Resources - jasper-zanjani/azure GitHub Wiki

Notes

  • App Service SSL certificates need to be deleted from each App Service before moving it to a new resource group.
  • VNet peering has to be disabled before moving a VNet, and a VNet can only be moved within the same subscription.

Resource groups

A resource group is a container that holds related resources for an Azure solution.

  • A resource may only be contained within a single resource group.
  • A resource group may not contain another resource group.
  • Resources from different resource groups can interact with one another.
  • Resource groups can be used to scope both access control and policy.
  • A resource group is created in a location, which specifies only where its metadata is stored; the resources it contains may live in other regions.

Resource providers

A resource type is composed of a resource provider namespace, which is associated with a particular Azure service, followed by a slash and the resource type (plural), e.g. Microsoft.Storage/storageAccounts.

  • Microsoft.Network
  • Microsoft.Storage
    • Microsoft.Storage/storageAccounts
  • Microsoft.Web
    • Microsoft.Web/sites

Locks

Azure resource locks restrict operations for all users and roles, Owners included (a lock overrides RBAC permissions), and can be applied at subscription, resource group, or resource scope. There are two lock levels:

  • CanNotDelete: authorized users can still read and modify the resource, but cannot delete it
  • ReadOnly: authorized users can read the resource but not update or delete it, which effectively restricts everyone to the permissions granted by the Reader role. Because any POST to the resource is treated as a write, some operations that look like reads are blocked too:
    • Storage account keys of a locked storage account cannot be listed, because the list keys operation is handled through a POST request
    • Visual Studio Server Explorer will not be able to display files for a locked App Service resource, because that interaction requires write access
    • VMs in a locked resource group cannot be started or restarted, because those operations are POST requests

All child resources of the scope at which a lock is applied inherit the lock, and the most restrictive lock in the chain takes precedence. A lock on a child also protects its parents from deletion: a CanNotDelete lock applied to a DNS A record prevents deletion of the DNS zone that the record resides in, and of the resource group the zone resides in, because deleting either would delete the locked record.

Of the built-in roles, only two have access to the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions required to create or delete locks:

  • Owner
  • User Access Administrator

Resource locks apply only to the management plane of Azure, specifically operations sent to https://management.azure.com. Data-plane operations are unaffected: a ReadOnly lock on a storage account blocks changes to the account's configuration and listing of its keys, but does not stop anyone with a valid key or data-plane role from reading or writing blobs in it.
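The rules above (inheritance, ReadOnly blocking POST actions such as listKeys and VM start, CanNotDelete blocking only DELETE, a locked child blocking deletion of its parent, and locks applying only to requests sent to management.azure.com) are easy to misjudge when reviewing a change. The following Python script is an added example written for these notes, not Azure SDK or CLI code; it models those rules over constructed lock assignments and requests so they can be checked offline, and is not a substitute for ARM's own evaluation.

```python
"""Added example for these notes (not Azure SDK or CLI code): an offline model
of Azure resource-lock semantics. Lock assignments and requests are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse

ARM_HOST = "management.azure.com"   # locks only govern requests to this host


@dataclass(frozen=True)
class Lock:
    scope: str   # subscription, resource group or resource ID the lock is set on
    level: str   # "CanNotDelete" or "ReadOnly"


def scope_chain(resource_id: str) -> list[str]:
    """Subscription, resource group and each resource/child-resource level of an
    ID, lower-cased. A lock at any of these scopes is inherited by the target.
    A trailing odd segment such as /listKeys or /start (a POST action) is ignored."""
    parts = resource_id.strip("/").split("/")
    ends = [2]                                   # /subscriptions/{sub}
    if len(parts) >= 4:
        ends.append(4)                           # /subscriptions/{sub}/resourceGroups/{rg}
    ends.extend(range(8, len(parts) + 1, 2))     # /providers/{ns}/{type}/{name}[/{childType}/{childName}]...
    return ["/" + "/".join(parts[:end]).lower() for end in ends]


def evaluate(locks: list[Lock], method: str, url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one ARM request.

    Reads are never blocked. ReadOnly blocks every write verb, including POST
    actions (listKeys, start, restart). CanNotDelete blocks DELETE only. DELETE is
    also refused when a descendant of the target carries any lock, because deleting
    the parent would delete the locked child."""
    parsed = urlparse(url)
    if parsed.netloc.lower() != ARM_HOST:
        return True, "data-plane request, not subject to resource locks"
    method = method.upper()
    if method in ("GET", "HEAD"):
        return True, "read operations are never blocked by locks"
    chain = scope_chain(parsed.path)
    inherited = [lk for lk in locks if lk.scope.lower() in chain]
    read_only = [lk for lk in inherited if lk.level == "ReadOnly"]
    if read_only:
        return False, f"ReadOnly lock at {read_only[0].scope}"
    if method == "DELETE":
        if inherited:                            # only CanNotDelete locks remain here
            return False, f"CanNotDelete lock at {inherited[0].scope}"
        target = chain[-1]
        below = [lk for lk in locks if lk.scope.lower().startswith(target + "/")]
        if below:
            return False, f"locked child {below[0].scope} blocks deletion of its parent"
    return True, "no lock applies"


# Constructed sample: one subscription, one resource group, three locked resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/prod-rg"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/prodstor"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
ZONE = RG + "/providers/Microsoft.Network/dnsZones/example.com"
RECORD = ZONE + "/A/www"
LOCKS = [Lock(STORAGE, "ReadOnly"), Lock(VM, "CanNotDelete"), Lock(RECORD, "CanNotDelete")]


def arm(path: str) -> str:
    """Management-plane URL for a resource path (the api-version is illustrative)."""
    return f"https://{ARM_HOST}{path}?api-version=2021-04-01"


if __name__ == "__main__":
    cases = [
        ("POST", arm(STORAGE + "/listKeys")),                      # blocked: ReadOnly vs POST
        ("POST", arm(VM + "/start")),                               # allowed: CanNotDelete ignores POST
        ("DELETE", arm(VM)),                                        # blocked: CanNotDelete
        ("DELETE", arm(ZONE)),                                      # blocked: locked A record below it
        ("DELETE", arm(RG)),                                        # blocked: locked children
        ("PUT", "https://prodstor.blob.core.windows.net/c/blob"),  # data plane, not evaluated
    ]
    for method, url in cases:
        print(method, url, evaluate(LOCKS, method, url))
```

Running the script prints one verdict per request; note that the VM start succeeds with only a CanNotDelete lock in its chain, while the same request is refused as soon as a ReadOnly lock sits on the resource group above it.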

Managed applications create two resource groups to implement locks:

  • One resource group to contain an overview of the service, which isn't locked
  • Another resource group containing the infrastructure for the service, which is locked

Tasks

Register provider

Register a resource provider in the current subscription. Registration is per subscription, and the account needs the provider's /register/action, which the Contributor and Owner roles include:

az provider register --namespace 'Microsoft.PolicyInsights'

Move resources

Source: Move resources to a new resource group or subscription

Requirements:

  • Some services have limitations or requirements when moving resources between groups (see Move operation support for resources)
  • Source and destination subscriptions must be within the same AAD tenant
  • Destination subscription must be registered for the resource provider of the resource being moved
  • Account moving the resources must have at least the following permissions:
    • Microsoft.Resources/subscriptions/resourceGroups/moveResources/action on the source resource group
    • Microsoft.Resources/subscriptions/resourceGroups/write on the destination resource group

PowerShell:

$webapp = Get-AzResource -ResourceGroupName OldRG -ResourceName ExampleSite
$plan = Get-AzResource -ResourceGroupName OldRG -ResourceName ExamplePlan

Move-AzResource -DestinationResourceGroupName NewRG -ResourceId $webapp.ResourceId, $plan.ResourceId

Azure CLI:

webapp=$(az resource show -g OldRG -n ExampleSite --resource-type "Microsoft.Web/sites" --query id --output tsv)
plan=$(az resource show -g OldRG -n ExamplePlan --resource-type "Microsoft.Web/serverfarms" --query id --output tsv)

az resource move --destination-group NewRG --ids $webapp $plan
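The requirements listed above are checked by ARM only when the move is attempted. The following Python script is an added example written for these notes, not Azure CLI or PowerShell code; it runs the same checks offline over constructed inputs (tenant mapping, registered providers, a subset of the move-support table matching the notes on this page, and role assignments with RBAC wildcard actions), and builds the request body for ARM's validateMoveResources dry run, which performs the server-side validation without moving anything. The subscription IDs, resource names and assignments are all constructed.

```python
"""Added example for these notes (not Azure CLI or PowerShell code): pre-flight
checks for a resource move. Tenants, registered providers, the move-support
table and role assignments are constructed; in practice they come from
`az account show`, `az provider list` and `az role assignment list`."""
from fnmatch import fnmatch

MOVE_ACTION = "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action"
WRITE_ACTION = "Microsoft.Resources/subscriptions/resourceGroups/write"


def subscription_id(resource_id: str) -> str:
    return resource_id.strip("/").split("/")[1]


def resource_group_id(resource_id: str) -> str:
    return "/" + "/".join(resource_id.strip("/").split("/")[:4])


def resource_type(resource_id: str) -> str:
    """'Microsoft.Web/sites' for a top-level resource ID."""
    parts = resource_id.strip("/").split("/")
    i = parts.index("providers")
    return f"{parts[i + 1]}/{parts[i + 2]}"


def action_granted(assignments: dict[str, list[str]], scope: str, action: str) -> bool:
    """True if a role assignment at `scope` or at an ancestor scope grants `action`.
    RBAC action strings may carry wildcards, e.g. Microsoft.Resources/* or *."""
    scope = scope.lower()
    for assigned_scope, actions in assignments.items():
        s = assigned_scope.lower()
        if scope == s or scope.startswith(s + "/"):
            if any(fnmatch(action.lower(), a.lower()) for a in actions):
                return True
    return False


def preflight(resource_ids, destination_rg, tenants, registered, move_support, assignments):
    """Return the list of blocking problems; an empty list means the move can be attempted."""
    problems = []
    dest_sub = subscription_id(destination_rg)
    for rid in resource_ids:
        src_sub = subscription_id(rid)
        if tenants[src_sub] != tenants[dest_sub]:
            problems.append(f"{rid}: source and destination subscriptions are in different tenants")
        rtype = resource_type(rid)
        namespace = rtype.split("/")[0]
        if namespace.lower() not in {p.lower() for p in registered.get(dest_sub, [])}:
            problems.append(f"{rid}: provider {namespace} is not registered in subscription {dest_sub}")
        scope_kind = "subscription" if src_sub != dest_sub else "resourceGroup"
        if not move_support.get(rtype.lower(), {}).get(scope_kind, False):
            problems.append(f"{rid}: {rtype} cannot be moved across {scope_kind} scope")
        if not action_granted(assignments, resource_group_id(rid), MOVE_ACTION):
            problems.append(f"missing {MOVE_ACTION} on source {resource_group_id(rid)}")
    if not action_granted(assignments, destination_rg, WRITE_ACTION):
        problems.append(f"missing {WRITE_ACTION} on destination {destination_rg}")
    return problems


def validate_move_body(resource_ids, destination_rg) -> dict:
    """Request body for ARM's validateMoveResources operation (a POST on the source
    resource group), which validates the move server-side without performing it."""
    return {"resources": list(resource_ids), "targetResourceGroup": destination_rg}


# Constructed inputs: two subscriptions in one tenant, resources in OldRG.
SUB_A = "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001"
SUB_B = "/subscriptions/bbbbbbbb-0000-0000-0000-000000000002"
OLD_RG = SUB_A + "/resourceGroups/OldRG"
NEW_RG = SUB_A + "/resourceGroups/NewRG"
OTHER_RG = SUB_B + "/resourceGroups/OtherRG"
WEBAPP = OLD_RG + "/providers/Microsoft.Web/sites/ExampleSite"
PLAN = OLD_RG + "/providers/Microsoft.Web/serverfarms/ExamplePlan"
VNET = OLD_RG + "/providers/Microsoft.Network/virtualNetworks/ExampleVnet"

TENANTS = {subscription_id(SUB_A): "tenant-1", subscription_id(SUB_B): "tenant-1"}
REGISTERED = {subscription_id(SUB_A): ["Microsoft.Web", "Microsoft.Network"],
              subscription_id(SUB_B): ["Microsoft.Network"]}
# Subset of the move-support table, constructed to match the notes on this page
# (a VNet moves between resource groups but not between subscriptions).
MOVE_SUPPORT = {
    "microsoft.web/sites": {"resourceGroup": True, "subscription": True},
    "microsoft.web/serverfarms": {"resourceGroup": True, "subscription": True},
    "microsoft.network/virtualnetworks": {"resourceGroup": True, "subscription": False},
}
# Role assignments as {scope: [actions]}: Owner-style "*" on SUB_A, read-only on OtherRG.
ASSIGNMENTS = {SUB_A: ["*"], OTHER_RG: ["Microsoft.Resources/subscriptions/resourceGroups/read"]}

if __name__ == "__main__":
    print(preflight([WEBAPP, PLAN], NEW_RG, TENANTS, REGISTERED, MOVE_SUPPORT, ASSIGNMENTS))
    print(preflight([VNET], OTHER_RG, TENANTS, REGISTERED, MOVE_SUPPORT, ASSIGNMENTS))
    print(validate_move_body([WEBAPP, PLAN], NEW_RG))
```

The body returned by validate_move_body is what you would pass to az resource invoke-action --action validateMoveResources on the source resource group; the offline checks catch the common mistakes (unregistered provider, missing write on the destination, a type that only moves within a subscription) before that call is made.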

Create lock

PowerShell, on a resource:

New-AzResourceLock -ResourceGroupName $rg -ResourceName $r -LockLevel CanNotDelete -ResourceType Microsoft.Web/sites -LockName LockSite

PowerShell, on a resource group:

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName $rg

Azure CLI, on a resource:

az lock create --resource-group $rg --resource-name $r --lock-type CanNotDelete --resource-type Microsoft.Web/sites --name LockSite

Azure CLI, on a resource group:

az lock create --name LockGroup --lock-type CanNotDelete --resource-group $rg

Display lock

PowerShell:

Get-AzResourceLock -ResourceName $r -ResourceType Microsoft.Web/sites -ResourceGroupName $rg

Azure CLI:

az lock list --resource-group $rg --resource-name $r --namespace Microsoft.Web --resource-type sites --parent ""

Delete lock

PowerShell:

$lockId = (Get-AzResourceLock -ResourceGroupName $rg -ResourceName $r -ResourceType Microsoft.Web/sites).LockId

Remove-AzResourceLock -LockId $lockId

Azure CLI:

lockid=$(az lock show --name LockSite --resource-group $rg --resource-type Microsoft.Web/sites --resource-name $r --output tsv --query id)
az lock delete --ids $lockid
