Tags are case-sensitive for values but case-insensitive for names. You can bulk edit tags using the portal's 'Tag Editor' or via CLI. For cost management, ensure tags are applied to all resources. Azure Cost Management can then group costs by tag. Also, tags can be used to trigger automation, such as shutting down VMs with a 'ShutdownTime' tag.
Scenario 1: Preventing Accidental Deletion of a Production Database
A mid-sized e-commerce company runs its customer database on Azure SQL Database. One night, a junior DBA accidentally tries to delete the database while cleaning up test resources. Without a lock, the database would be gone, causing hours of downtime and potential data loss. The company applies a CanNotDelete lock on the resource group containing the database. Now, any delete attempt fails with an error. Additionally, they tag the resource group with Environment: Production and CostCenter: ECommerce. This helps the finance team track costs. If the lock were not applied, the accidental deletion could have cost the company thousands in lost revenue. The lock also prevents automated scripts from deleting the resource. The team also applies a ReadOnly lock on a configuration file stored in Azure Blob Storage to prevent accidental modification. A common mistake is applying the lock at the wrong level — if they applied it only to the database resource, new resources added to the group would be unprotected. So they apply it at the resource group level for inheritance.
Scenario 2: Tagging for Cost Allocation in a Large Enterprise
A multinational corporation has hundreds of Azure subscriptions. The finance team needs to allocate costs to different departments and projects. They mandate that all resources must have tags: Department, Project, and CostCenter. Using Azure Policy, they enforce that any new resource without these tags is denied creation or flagged as non-compliant. They also use Azure Cost Management to generate reports grouped by these tags. Without tags, the finance team would have to manually track costs, leading to inaccuracies and disputes. A common issue is that tags are not applied consistently. For example, some teams use 'Dept' while others use 'Department'. To solve this, they create a policy that requires specific tag names. They also use a remediation task to add missing tags. The scale of this operation requires automation; they use Azure CLI scripts to apply tags to existing resources. The cost of not tagging is poor visibility and potential budget overruns.
Scenario 3: ReadOnly Lock During Security Audit
A financial services company is undergoing a security audit. To ensure no changes are made to the production environment during the audit, they apply a ReadOnly lock at the subscription level. This prevents any modifications or deletions across all resources. After the audit, they remove the lock. However, during the audit, they realize that Azure Backup jobs fail because they need to write to the Recovery Services vault. They had to temporarily remove the lock for backups. This is a real-world challenge: ReadOnly locks can break dependent services. Best practice is to test locks in a non-production environment first. They also tag resources with AuditStatus: InProgress to track which resources are under audit. This scenario highlights that locks are powerful but must be used carefully.
What AZ-900 Tests on This Objective
Objective 3.2: 'Describe the purpose of resource locks and tags.' The exam will ask you to:
Identify the two types of resource locks: CanNotDelete and ReadOnly.
Understand that locks are inherited and can be applied at subscription, resource group, or resource level.
Know that locks override RBAC permissions — even an Owner cannot delete a resource with a CanNotDelete lock.
Recognize that tags are metadata key-value pairs used for organization, cost management, and automation.
Understand that tags are not inherited by default, but can be enforced via Azure Policy.
Know the tag limit: 50 per resource.
Common Wrong Answers and Why Candidates Choose Them
'Tags can be used to restrict access.' Candidates confuse tags with RBAC or locks. Tags are metadata only; they do not control access.
'A ReadOnly lock prevents deletion but allows modification.' This is backwards. ReadOnly prevents both modification and deletion. CanNotDelete prevents deletion only.
'Locks are applied at the resource level only.' Locks can be applied at subscription, resource group, and resource levels. Many candidates forget the higher scopes.
'Tags are inherited by child resources.' Tags are not inherited by default. This is a common misconception. Azure Policy can enforce inheritance, but it is not automatic.
'You can delete a resource if you are the Owner, even with a lock.' Locks override RBAC. Even an Owner cannot delete a resource with a CanNotDelete lock without first removing the lock.
Specific Terms and Values That Appear Verbatim
'CanNotDelete' and 'ReadOnly' are the exact lock type names.
'Resource lock' is the official term.
'Tag' is the official term for key-value pairs.
The limit '50 tags per resource' is frequently tested.
The phrase 'Locks are inherited' appears in exam questions.
Edge Cases and Tricky Distinctions
Lock inheritance with conflicting types: If a resource group has a CanNotDelete lock, and a resource within it has a ReadOnly lock, the resource is ReadOnly (more restrictive wins). If the resource group has a ReadOnly lock and the resource has a CanNotDelete lock, the resource remains ReadOnly. The most restrictive lock applies.
Locks and Azure Policy: Locks are not policies. Azure Policy evaluates compliance and can enforce tags, but locks are a separate feature that directly blocks operations.
Locks and Azure Backup: ReadOnly locks can cause backup failures because backup services need to write to the vault. Know this as a potential side effect.
Tags and resource groups: You can apply tags to a resource group, but they are not automatically inherited by resources unless a policy enforces it.
Memory Trick or Decision Tree
For lock types: 'CanNotDelete' = 'Cannot delete but can modify'. 'ReadOnly' = 'Cannot delete or modify'. Think: 'ReadOnly' is stricter. For scope: higher level locks protect more. Use the mnemonic 'S-R-R' for scope: Subscription, Resource group, Resource. For tags: 'Tags are for tagging, not locking.' If a question asks about preventing deletion, think locks. If it asks about cost tracking, think tags. Decision tree: Is the goal to prevent accidental deletion? → Use CanNotDelete lock. To prevent any changes? → Use ReadOnly lock. To organize or track costs? → Use tags.
Resource locks have two types: CanNotDelete (prevents deletion) and ReadOnly (prevents deletion and modification).
Locks can be applied at subscription, resource group, or resource level and are inherited by child resources.
Locks override RBAC permissions — even an Owner cannot delete a resource with a CanNotDelete lock without removing the lock first.
Tags are metadata key-value pairs with a limit of 50 per resource.
Tags are not inherited by default; use Azure Policy to enforce inheritance.
Tags are used for cost management, organization, and automation, not for access control.
The most restrictive lock applies when locks are applied at multiple scopes (e.g., ReadOnly wins over CanNotDelete).
ReadOnly locks can break Azure Backup and other services that need to write to the resource.
These come up on the exam all the time. Here's how to tell them apart.
Resource Locks
Prevent accidental deletion or modification of resources.
Two types: CanNotDelete and ReadOnly.
Override RBAC permissions — even Owners are blocked.
Inherited from parent scope to child resources.
Cannot be used for cost tracking or organization.
Tags
Metadata key-value pairs for organization and cost tracking.
No types — just key-value pairs.
Do not affect access control or permissions.
Not inherited by default; can be enforced via Azure Policy.
Used for cost management, automation, and resource grouping.
Mistake
Resource locks are a type of Azure Policy.
Correct
Resource locks are a separate feature from Azure Policy. Locks block operations at the resource manager level, while policies evaluate compliance and can enforce rules (like requiring tags) but do not directly block deletion or modification. Locks override RBAC; policies do not.
Mistake
Tags are inherited by child resources automatically.
Correct
Tags are not inherited by default. If you tag a resource group, the resources inside it do not automatically get those tags. You must use Azure Policy or scripts to propagate tags. This is a common exam trap.
Mistake
A ReadOnly lock allows deletion if you have Contributor role.
Correct
No. A ReadOnly lock prevents both deletion and modification, regardless of RBAC role. Even an Owner cannot delete a resource with a ReadOnly lock without removing the lock first.
Mistake
You can apply an unlimited number of tags per resource.
Correct
Azure limits each resource to 50 tag name-value pairs. This is a hard limit. If you need more, consider using a different metadata strategy.
Mistake
Locks can be applied to individual resources only, not to resource groups or subscriptions.
Correct
Locks can be applied at the subscription, resource group, or resource level. Applying at a higher level inherits to all child resources. This is a key concept for the exam.
CanNotDelete locks prevent deletion but allow modification and reading. ReadOnly locks prevent both deletion and modification, allowing only read operations. ReadOnly is more restrictive. On the exam, remember that ReadOnly locks block all write operations, including those by Azure services like Backup.
No. Resource locks override RBAC permissions. Even an Owner cannot delete a resource with a CanNotDelete lock. You must first remove the lock. This is a key exam point: locks are a separate layer of protection above RBAC.
No, tags are not inherited by default. If you tag a resource group, the resources inside it do not automatically get those tags. You must use Azure Policy or custom scripts to propagate tags. This is a common misconception tested on the exam.
The storage account becomes read-only. Users can read data but cannot modify or delete the account or its data. However, note that ReadOnly locks may affect Azure Backup and other services that need to write to the storage account. For example, backup jobs might fail because they cannot write to the vault.
Each Azure resource can have up to 50 tag name-value pairs. This is a hard limit. If you need more, consider using a different metadata strategy or combining tags.
No. Tags are metadata only and do not affect access control. Access is controlled by Azure RBAC. Tags are used for organization, cost management, and automation. Do not confuse tags with locks or RBAC.
Resource locks can be applied at the subscription, resource group, or individual resource level. Locks are inherited by child resources. For example, a lock on a resource group applies to all resources in that group. A lock on a subscription applies to all resource groups and resources within that subscription.
You've just covered Azure Resource Locks and Tags — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?