From the new Azure Portal, I selected a virtual machine and then I am able to create multiple resource locks of type Delete.
How do these multiple resource locks of the same type work/help, when all of these locks do the same thing?
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource. For more information, please refer to this link.
How do these multiple resource locks of the same type work/help, when all of these locks do the same thing?
You could create VMs in the same group and lock the resource group.
We are using a StorageClass in Kubernetes to dynamically provision Azure file shares with PVC claims (https://learn.microsoft.com/en-us/azure/aks/azure-files-dynamic-pv?source=recommendations).
We use a Recovery Services vault to back up these file shares (https://learn.microsoft.com/en-us/azure/backup/azure-file-share-backup-overview?WT.mc_id=Portal-Microsoft_Azure_Support#key-benefits-of-azure-file-share-backup).
Azure Backup locks the storage account associated with the file shares against deletion at resource group scope. The lock is called "AzureBackupProtectionLock" and it protects storage accounts registered with a Recovery Services vault to guard against deletion of backups.
That seems fair; however, this lock at resource group scope is blocking us from upgrading the AKS version. The screenshot with the error is attached.
Any idea how to prevent this behaviour? Thanks :)
This error may occur if your resource group lock was applied as read-only access. When a resource is marked as read-only, it can only be accessed; it cannot be updated or deleted. By implementing this lock, all authorized users will only be granted the privileges offered by the Reader role.
Please check these considerations before applying your locks. To resolve this issue, make sure to delete your locks in your resource group as below:
Go to the Azure portal -> your resource group -> under Settings, Locks -> delete
You need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* operations in order to add or remove management locks. Only Owner and User Access Administrator have access to those activities among the built-in roles.
Reference: Lock your resources to protect your infrastructure
I have a client that can only give me full access to one or two resource groups.
I need to deliver some prescripted terraform resources that contain the need for a service principal.
Can you lock an SP to a resource group? The subscription itself is a production subscription, so they want to know if you can tie it down using role-based access to just that group.
Or should I be creating an MI account?
Can you lock an SP to a resource group?
You most certainly can. Azure role-based access control is very granular and you can apply access control at any level (management group, subscription, resource group or even an individual resource).
Please see this for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps.
I saw that it's possible in Azure to move resources from one subscription to another (for example, DataFactory V2, KV, SA, Az Functions).
What happens to the roles? For example, a group with various members had permissions added on resources before moving them. Do we need to add them again since the resource ID changes?
You need to assign the roles again; if you move the resource to another subscription, the roles added in Access control (IAM) will not exist anymore.
Did a test for you:
I want to move an Azure resource group from one Azure account to another Azure account. Can anyone help me with how to move this to the other account?
If my understanding of your question is correct, you're intending to move a resource group from one account/subscription to another Azure subscription/owner. If this is the case, you can move resources from a source group to a target group in a different subscription.
There are some important steps to do before moving a resource. By verifying these conditions, you can avoid errors. Currently, not all resources in Azure support move. For a list of resources that support move, see Move operation support for resources.
Kindly verify and validate the move as outlined in this document (https://learn.microsoft.com/azure/azure-resource-manager/management/move-resource-group-and-subscription#validate-move) before initiating the move process.
Note: Moving a resource only moves it to a new resource group or subscription. It doesn't change the location of the resource.
I have applied a deletion lock at my subscription level so that all the resources get the lock. While revoking access from virtual machines, the Azure deletion lock is preventing the IAM role deletion. Is there any way to fix it?
The only way to fix it: remove the lock, delete the assignment, re-establish the lock. An assignment is really just another resource in the ARM model. Nothing you can do about it.
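The three lock questions above (several Delete locks on one VM, the resource-group lock that blocks an AKS upgrade, and the subscription-level lock that blocks deleting a role assignment) all follow from the same rules: a lock applies to its own scope and to everything beneath it, the most restrictive lock wins, and a role assignment is itself a resource under that scope. This added example (not code from any of the answers) models those rules over a constructed sample shaped like `az lock list -o json` output; the subscription, resource group and lock names are made up.

```python
"""Model of how Azure management locks inherit down the scope hierarchy.

Added example. Assumes the JSON shape `az lock list` returns (id, name, level);
every ID below is a constructed sample value.
"""
import json

# Constructed sample of `az lock list -o json` for one subscription.
SAMPLE_LOCKS = json.loads("""[
 {"id": "/subscriptions/0000/providers/Microsoft.Authorization/locks/sub-no-delete",
  "name": "sub-no-delete", "level": "CanNotDelete"},
 {"id": "/subscriptions/0000/resourceGroups/aks-rg/providers/Microsoft.Authorization/locks/AzureBackupProtectionLock",
  "name": "AzureBackupProtectionLock", "level": "CanNotDelete"},
 {"id": "/subscriptions/0000/resourceGroups/aks-rg/providers/Microsoft.Authorization/locks/rg-readonly",
  "name": "rg-readonly", "level": "ReadOnly"},
 {"id": "/subscriptions/0000/resourceGroups/vm-rg/providers/Microsoft.Compute/virtualMachines/vm1/providers/Microsoft.Authorization/locks/delete-1",
  "name": "delete-1", "level": "CanNotDelete"},
 {"id": "/subscriptions/0000/resourceGroups/vm-rg/providers/Microsoft.Compute/virtualMachines/vm1/providers/Microsoft.Authorization/locks/delete-2",
  "name": "delete-2", "level": "CanNotDelete"}
]""")

LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"
# Operations each lock level blocks (ReadOnly also blocks updates).
BLOCKS = {"CanNotDelete": {"delete"}, "ReadOnly": {"delete", "update"}}


def lock_scope(lock_id):
    """Scope the lock is attached to: the ID before the locks provider segment."""
    return lock_id[: lock_id.lower().rfind(LOCK_SEGMENT)]


def in_scope(scope, resource_id):
    """True if resource_id is the scope itself or any resource beneath it."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def blocking_locks(locks, resource_id, operation):
    """Names of locks (own or inherited) that block 'update' or 'delete' here."""
    return sorted(l["name"] for l in locks
                  if in_scope(lock_scope(l["id"]), resource_id)
                  and operation in BLOCKS[l["level"]])


def effective_level(locks, resource_id):
    """Most restrictive applicable level, or None when nothing applies."""
    levels = {l["level"] for l in locks if in_scope(lock_scope(l["id"]), resource_id)}
    for level in ("ReadOnly", "CanNotDelete"):
        if level in levels:
            return level
    return None
```

Running `blocking_locks` for a delete on `vm1` lists both Delete locks plus the inherited subscription lock, which is why a second lock of the same level adds nothing; the same check on a role assignment under a locked scope explains why the assignment cannot be removed until the lock is.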