Remediation
From Azure Portal
- In the Azure portal, open a subscription or resource group where you want the custom role to be assigned.
- Select
Access control (IAM). - Click
Add. - Select
Add custom role. - In the
Custom Role Namefield enterResource Lock Administrator. - In the
Descriptionfield enterCan Administer Resource Locks. - For
Baseline permissionsselectStart from scratch - Select
Next. - Click
Add permissions. - In the
Search for a permissionbox, typeMicrosoft.Authorization/locks. - Click on the result.
- Check the box next to
Permission. - Click
Add. - Click
Review + create. - Click
Create. - Click
OK. - Click
+ Add. - Click
Add role assignment. - In the
Search by role name, description, permission, or IDbox, typeResource Lock Administrator. - Select the role.
- Click
Next. - Click
+ Select members. - Select appropriate members.
- Click
Select. - Click
Review + assign. - Click
Review + assignagain. - Repeat steps 1-26 for each subscription or resource group requiring remediation.
From PowerShell
Below is a power shell definition for a resource lock administrator role created at an Azure Management group level:
Import-Module Az.Accounts Connect-AzAccount $role = Get-AzRoleDefinition "User Access Administrator" $role.Id = $null $role.Name = "Resource Lock Administrator" $role.Description = "Can Administer Resource Locks" $role.Actions.Clear() $role.Actions.Add("Microsoft.Authorization/locks/*") $role.AssignableScopes.Clear() * Scope at the Management group level Management group $role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/MG-Name") New-AzRoleDefinition -Role $role Get-AzureRmRoleDefinition "Resource Lock Administrator"