What Are the Differences Between CanNotDelete and ReadOnly Azure Resource Locks?
Prepare for your AZ-500 exam by learning the two types of Azure resource locks: CanNotDelete and ReadOnly. Understand how these locks protect critical Azure resources from accidental deletion or modification and what actions each lock level permits.
Question
The following are the available types of Azure resource locks: (choose the best answer)
A. CanNotDelete, ReadOnly
B. CanNotDelete, ReadOnly, NoAccess
C. CanNotDelete, NoAccess
D. CanNotDelete
Answer
A. CanNotDelete, ReadOnly
Explanation
The correct answer is A. Azure provides two types of resource locks, CanNotDelete and ReadOnly, to prevent accidental deletion or modification of critical resources.
CanNotDelete Lock
A CanNotDelete lock means that authorized users can still read and modify a resource, but they cannot delete it. This is the most common lock type, used to protect essential resources like production virtual machines or databases from accidental removal. While the resource itself cannot be deleted, its configuration and data can be changed by users who have the necessary permissions through Azure Role-Based Access Control (RBAC).
ReadOnly Lock
The ReadOnly lock is more restrictive. When applied, it prevents authorized users from deleting or modifying a resource. Users can only read the resource’s state and configuration. This lock level is effectively the same as applying an RBAC Reader role to all users for that specific resource. It is used for resources that should not be altered under any circumstances once deployed, such as a finalized network security group or a critical piece of infrastructure.
Lock Scope and Inheritance
Resource locks can be applied at different scopes: subscription, resource group, or individual resource. Locks applied at a parent scope are inherited by all child resources. For example, a ReadOnly lock placed on a resource group will make all resources within that group read-only.
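The inheritance rule above can be checked against an inventory with a small model. This is an added example, not Azure's own code: the subscription ID, resource names and lock list are constructed, and it assumes Azure's documented rule that the most restrictive lock in the inheritance chain takes precedence.

```python
from __future__ import annotations

# Operations each lock level blocks, as described in the explanation above.
BLOCKED = {"CanNotDelete": {"delete"}, "ReadOnly": {"write", "delete"}}
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive

# Constructed sample data; the subscription ID and resource names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NSG = f"{SUB}/resourceGroups/rg-network/providers/Microsoft.Network/networkSecurityGroups/nsg-edge"
VM = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-prod"
VM2 = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-prod2"
RESOURCES = [NSG, VM, VM2]
LOCKS = [
    {"level": "ReadOnly", "scope": f"{SUB}/resourceGroups/rg-network"},  # resource group scope
    {"level": "CanNotDelete", "scope": VM},                              # single resource scope
]


def _segments(scope: str) -> list[str]:
    # Compare case-insensitively, segment by segment, so "vm-prod" never matches "vm-prod2".
    return [s.lower() for s in scope.strip("/").split("/")]


def applies(lock_scope: str, resource_id: str) -> bool:
    """A lock covers its own scope and is inherited by every child beneath it."""
    lock, res = _segments(lock_scope), _segments(resource_id)
    return res[: len(lock)] == lock


def effective_lock(locks: list[dict], resource_id: str) -> str | None:
    """Most restrictive level among the locks at or above the resource, or None."""
    levels = [l["level"] for l in locks if applies(l["scope"], resource_id)]
    return max(levels, key=RANK.__getitem__, default=None)


def is_blocked(locks: list[dict], resource_id: str, operation: str) -> bool:
    """True if the effective lock stops 'read', 'write' or 'delete' on the resource."""
    level = effective_lock(locks, resource_id)
    return level is not None and operation in BLOCKED[level]


def unprotected(locks: list[dict], resource_ids: list[str]) -> list[str]:
    """Resources with no lock at any scope, i.e. deletable by anyone RBAC allows."""
    return [r for r in resource_ids if effective_lock(locks, r) is None]


if __name__ == "__main__":
    for rid in RESOURCES:
        print(rid.rsplit("/", 1)[-1], "->", effective_lock(LOCKS, rid))
```

Running `unprotected` over a list of production resource IDs gives a quick audit of critical resources that no lock covers at any scope.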
Why Other Options Are Incorrect
The option NoAccess is not a valid resource lock type in Azure. Access control—determining who can see or interact with a resource at all—is managed exclusively through Azure RBAC roles. Resource locks apply to all users, regardless of their RBAC role, to prevent accidental actions. Because NoAccess is not a valid lock, options B and C are incorrect. Option D is incorrect because it is incomplete, as it only lists one of the two available lock types.