Lock resources to prevent unexpected changes

As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

How locks are applied

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure Role-based Access Control.

Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.azure.com. The locks don't restrict how resources perform their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on a SQL Database prevents you from deleting or modifying the database. It doesn't prevent you from creating, updating, or deleting data in the database. Data transactions are permitted because those operations aren't sent to https://management.azure.com.

Applying ReadOnly can lead to unexpected results because some operations that don't seem to modify the resource actually require actions that are blocked by the lock. The ReadOnly lock can be applied to the resource or to the resource group containing the resource. Some common examples of operations that are blocked by a ReadOnly lock are:

  • A ReadOnly lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys can be used for write operations.

  • A ReadOnly lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.

  • A ReadOnly lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. These operations require a POST request.
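The rules above (inheritance down the scope hierarchy, most restrictive lock wins, ReadOnly also rejecting POST actions, and nothing outside https://management.azure.com being affected) are small enough to model. The following is an added example, not Microsoft's code or the Resource Manager implementation: it lets you evaluate a planned set of locks against the management-plane calls your tooling makes before anything is deployed. All scopes, resource names and the zero subscription ID are constructed placeholders.

```python
"""Offline model of how Resource Manager locks are evaluated.

Added example, not Microsoft's code or the ARM implementation. Encodes the
rules stated on this page: locks inherit down the scope hierarchy, the most
restrictive lock wins, ReadOnly also blocks POST actions, and only calls to
management.azure.com are affected. All scopes and IDs are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

MANAGEMENT_HOST = "management.azure.com"
# Higher rank = more restrictive; used when several locks apply to one resource.
LEVEL_RANK = {"CanNotDelete": 1, "ReadOnly": 2}


@dataclass(frozen=True)
class Lock:
    scope: str   # subscription, resource group or resource ID the lock sits on
    level: str   # "CanNotDelete" or "ReadOnly"
    name: str


def _norm(path: str) -> str:
    # ARM resource IDs are case-insensitive; ignore a trailing slash too.
    return path.rstrip("/").lower()


def effective_lock(resource_id: str, locks: list[Lock]) -> Optional[Lock]:
    """Most restrictive lock that applies to resource_id, or None.

    A lock applies when its scope is the resource itself or a parent scope
    (resource group or subscription). For hierarchical ARM IDs that is a
    segment-aligned prefix match; the '/' guard stops 'rg' matching 'rg2'.
    """
    rid = _norm(resource_id)
    applicable = [l for l in locks
                  if rid == _norm(l.scope) or rid.startswith(_norm(l.scope) + "/")]
    if not applicable:
        return None
    return max(applicable, key=lambda l: LEVEL_RANK[l.level])


def is_blocked(method: str, url: str, locks: list[Lock]) -> bool:
    """Decide whether one HTTP request is rejected by the effective lock.

    Only management-plane calls are evaluated; a data-plane call (a blob write
    to *.blob.core.windows.net, a SQL query) is never blocked. GET is never
    blocked. CanNotDelete blocks DELETE only. ReadOnly blocks every other
    method, which is why POST actions such as listKeys or a VM start fail.
    """
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() != MANAGEMENT_HOST:
        return False
    method = method.upper()
    lock = effective_lock(parsed.path, locks)
    if lock is None or method == "GET":
        return False
    if lock.level == "CanNotDelete":
        return method == "DELETE"
    return True  # ReadOnly


# Constructed sample scopes, mirroring the names used elsewhere on this page.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/exampleresourcegroup"
SITE = RG + "/providers/Microsoft.Web/sites/examplesite"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/examplestorage"
OTHER_SITE = SUB + "/resourceGroups/otherrg/providers/Microsoft.Web/sites/othersite"

SAMPLE_LOCKS = [
    Lock(RG, "CanNotDelete", "LockGroup"),     # inherited by everything in the group
    Lock(STORAGE, "ReadOnly", "LockStorage"),  # tighter lock directly on one resource
]


def mgmt(path: str) -> str:
    """Management-plane URL for a resource ID or action path."""
    return f"https://{MANAGEMENT_HOST}{path}?api-version=2016-09-01"


if __name__ == "__main__":
    checks = [
        ("DELETE", mgmt(SITE)),                 # blocked: inherited CanNotDelete
        ("PUT", mgmt(SITE)),                    # allowed: CanNotDelete permits modify
        ("POST", mgmt(STORAGE + "/listKeys")),  # blocked: ReadOnly rejects POST
        ("GET", mgmt(STORAGE)),                 # allowed
        ("DELETE", mgmt(OTHER_SITE)),           # allowed: different resource group
        ("PUT", "https://examplestorage.blob.core.windows.net/c/blob"),  # data plane
    ]
    for m, u in checks:
        print(f"{m:6} {u} -> {'BLOCKED' if is_blocked(m, u, SAMPLE_LOCKS) else 'allowed'}")
```

The storage account case shows why the page warns about ReadOnly: the resource group's CanNotDelete alone would have let listKeys through, but the tighter lock on the account wins and the POST is refused, even though nothing about the account is being changed.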

Who can create or delete locks

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions. Because anyone with those actions can also remove a lock, a lock protects against accidental changes; it is not a control against a user who already holds those rights.

Managed Applications and locks

Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case, the service creates two resource groups. One resource group contains an overview of the service and isn't locked. The other resource group contains the infrastructure for the service and is locked.

If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked. If you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be deleted because it's owned by a system application.

Instead, delete the service, which also deletes the infrastructure resource group.

For managed applications, select the service you deployed.

(Screenshot: the selected service)

Notice the service includes a link for a Managed Resource Group. That resource group holds the infrastructure and is locked. It can't be directly deleted.

(Screenshot: the Managed Resource Group link)

To delete everything for the service, including the locked infrastructure resource group, select Delete for the service.

(Screenshot: Delete on the service)

Portal

  1. In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.

    (Screenshot: Locks in the Settings blade)

  2. To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently selected resource inherits the lock from the parent. For example, you could lock the resource group to apply a lock to all its resources.

    (Screenshot: Add lock)

  3. Give the lock a name and lock level. Optionally, you can add notes that describe the lock.

    (Screenshot: lock name, level and notes)

  4. To delete the lock, select the ellipsis and Delete from the available options.

    (Screenshot: Delete lock)

Template

When you deploy a lock with a Resource Manager template, the values you use for the name and type depend on the scope of the lock.

When applying a lock to a resource, use the following formats:

  • name - {resourceName}/Microsoft.Authorization/{lockName}
  • type - {resourceProviderNamespace}/{resourceType}/providers/locks

When applying a lock to a resource group or subscription, use the following formats:

  • name - {lockName}
  • type - Microsoft.Authorization/locks

The following example shows a template that creates an App Service plan, a web site, and a lock on the web site. The resource type of the lock is the resource type of the locked resource followed by /providers/locks. The name of the lock is the resource name, followed by /Microsoft.Authorization/ and the name of the lock.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "hostingPlanName": {
            "type": "string"
        }
    },
    "variables": {
        "siteName": "[concat('ExampleSite', uniqueString(resourceGroup().id))]"
    },
    "resources": [
        {
            "apiVersion": "2016-09-01",
            "type": "Microsoft.Web/serverfarms",
            "name": "[parameters('hostingPlanName')]",
            "location": "[resourceGroup().location]",
            "sku": {
                "tier": "Free",
                "name": "f1",
                "capacity": 0
            },
            "properties": {
                "targetWorkerCount": 1
            }
        },
        {
            "apiVersion": "2016-08-01",
            "name": "[variables('siteName')]",
            "type": "Microsoft.Web/sites",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
            ],
            "properties": {
                "serverFarmId": "[parameters('hostingPlanName')]"
            }
        },
        {
            "type": "Microsoft.Web/sites/providers/locks",
            "apiVersion": "2016-09-01",
            "name": "[concat(variables('siteName'), '/Microsoft.Authorization/siteLock')]",
            "dependsOn": [
                "[resourceId('Microsoft.Web/sites', variables('siteName'))]"
            ],
            "properties": {
                "level": "CanNotDelete",
                "notes": "Site should not be deleted."
            }
        }
    ]
}

For an example of setting a lock on a resource group, see Create a resource group and lock it.

PowerShell

You lock deployed resources with Azure PowerShell by using the New-AzResourceLock command.

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To lock a resource group, provide the name of the resource group.

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleresourcegroup

To get information about a lock, use Get-AzResourceLock. To get all the locks in your subscription, use:

Get-AzResourceLock

To get all locks for a resource, use:

Get-AzResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To get all locks for a resource group, use:

Get-AzResourceLock -ResourceGroupName exampleresourcegroup

To delete a lock, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite -ResourceType Microsoft.Web/sites).LockId
Remove-AzResourceLock -LockId $lockId

Azure CLI

You lock deployed resources with Azure CLI by using the az lock create command.

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

az lock create --name LockSite --lock-type CanNotDelete --resource-group exampleresourcegroup --resource-name examplesite --resource-type Microsoft.Web/sites

To lock a resource group, provide the name of the resource group.

az lock create --name LockGroup --lock-type CanNotDelete --resource-group exampleresourcegroup

To get information about a lock, use az lock list. To get all the locks in your subscription, use:

az lock list

To get all locks for a resource, use:

az lock list --resource-group exampleresourcegroup --resource-name examplesite --namespace Microsoft.Web --resource-type sites --parent ""

To get all locks for a resource group, use:

az lock list --resource-group exampleresourcegroup

To delete a lock, use:

lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup --resource-type Microsoft.Web/sites --resource-name examplesite --output tsv --query id)
az lock delete --ids $lockid

REST API

You can lock deployed resources with the REST API for management locks. The REST API enables you to create and delete locks, and retrieve information about existing locks.

To create a lock, run:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/locks/{lock-name}?api-version={api-version}

The scope could be a subscription, resource group, or resource. The lock-name is whatever you want to call the lock. For api-version, use 2016-09-01.

In the request, include a JSON object that specifies the properties for the lock.

{
  "properties": {
    "level": "CanNotDelete",
    "notes": "Optional text notes."
  }
} 
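The Template section and the REST API section describe the same lock with two different shapes: a template resource whose name and type change with the scope, and a PUT against a scope-prefixed URL. The following is an added example, not Microsoft's code: it builds both forms from one set of inputs, reproduces the concat() construction the page's template uses when the resource name is itself a template expression, and adds a check that a template actually locks every resource it declares. Resource names and the zero subscription ID are constructed placeholders.

```python
"""Build and check management-lock definitions for the scopes this page covers.

Added example, not Microsoft's code. Encodes the name/type rule from the
Template section, the URL shape from the REST API section, and a check for
resources a template declares but never locks. Names below are placeholders.
"""
from __future__ import annotations

import json
import re

API_VERSION = "2016-09-01"
LEVELS = ("CanNotDelete", "ReadOnly")
LOCK_SEGMENT = "/Microsoft.Authorization/"
# A name built the way the page's template builds it:
# [concat(variables('siteName'), '/Microsoft.Authorization/siteLock')]
_CONCAT_NAME = re.compile(r"^\[concat\((.+), '/Microsoft\.Authorization/[^']+'\)\]$")


def _is_expr(value: str) -> bool:
    return value.startswith("[") and value.endswith("]")


def template_lock(lock_name: str, level: str, notes: str = "", *,
                  resource_type: str | None = None,
                  resource_name: str | None = None) -> dict:
    """Template resource for a lock.

    Resource scope: type '{ns}/{type}/providers/locks' and name
    '{resourceName}/Microsoft.Authorization/{lockName}'. A resource name that
    is a template expression must be spliced in with concat(), since an
    expression is only evaluated when the whole string is bracketed.
    Resource-group or subscription scope: type 'Microsoft.Authorization/locks',
    name '{lockName}'.
    """
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    if (resource_type is None) != (resource_name is None):
        raise ValueError("resource_type and resource_name must be given together")
    entry: dict = {"apiVersion": API_VERSION,
                   "properties": {"level": level, "notes": notes}}
    if resource_type is None or resource_name is None:
        entry["type"] = "Microsoft.Authorization/locks"
        entry["name"] = lock_name
        return entry
    entry["type"] = f"{resource_type}/providers/locks"
    if _is_expr(resource_name):
        inner = resource_name[1:-1]
        entry["name"] = f"[concat({inner}, '{LOCK_SEGMENT}{lock_name}')]"
        entry["dependsOn"] = [f"[resourceId('{resource_type}', {inner})]"]
    else:
        entry["name"] = f"{resource_name}{LOCK_SEGMENT}{lock_name}"
        entry["dependsOn"] = [f"[resourceId('{resource_type}', '{resource_name}')]"]
    return entry


def lock_target(entry: dict) -> tuple[str, str]:
    """(target type, target name) protected by a resource-scoped lock entry."""
    target_type = entry["type"][: -len("/providers/locks")]
    m = _CONCAT_NAME.match(entry["name"])
    if m:
        return target_type, f"[{m.group(1)}]"
    return target_type, entry["name"].split(LOCK_SEGMENT, 1)[0]


def unlocked_resources(template: dict) -> list[str]:
    """Names of resources the template declares but does not lock individually.

    A lock inherited from the resource group or subscription is not visible in
    the template, so a non-empty result is a prompt to check, not proof.
    """
    resources = template.get("resources", [])
    locked = {lock_target(r) for r in resources if r["type"].endswith("/providers/locks")}
    return [r["name"] for r in resources
            if r["type"] != "Microsoft.Authorization/locks"
            and not r["type"].endswith("/providers/locks")
            and (r["type"], r["name"]) not in locked]


def lock_request(method: str, scope: str, lock_name: str, level: str | None = None,
                 notes: str = "") -> tuple[str, str, str | None]:
    """(method, url, body) for the REST call. scope is a subscription, resource
    group or resource ID starting with '/subscriptions/'. PUT creates or
    updates, GET reads, DELETE removes; only PUT carries a body."""
    if method not in ("PUT", "GET", "DELETE"):
        raise ValueError("method must be PUT, GET or DELETE")
    url = (f"https://management.azure.com{scope}/providers/Microsoft.Authorization"
           f"/locks/{lock_name}?api-version={API_VERSION}")
    body = None
    if method == "PUT":
        if level not in LEVELS:
            raise ValueError(f"level must be one of {LEVELS}")
        body = json.dumps({"properties": {"level": level, "notes": notes}})
    return method, url, body


def sample_template() -> dict:
    """Constructed template: a plan, a site locked via concat(), a second site left unlocked."""
    site = "[variables('siteName')]"
    return {"resources": [
        {"type": "Microsoft.Web/serverfarms", "name": "[parameters('hostingPlanName')]"},
        {"type": "Microsoft.Web/sites", "name": site},
        {"type": "Microsoft.Web/sites", "name": "examplesite2"},
        template_lock("siteLock", "CanNotDelete", "Site should not be deleted.",
                      resource_type="Microsoft.Web/sites", resource_name=site),
    ]}
```

Running unlocked_resources over the constructed template reports the hosting plan and examplesite2, which is the kind of gap that is easy to miss in a long template and that a resource-group lock would otherwise have to cover.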

Next steps