Disable Locks

Understand how Apono handles Azure resource locks

Azure resource locks protect important cloud resources from being changed or deleted.

There are two types of locks:

  • CanNotDelete: Allows changes but prevents deletion

  • ReadOnly: Allows viewing but blocks changes and deletion

If you have set up Azure resource locks, you should enable the Disable Locks setting when integrating Apono with Azure Subscriptions or Management Groups. The Disable Locks setting allows Apono to temporarily remove and later restore locks in order to complete grant or revoke operations on protected resources. To support this, the Apono connector must also be assigned the Tag Contributor role at the appropriate scope, allowing it to add a tag marker to locked resources.

Disable Locks setting

When Disable Locks is enabled, Apono performs the following operations during access provisioning or revocation:

  1. Checks the target resource and its parent scopes for existing locks.

  2. If a lock exists, adds a tag marker to the resource.

  3. Removes the lock.

  4. Grants or revokes access. (Delete-locked resources cannot be granted access.)

  5. Reapplies the lock.

If the connector fails after removing a lock but before reapplying it, the tag ensures the lock will be restored upon connector restart.
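
A defender-side check for the failure window described above, added here as an example and not Apono's code: it flags resources that still carry the tag marker but have no lock at the resource, resource group or subscription scope. The tag key `example-lock-marker` and all sample records are assumptions; the page does not name the tag, and the records only mimic the `id`, `tags` and `level` fields of `az resource list` and `az lock list` output.

```python
MARKER_TAG = "example-lock-marker"  # hypothetical; the page does not name the tag key
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
STORAGE = "/providers/Microsoft.Storage/storageAccounts/"

# Constructed records with the `id` and `tags` fields of `az resource list` output.
RESOURCES = [
    {"id": SUB + "/resourceGroups/rg-a" + STORAGE + "stlocked", "tags": {MARKER_TAG: "1"}},
    {"id": SUB + "/resourceGroups/rg-b" + STORAGE + "stinherited", "tags": {MARKER_TAG: "1"}},
    {"id": SUB + "/resourceGroups/rg-c" + STORAGE + "storphan", "tags": {MARKER_TAG: "1"}},
    {"id": SUB + "/resourceGroups/rg-c" + STORAGE + "stplain", "tags": None},
]
# Constructed records with the `id` and `level` fields of `az lock list` output.
LOCKS = [
    {"id": RESOURCES[0]["id"] + "/providers/Microsoft.Authorization/locks/keep", "level": "CanNotDelete"},
    # Resource-group lock, written with different casing than the resource ids.
    {"id": SUB + "/resourceGroups/RG-B/providers/Microsoft.Authorization/locks/ro", "level": "ReadOnly"},
    # Group "rg" is a string prefix of "rg-c" but is not a parent scope of it.
    {"id": SUB + "/resourceGroups/rg/providers/Microsoft.Authorization/locks/other", "level": "ReadOnly"},
]

def lock_scope(lock_id):
    """Return the lowercased scope (resource, group or subscription) a lock is attached to."""
    lowered = lock_id.lower()
    idx = lowered.rfind(LOCK_SEGMENT)
    if idx == -1:
        raise ValueError("not a lock id: " + lock_id)
    return lowered[:idx]

def covering_locks(resource_id, locks):
    """Locks on the resource itself or on any parent scope (ids compare case-insensitively)."""
    rid = resource_id.lower()
    return [lock for lock in locks
            if rid == lock_scope(lock["id"]) or rid.startswith(lock_scope(lock["id"]) + "/")]

def unlocked_marked(resources, locks):
    """Ids of resources that carry the marker tag but are covered by no lock."""
    flagged = []
    for res in resources:
        tags = res.get("tags") or {}  # untagged resources report tags as null
        if MARKER_TAG in tags and not covering_locks(res["id"], locks):
            flagged.append(res["id"])
    return flagged

if __name__ == "__main__":
    for rid in unlocked_marked(RESOURCES, LOCKS):
        print("marker present, no lock in scope:", rid)
```

A resource flagged here may also be mid-operation, so a finding is only meaningful if it persists after the grant or revoke has finished.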
