Lock resources to prevent unexpected changes
I'm attempting to lock a folder in Azure to prevent anyone deleting it. I am setting the lock level to CanNotDelete. I'm wondering, if I set this on the parent folder, do the subfolders inherit this lock level so they too cannot be deleted?
Solution 1:
I'm wondering, if I set this on the parent folder, do the subfolders inherit this lock level so they too cannot be deleted?
Let's say we create a storage account in this resource group, apply CanNotDelete to this group, then we can't delete this storage account, but we can delete the blobs in this storage account.
By default, when you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.azure.com. The locks do not restrict how resources perform their own functions. Resource changes are restricted, but resource operations are not restricted.
For example, a ReadOnly lock on a SQL Database prevents you from deleting or modifying the database, but it does not prevent you from creating, updating, or deleting data in the database. Data transactions are permitted because those operations are not sent to https://management.azure.com.
For more information about how locks are applied, please refer to this article.
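The rules in this answer (inheritance from parent scopes, most restrictive lock wins, management plane only) can be expressed as a small model. This is an added illustration, not code from the answer or from Azure; the subscription ID, resource names and the GET/HEAD-only treatment of ReadOnly are constructed simplifications.

```python
from urllib.parse import urlsplit

ARM_HOST = "management.azure.com"            # management-plane endpoint named in the answer
RANK = {"CanNotDelete": 1, "ReadOnly": 2}    # assumption: higher number = more restrictive

# Constructed sample scopes (placeholder subscription ID and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/demo-rg"
ACCT = RG + "/providers/Microsoft.Storage/storageAccounts/demoacct"
LOCKS = [(RG, "CanNotDelete")]               # lock applied at the resource group


def effective_lock(resource_id, locks):
    """Most restrictive lock set on the resource itself or on any parent scope."""
    rid = resource_id.lower().rstrip("/")    # resource IDs compare case-insensitively
    best = None
    for scope, level in locks:
        s = scope.lower().rstrip("/")
        # Match on a path-segment boundary so .../demo-rg does not cover .../demo-rg2.
        if rid == s or rid.startswith(s + "/"):
            if best is None or RANK[level] > RANK[best]:
                best = level
    return best


def is_blocked(method, url, locks):
    """True if this model would reject the request because of a lock."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != ARM_HOST:
        return False                         # data plane: locks are not consulted
    level = effective_lock(parts.path, locks)
    method = method.upper()
    if level == "ReadOnly":
        return method not in ("GET", "HEAD") # simplification: only reads pass
    if level == "CanNotDelete":
        return method == "DELETE"            # modify is still allowed
    return False


if __name__ == "__main__":
    arm = "https://" + ARM_HOST + ACCT
    blob = "https://demoacct.blob.core.windows.net/container/file.txt"
    print("delete storage account:", is_blocked("DELETE", arm, LOCKS))   # inherited lock
    print("update storage account:", is_blocked("PUT", arm, LOCKS))
    print("delete blob (data plane):", is_blocked("DELETE", blob, LOCKS))
```

The blob delete passes because it goes to the storage endpoint rather than management.azure.com, which is why a lock alone does not protect the data inside a locked resource.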