Hi Ens,
Deny policy effect cannot be applied on the resource group to prevent users from deleting the lock as this only works with create/update - PUT/PATCH operation on the resources or resource groups and not on DELETE operations.
Unfortunately, Deny Action cannot be applied here as well as Microsoft.Authorization/locks
are all exempted from denyAction
enforcement to prevent lockout scenarios.
The recommended approach would be to use DINE policy effect to apply locks on the resource group OR limit owner or user access admin permission or any custom role with actions Microsoft.Authorization/*
or Microsoft.Authorization/locks/*
actions to users/groups.