Create resource lock for a Azure Cosmos DB Table API table using Azure CLI

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. Example of Try It for Azure Cloud Shell
Go to, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Launch Cloud Shell in a new window
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Cloud Shell button in the Azure portal

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

If you choose to install and use the CLI locally, this topic requires that you are running the Azure CLI version 2.9.1 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.


Resource locks do not work for changes made by users connecting Cosmos DB Table SDK, Azure Storage Table SDK, any tools that connect via account keys, or the Azure Portal unless the Cosmos DB account is first locked with the disableKeyBasedMetadataWriteAccess property enabled. To learn more about how to enable this property see, Preventing changes from SDKs.

Sample script

# Reference: az cosmosdb |
# --------------------------------------------------
# Resource lock operations for a Table API table


lockType='CanNotDelete' # CanNotDelete or ReadOnly

# Create a delete lock on table
az lock create --name $tableLockName \
    --resource-group $resourceGroupName \
    --resource-type $tableResourceType \
    --lock-type $lockType \
    --parent $tableParent \
    --resource $tableName

# List all locks on a Cosmos account
az lock list --resource-group $resourceGroupName \
    --resource-name $accountName \
    --namespace Microsoft.DocumentDB \
    --resource-type databaseAccounts

# Delete lock on table
lockid=$(az lock show --name $tableLockName \
        --resource-group $resourceGroupName \
        --resource-type $tableResourceType \
        --resource $tableName --parent $tableParent \
        --output tsv --query id)
az lock delete --ids $lockid

Script explanation

This script uses the following commands. Each command in the table links to command specific documentation.

Command Notes
az lock create Creates a lock.
az lock list List lock information.
az lock show Show properties of a lock.
az lock delete Deletes a lock.

Next steps

-Lock resources to prevent unexpected changes

-Azure Cosmos DB CLI documentation.

-Azure Cosmos DB CLI GitHub Repository.