Why Azure provides multiple delete locks on a virtual machine?

Question

As we know that we can apply a lock to prevent the accidental deletion of a VM in azure. To delete it - we have to un-assign/delete the lock first. But Why azure provides multiple delete locks on the same resource? even a single lock will work as same as multiple locks.

Below is an example image -

Answer 1

I tried this to seek an answer.

Entity A puts a Delete lock for a reason. Entity B puts a (second) Delete lock for another reason.

After a while, when Entity A is happy that he/she no longer needs the lock, he/she will remove it. However, Entity B still has a reason to keep the resource locked from being deleted.

Tried this today. Thanks for bringing up this scenario. Hope the answer helps.

Answer 2

Probably some resource will need a 'Delete' acceptance from different Admin groups, hence the multiple locks?

If it's a critical resource, the the first lock can be a general, inherited one and the second lock can be from a higher admin group.

Answer 3

You can set the lock level to CanNotDelete or ReadOnly. For your question that why Azure provides multiple delete locks on the same resource. I think the main reason is that you could directly set a lock on a subscription, resource group, or resource level in a resource UI instead of going back to set the lock in each resource UI.

For example, you can set a resource group level Delete lock by selecting resource group on virtual machine locks UI, all resources within that resource group inherit the same lock.

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources