Create Azure resource locks
- Management locks help you prevent accidental deletion or modification of your Azure resources
- You can manage these locks from within the Azure portal
- To view, add, or delete locks, go to the RESOURCE MANAGEMENT section of any resource's settings blade
- When you apply a lock at a parent scope, all resources within that scope inherit the same lock
Configure resource-level access policies
- Azure Policy is a service in Azure that you use to create, assign, and manage policies
- Unlike RBAC, Azure Policy is a default allow and explicit deny system
- Azure Policy has several permissions, known as operations, in two resource providers:
- Microsoft.Authorization
- Microsoft.PolicyInsights
- Several built-in roles grant permission to Azure Policy resources
- If none of the built-in roles have the required permissions, you can create a custom role
Configure subscription-level policies in Azure Policy
- An Azure subscription is a logical unit of Azure services that is linked to an Azure account
- Azure management groups provide a level of scope above subscriptions
- Management groups enable:
- Organizational alignment for your Azure subscriptions through custom hierarchies and grouping
- Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies
- Compliance and cost reporting by organization (business/teams)
- All subscriptions within a management group automatically inherit the conditions applied to the management group
Oldest comments (1)