![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 69%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
872 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 2%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Hi Ens,
Deny policy effect cannot be applied on the resource group to prevent users from deleting the lock as this only works with create/update - PUT/PATCH operation on the resources or resource groups and not on DELETE operations.
Unfortunately, Deny Action cannot be applied here as well as Microsoft.Authorization/locks are all exempted from denyAction enforcement to prevent lockout scenarios.
The recommended approach would be to use DINE policy effect to apply locks on the resource group OR limit owner or user access admin permission or any custom role with actions Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions to users/groups.