LinuxCommandLibrary

az-lock

Manage Azure resource locks

TLDR

Create a read-only subscription level lock

$ az lock create [[-n|--name]] [lock_name] [[-t|--lock-type]] ReadOnly

Create a read-only resource group level lock
$ az lock create [[-n|--name]] [lock_name] [[-g|--resource-group]] [group_name] [[-t|--lock-type]] ReadOnly

Delete a subscription level lock
$ az lock delete [[-n|--name]] [lock_name]

Delete a resource group level lock
$ az lock delete [[-n|--name]] [lock_name] [[-g|--resource-group]] [group_name]

List out all locks on the subscription level
$ az lock list

Show a subscription level lock with a specific name
$ az lock show [[-n|--name]] [lock_name]

SYNOPSIS

az lock <create|delete|list|show|update> [options]

PARAMETERS

--debug
    Increase logging verbosity to show all debug logs.

--help -h
    Show this help message and exit.

--only-show-errors
    Only show errors, suppressing warnings.

--output -o
    Output format (json|jsonc|table|tsv|yaml|yamlc).

--query
    JMESPath query string for output filtering.

--subscription
    Name or ID of Azure subscription.

--verbose
    Increase logging verbosity (use --debug for full logs).

--ids
    Space-delimited resource IDs (for delete/list operations).

--lock-type
    Lock type for create/update: CanNotDelete or ReadOnly.

--name -n
    Name of the management lock.

--notes
    Notes/description for the lock.

--parent
    Parent resource ID for nested resources.

--resource
    Full Azure resource ID for the lock target.

--resource-group -g
    Name or ID of the resource group.

--resource-type
    Provider namespace + resource type (e.g., Microsoft.Storage/storageAccounts).

--scope
    Subscription, RG, or resource scope for the lock.

DESCRIPTION

The az lock command, part of the Azure Command-Line Interface (CLI), enables creation, deletion, listing, viewing, and updating of management locks on Azure resources. Locks safeguard critical infrastructure by restricting operations: CanNotDelete prevents deletion while allowing modifications, and ReadOnly blocks both reads and writes to enforce protection.

Locks apply at various scopes (subscription, resource group, or individual resource) and inherit down the hierarchy. This is vital for compliance, production stability, and preventing accidental changes during deployments. For instance, apply a lock via az lock create --name ProdLock --lock-type ReadOnly --resource-group myProductionRG, or target a specific VM with --resource /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vm}.

The command integrates with Azure Resource Manager (ARM), supports querying its JSON output with --query for automation, and works cross-platform on Linux, macOS, and Windows. It requires authentication via az login. It is suited to CI/CD pipelines, Terraform safeguards, and governance policies. Usage examples include scripting bulk operations with --ids or filtering lists with --query. Note that role-based access control (RBAC) permissions like Microsoft.Authorization/locks/* are needed.

CAVEATS

Requires Azure CLI 2.0+ and az login. Needs RBAC permissions (e.g., Owner role). Locks block operations for all users without Owner/Microsoft.Authorization/locks/* permissions. Not for local filesystems—Azure RM only. Inherited locks combine restrictively.
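
The scope inheritance and "combine restrictively" behaviour described above, as an added Python example (not part of the Azure CLI or the original page): it takes lock records shaped like az lock list -o json output and computes the most restrictive lock that applies to each resource ID. The subscription ID, resource names and lock names are constructed sample values, and only the id and level fields of each record are used.

```python
# Audit helper: which lock (if any) effectively protects a resource?
LOCK_MARKER = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive

def lock_scope(lock_id):
    """Scope a lock is attached to: its ID up to the locks provider segment."""
    lowered = lock_id.lower()  # Azure resource IDs are case-insensitive
    return lowered[: lowered.rindex(LOCK_MARKER)]

def effective_lock(resource_id, locks):
    """Most restrictive lock level applying to resource_id, or None."""
    target = resource_id.lower().rstrip("/")
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # A lock applies to its own scope and to everything beneath it.
        # Compare on a path-segment boundary so prod-rg != prod-rg-2.
        if target == scope or target.startswith(scope + "/"):
            if best is None or RANK[lock["level"]] > RANK[best]:
                best = lock["level"]
    return best

def unprotected(resource_ids, locks):
    """Resource IDs that no lock at any parent scope covers."""
    return [r for r in resource_ids if effective_lock(r, locks) is None]

# Constructed sample data (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/vm1"
LOCKS = [
    {"name": "CriticalLock", "level": "CanNotDelete",
     "id": SUB + "/resourceGroups/prod-rg/providers/Microsoft.Authorization/locks/CriticalLock"},
    {"name": "VmFreeze", "level": "ReadOnly",
     "id": VM + "/providers/Microsoft.Authorization/locks/VmFreeze"},
]
RESOURCES = [
    VM,
    SUB + "/resourceGroups/PROD-RG/providers/Microsoft.Storage/storageAccounts/logs",
    SUB + "/resourceGroups/prod-rg-2/providers/Microsoft.Storage/storageAccounts/tmp",
]

if __name__ == "__main__":
    for rid in RESOURCES:
        print(effective_lock(rid, LOCKS) or "UNLOCKED", rid)
```
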

SUBCOMMANDS

create: Create new lock.
delete: Remove lock by name/IDs.
list: List locks at scope.
show: Display lock details.
update: Modify lock name/notes/type.

EXAMPLE

az lock create --name CriticalLock --lock-type CanNotDelete --resource-group prod-rg
List: az lock list --resource-group prod-rg

HISTORY

Introduced in Azure CLI 2.0.28 (2018) as part of Resource Manager enhancements. Evolved with CLI v2.x for better scripting and ARM integration. Actively maintained by Microsoft for Azure governance.

SEE ALSO

az account(1), az group(1), az resource(1)
