Microsoft Azure Fundamentals AZ-900 Practice Question

Azure Resource Locks provide a simple, broad safeguard against accidental deletion or modification. You can apply a Delete (CanNotDelete) or Read-only lock at the subscription, resource-group, or individual-resource scope, and the lock overrides Role-Based Access Control (RBAC) permissions-no user can perform the blocked action until the lock is removed.

RBAC limits what actions an identity can perform, but if a user (for example, an Owner or Contributor) already has delete or write permissions, RBAC alone will not stop that user from removing or changing the resource.

Azure Policy is primarily a governance tool. By authoring custom policies with the Deny or DenyAction effects you can indeed block specific create, update, or delete requests, but doing so requires granular policy definitions and is not intended as a quick, blanket safeguard like a lock.

Moving resources to another subscription does not itself restrict modifications; the resources remain subject to the permissions and policies in the destination subscription.