Protect Azure Quantum resources with Azure Resource Manager (ARM) locks
Microsoft recommends locking all of your Azure Quantum workspaces and linked storage accounts with an Azure Resource Manager (ARM) resource lock to prevent accidental or malicious deletion. For example, professors might want to restrict students from modifying provider SKUs, but still enable them to use notebooks and submit jobs.
There are two types of ARM resource locks:
- A CannotDelete lock prevents users from deleting a resource, but permits reading and modifying its configuration.
- A ReadOnly lock prevents users from modifying a resource's configuration (including deleting it), but permits reading its configuration.
For more information about resource locks, see Lock resources to prevent unexpected changes.
Note
If you already use an ARM or Bicep template to manage your Azure Quantum workspaces, you can add the procedures in this article to your existing templates.
Recommended lock configurations
The following table shows the recommended resource lock configurations to deploy for an Azure Quantum workspace.
Resource | Lock type | Notes |
---|---|---|
Workspace | Delete | Prevents the workspace from being deleted. |
Workspace | Read-only | Prevents any modifications to the workspace, including additions or deletions of providers, while still allowing users to create and delete notebooks and submit jobs. To modify providers when this lock is set, you need to remove the resource lock, make your changes, then redeploy the lock. |
Storage account | Delete | Prevents the storage account from being deleted. |
The following configurations should be avoided:
Important
Setting the following ARM locks may cause your workspace to function incorrectly.
Resource | Lock type | Notes |
---|---|---|
Storage account | Read-only | Setting a Read-only resource lock on the storage account can cause failures with workspace creation, the Jupyter Notebooks interface, and submitting and fetching jobs. |
Parent subscription of the workspace or the parent resource group of the workspace or storage account | Read-only | When a resource lock is applied to a parent resource, all resources under that parent inherit the same lock, including resources created at a later date. For more granular control, resource locks should be applied directly at the resource level. |
Prerequisites
You must be an Owner or User Access Administrator of a resource to apply ARM resource locks. For more information, see Azure built-in roles.
Command-line deployment
You will need either Azure PowerShell or Azure CLI to deploy the lock. If you use Azure CLI, you must have the latest version. For the installation instructions, see:
Important
If you haven't used Azure CLI with Azure Quantum before, follow the steps in the Environment setup section to add the quantum extension and register the Azure Quantum namespace.
Sign in to Azure
After installing either Azure CLI or Azure PowerShell, make sure you sign in for the first time. Choose one of the following tabs and run the corresponding command line commands to sign in to Azure:
az login
If you have multiple Azure subscriptions, select the subscription with the resources that you want to lock. Replace SubscriptionName with your subscription name or subscription ID. For example:
az account set --subscription "Azure subscription 1"
Create an ARM resource lock
When you deploy a resource lock, you specify a name for the lock, the type of lock, and additional information about the resource. This information can be copied and pasted from the resource's home page in the Azure Quantum portal.
az lock create \
--name <lock> \
--resource-group <resource-group> \
--resource <workspace> \
--lock-type CanNotDelete \
--resource-type Microsoft.Quantum/workspaces
- name: A descriptive name for the lock
- resource-group: The name of the parent resource group.
- resource: The name of the resource to apply the lock to.
- lock-type: The type of lock to apply, either CanNotDelete or ReadOnly.
- resource-type: The type of the target resource.
For example, to create a CanNotDelete lock on a workspace:
az lock create \
--name ArmLockWkspDelete \
--resource-group armlocks-resgrp \
--resource armlocks-wksp \
--lock-type CanNotDelete \
--resource-type Microsoft.Quantum/workspaces
If successful, Azure returns the lock configuration in JSON format:
{
"id": "/subscriptions/<ID>/resourcegroups/armlocks-resgrp/providers/Microsoft.Quantum/workspaces/armlocks-wksp/providers/Microsoft.Authorization/locks/ArmLockWkspDelete",
"level": "CanNotDelete",
"name": "ArmLockWkspDelete",
"notes": null,
"owners": null,
"resourceGroup": "armlocks-resgrp",
"type": "Microsoft.Authorization/locks"
}
To create a ReadOnly lock on a workspace:
az lock create \
--name ArmLockWkspRead \
--resource-group armlocks-resgrp \
--resource armlocks-wksp \
--lock-type ReadOnly \
--resource-type Microsoft.Quantum/workspaces
{
"id": "/subscriptions/<ID>/resourcegroups/armlocks-resgrp/providers/Microsoft.Quantum/workspaces/armlocks-wksp/providers/Microsoft.Authorization/locks/ArmLockWkspRead",
"level": "ReadOnly",
"name": "ArmLockWkspRead",
"notes": null,
"owners": null,
"resourceGroup": "armlocks-resgrp",
"type": "Microsoft.Authorization/locks"
}
To create a CanNotDelete lock on a storage account:
az lock create \
--name ArmLockStoreDelete \
--resource-group armlocks-resgrp \
--resource armlocksstorage \
--lock-type CanNotDelete \
--resource-type Microsoft.Storage/storageAccounts
{
"id": "/subscriptions/<ID>/resourcegroups/armlocks-resgrp/providers/Microsoft.Storage/storageAccounts/armlocksstorage/providers/Microsoft.Authorization/locks/ArmLockStoreDelete",
"level": "CanNotDelete",
"name": "ArmLockStoreDelete",
"notes": null,
"owners": null,
"resourceGroup": "armlocks-resgrp",
"type": "Microsoft.Authorization/locks"
}
Viewing and deleting locks
To view or delete locks:
For more information, see the az lock reference.
View all locks in a subscription
az lock list
View all locks in a workspace
az lock list \
--resource-group armlocks-resgrp \
--resource-name armlocks-wksp \
--resource-type Microsoft.Quantum/workspaces
View all locks for all resources in a resource group
az lock list --resource-group armlocks-resgrp
View the properties of a single lock
az lock show \
--name ArmLockStoreDelete \
--resource-group armlocks-resgrp \
--resource-name armlocksstorage \
--resource-type Microsoft.Storage/storageAccounts
Delete a lock
az lock delete \
--name ArmLockStoreDelete \
--resource-group armlocks-resgrp \
--resource-name armlocksstorage \
--resource-type Microsoft.Storage/storageAccounts
If the deletion is successful, Azure does not return a message. To verify the deletion, you can run az lock list.
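The following Python check is an added example, not part of the original article: it takes lock records shaped like the JSON that az lock list returns and compares them with the recommended and discouraged configurations in the tables above. The sample records, the all-zero subscription ID, the lock names ArmLockStoreRead and RgFreeze, and the function names are constructed for illustration; only locks applied directly to a resource are counted, which matches the article's advice to lock at the resource level.

```python
import re

# Constructed sample shaped like `az lock list -o json` output (id format as shown above).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = SUB + "/resourcegroups/armlocks-resgrp"
WKSP = RG + "/providers/Microsoft.Quantum/workspaces/armlocks-wksp"
STORE = RG + "/providers/Microsoft.Storage/storageAccounts/armlocksstorage"
LOCKS = "/providers/Microsoft.Authorization/locks/"
SAMPLE = [
    {"id": WKSP + LOCKS + "ArmLockWkspDelete", "level": "CanNotDelete"},
    {"id": STORE + LOCKS + "ArmLockStoreRead", "level": "ReadOnly"},
    {"id": RG + LOCKS + "RgFreeze", "level": "ReadOnly"},
]

def lock_scope(lock_id):
    """Return (kind, scope); the scope is the lock id with the lock suffix removed."""
    scope = re.split(re.escape(LOCKS), lock_id, flags=re.I)[0].lower()
    if "/providers/microsoft.quantum/workspaces/" in scope:
        return "workspace", scope
    if "/providers/microsoft.storage/storageaccounts/" in scope:
        return "storage", scope
    if re.fullmatch(r"/subscriptions/[^/]+/resourcegroups/[^/]+", scope):
        return "resource-group", scope
    if re.fullmatch(r"/subscriptions/[^/]+", scope):
        return "subscription", scope
    return "other", scope

def audit_locks(locks, required_scopes):
    """Flag discouraged ReadOnly locks and required resources lacking delete protection."""
    findings, delete_protected = [], set()
    for lock in locks:
        kind, scope = lock_scope(lock["id"])
        level = lock["level"]
        # ReadOnly on storage, resource group or subscription is listed as "avoid".
        if level == "ReadOnly" and kind in ("storage", "resource-group", "subscription"):
            findings.append(("AVOID", kind, scope))
        # A workspace ReadOnly lock also blocks deletion; storage needs CanNotDelete.
        if level == "CanNotDelete" or (level == "ReadOnly" and kind == "workspace"):
            delete_protected.add(scope)
    for scope in required_scopes:
        if scope.lower() not in delete_protected:
            findings.append(("MISSING", lock_scope(scope + LOCKS)[0], scope.lower()))
    return findings

if __name__ == "__main__":
    for severity, kind, scope in audit_locks(SAMPLE, [WKSP, STORE]):
        print(f"{severity:8} {kind:15} {scope}")
```

To run it against a real subscription, load the output of az lock list as JSON and pass it in place of SAMPLE, together with the resource IDs of the workspaces and storage accounts you expect to be protected.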