L15. Resource Tags, Locks, and Organizational Controls
Resource tags and locks are essential governance tools tested on AZ-900. Tags organize resources for cost tracking and automation; locks prevent accidental deletion or modification.
Resource Tags
Resource tags are name-value pairs you attach to Azure resources for organization, cost tracking, and automation. Examples:
- Environment: Production
- Department: Finance
- Project: MigrationQ3
- Owner: team@company.com
Key facts about tags:
- Tags are not inherited: a tag on a resource group does not automatically apply to resources inside it
- You can apply up to 50 tags per resource
- Tags can be enforced via Azure Policy (e.g., require "Department" tag on all VMs)
- Tags appear in cost reports, enabling cost breakdown by team or project
Resource Locks
Resource locks prevent accidental deletion or modification of critical Azure resources, regardless of RBAC permissions. Two lock types:
| Lock Type | Prevents Deletion | Prevents Modification |
|---|---|---|
| CanNotDelete | Yes | No |
| ReadOnly | Yes | Yes |
- Locks can be applied at subscription, resource group, or resource level
- Locks cascade: a lock on a resource group applies to all resources inside it
- Locks override RBAC: even an Owner cannot delete a locked resource without first removing the lock
- Locks must be removed before you can delete or modify the locked resource
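The tag and lock rules above can be checked against an exported inventory. The following Python is an added example, not part of the original lesson: the resource IDs, field names (`scope`, `level`, `tags`) and sample data are constructed assumptions, and the "most restrictive lock wins" rule comes from Azure's lock documentation rather than this page.

```python
# Constructed sample data (not real Azure output); field names are assumptions of this example.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-finance"
RG_TAGS = {RG: {"Department": "Finance"}}  # tag set on the resource group only
RESOURCES = [
    {"id": RG + "/providers/Microsoft.Compute/virtualMachines/vm-01", "tags": {}},
    {"id": RG + "/providers/Microsoft.Compute/virtualMachines/vm-02",
     "tags": {"Department": "Finance"}},
    {"id": SUB + "/resourceGroups/rg-finance2/providers/Microsoft.Storage/storageAccounts/stlogs",
     "tags": {"Environment": "Production"}},
]
LOCKS = [
    {"scope": RG, "level": "CanNotDelete"},
    {"scope": RESOURCES[1]["id"], "level": "ReadOnly"},
]
RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive


def missing_tag(resources, rg_tags, key):
    """Return {resource id: value on its resource group, or None} for resources lacking `key`.

    Tags are not inherited, so only the resource's own tags count.
    """
    report = {}
    for res in resources:
        if key not in res["tags"]:
            group_id = res["id"].split("/providers/")[0]
            report[res["id"]] = rg_tags.get(group_id, {}).get(key)
    return report


def effective_lock(resource_id, locks):
    """Locks cascade: any lock at the resource or a parent scope applies; strictest wins."""
    rid, level = resource_id.lower(), None
    for lock in locks:
        scope = lock["scope"].lower()
        # Match whole path segments so rg-finance does not cover rg-finance2.
        if rid == scope or rid.startswith(scope + "/"):
            if RANK[lock["level"]] > RANK[level]:
                level = lock["level"]
    return level


def is_blocked(operation, lock_level):
    """Locks apply regardless of RBAC role, so no role is consulted here."""
    if operation == "delete":
        return lock_level in ("CanNotDelete", "ReadOnly")
    return operation == "modify" and lock_level == "ReadOnly"
```

The report from `missing_tag` lists resources that a "require tag" Azure Policy would flag, along with the resource group value that could be used to backfill them.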
Moving Resources
You can move resources between resource groups or subscriptions, but some services have restrictions. After moving:
- The resource's resource ID changes
- The resource group association changes
- Tags and locks move with the resource
Cloud Shell and Azure Portal Tools
- Azure Cloud Shell: browser-based Bash or PowerShell shell for managing Azure without installing tools locally
- Azure PowerShell: cross-platform module for managing Azure from PowerShell
- Azure CLI: cross-platform command-line tool for managing Azure from Bash or any shell
- Azure Mobile App: monitor and manage resources from iOS or Android
| Tool | Purpose | Best For |
|---|---|---|
| Tags | Metadata for organization and cost allocation | Billing, automation, filtering |
| CanNotDelete lock | Prevent deletion only | Resources that need modification |
| ReadOnly lock | Prevent all changes | Configuration-sensitive resources |
- ✓ Resource tags are name-value pairs for organization and cost allocation; up to 50 per resource
- ✓ Tags are NOT inherited: a tag on a resource group does not automatically apply to resources inside it
- ✓ CanNotDelete lock prevents deletion but allows modification; ReadOnly lock prevents both
- ✓ Locks override RBAC: an Owner cannot delete a locked resource without removing the lock first
- ✓ Locks cascade: a lock on a resource group applies to all child resources within it
1. A company applies a "Department: Finance" tag to a resource group containing 10 VMs. Which VMs automatically have this tag?
2. A security team wants to ensure a production Azure Key Vault cannot be deleted accidentally, but administrators must still be able to update secrets in it. Which lock type should be applied?