Cyber Intelligence
Azure Management and Governance · 30-35% of exam

L15. Resource Tags, Locks, and Organizational Controls

Resource tags and locks are essential governance tools tested on AZ-900. Tags organize resources for cost tracking and automation; locks prevent accidental deletion or modification.

Resource Tags

Resource tags are name-value pairs you attach to Azure resources for organization, cost tracking, and automation. Examples:

  • Environment: Production
  • Department: Finance
  • Project: MigrationQ3
  • Owner: team@company.com
Key facts for AZ-900:
  • Tags are not inherited: a tag on a resource group does not automatically apply to resources inside it
  • You can apply up to 50 tags per resource
  • Tags can be enforced via Azure Policy (e.g., require "Department" tag on all VMs)
  • Tags appear in cost reports, enabling cost breakdown by team or project
Use tags for: cost allocation, automation targeting, compliance filtering, resource inventory.

Resource Locks

Resource locks prevent accidental deletion or modification of critical Azure resources, regardless of RBAC permissions. Two lock types:

| Lock Type    | Prevents Deletion | Prevents Modification |
|--------------|-------------------|-----------------------|
| CanNotDelete | Yes               | No                    |
| ReadOnly     | Yes               | Yes                   |

Key facts:
  • Locks can be applied at subscription, resource group, or resource level
  • Locks cascade: a lock on a resource group applies to all resources inside it
  • Locks override RBAC: even an Owner cannot delete a locked resource without first removing the lock
  • Locks must be removed before you can delete or modify the locked resource
Use CanNotDelete for production databases, key vaults, and networking resources that must stay modifiable but must not be deleted. Use ReadOnly for resources where any change would be disruptive (e.g., a production configuration that must not change).
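
The inheritance rules from the Resource Tags and Resource Locks sections, as an added example that is not part of the original lesson: a small Python model over a constructed inventory, showing that locks cascade down the scope hierarchy while tags do not. The resource IDs, tag values and function names are assumptions made for illustration; the rule that the most restrictive lock in scope wins is Azure behaviour the lesson does not spell out.

```python
# Added example: models the lesson's tag and lock rules over constructed data.
# Every ID, name and value below is made up for illustration.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-finance"
VM1 = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = RG + "/providers/Microsoft.Compute/virtualMachines/vm2"
KV = RG + "/providers/Microsoft.KeyVault/vaults/kv-prod"

# Constructed inventory: scope ID -> tags set directly on that scope.
TAGS = {
    RG: {"Department": "Finance"},
    VM1: {},                              # relies on the group's tag (wrongly)
    VM2: {"Department": "Finance"},
    KV: {"Department": "Finance"},
}

# Constructed locks: (scope the lock is applied at, lock type).
LOCKS = [(RG, "CanNotDelete"), (KV, "ReadOnly")]

def in_scope(resource_id, scope):
    """True if resource_id is the scope itself or a child of it."""
    r, s = resource_id.lower(), scope.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def effective_lock(resource_id, locks=LOCKS):
    """Locks cascade downward; the most restrictive lock in scope wins."""
    levels = {lvl for scope, lvl in locks if in_scope(resource_id, scope)}
    if "ReadOnly" in levels:
        return "ReadOnly"
    return "CanNotDelete" if levels else None

def allowed(resource_id, action, locks=LOCKS):
    """action is 'modify' or 'delete'. The caller's RBAC role is deliberately
    not an input: a lock blocks the operation whatever role is held."""
    lock = effective_lock(resource_id, locks)
    if lock == "ReadOnly":
        return False
    if lock == "CanNotDelete":
        return action != "delete"
    return True

def missing_tag(tag, tags=TAGS):
    """Tags are not inherited, so only tags set on the resource itself count."""
    return sorted(rid for rid, t in tags.items()
                  if "/providers/" in rid and tag not in t)
```
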

Moving Resources

You can move resources between resource groups or subscriptions, but some services have restrictions. After moving:

  • The resource's resource ID changes
  • The resource group association changes
  • Tags and locks move with the resource

Cloud Shell and Azure Portal Tools

  • Azure Cloud Shell: browser-based Bash or PowerShell shell for managing Azure without installing tools locally
  • Azure PowerShell: cross-platform module for managing Azure from PowerShell
  • Azure CLI: cross-platform command-line tool for managing Azure from Bash or any shell
  • Azure Mobile App: monitor and manage resources from iOS or Android
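
| Tool              | Purpose                                       | Best For                          |
|-------------------|-----------------------------------------------|-----------------------------------|
| Tags              | Metadata for organization and cost allocation | Billing, automation, filtering    |
| CanNotDelete lock | Prevent deletion only                         | Resources that need modification  |
| ReadOnly lock     | Prevent all changes                           | Configuration-sensitive resources |
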
Exam tip: Locks override RBAC permissions. Even the subscription Owner cannot delete a locked resource without removing the lock first.

Exam Focus Points
  • Resource tags are name-value pairs for organization and cost allocation; up to 50 per resource
  • Tags are NOT inherited: a tag on a resource group does not automatically apply to resources inside it
  • CanNotDelete lock prevents deletion but allows modification; ReadOnly lock prevents both
  • Locks override RBAC: an Owner cannot delete a locked resource without removing the lock first
  • Locks cascade: a lock on a resource group applies to all child resources within it
Knowledge Check

1. A company applies a "Department: Finance" tag to a resource group containing 10 VMs. Which VMs automatically have this tag?

2. A security team wants to ensure a production Azure Key Vault cannot be deleted accidentally, but administrators must still be able to update secrets in it. Which lock type should be applied?
