End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Use Resource Locks


Risk Level: High (not acceptable risk)

Ensure that your production or mission-critical Azure AI Foundry instances have resource locks enabled so that the instances cannot be deleted (or, with a ReadOnly lock, modified) through Azure Resource Manager, whatever the caller's RBAC role, until a principal with lock-management permissions removes the lock. Locks help prevent both accidental and malicious changes or resource deletion, but they complement rather than replace least-privilege role assignments: any principal allowed to remove the lock can then remove the resource.

Security

Azure resource locks enable you to restrict operations on production Azure AI Foundry instances where modifying or deleting a resource would have a significant negative impact on the entire system. As an Azure subscription administrator, it may be necessary to lock an important cloud resource in order to prevent other users within your organization from mistakenly deleting or modifying the resource. A lock applies to every caller regardless of their RBAC role; only principals granted the Microsoft.Authorization/locks/* actions (the built-in Owner and User Access Administrator roles) can create or remove locks. A resource lock can have one of the following types:

  1. CanNotDelete: authorized users can still read and modify the instance, but cannot delete it.
  2. ReadOnly: authorized users can read the instance, but cannot update or delete it. Because a ReadOnly lock rejects every management-plane write, including POST operations such as listing or regenerating the account keys through Azure Resource Manager, verify that no deployment pipeline or workload depends on those operations before choosing this level.

Several locks can be applied to the same resource (or inherited from its resource group or subscription); the most restrictive lock is the one enforced.

Audit

To determine if your production AI Foundry instances have resource locks configured, perform the following operations:

Azure Portal (Azure Console) does not currently support checking for resource locks on Azure AI Foundry instances.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure AI Services (AI Foundry) instance available within the current subscription:

az cognitiveservices account list
	--output table
	--query '[?(kind==`AIServices`)].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AI Foundry instance identifiers:

Name                               ResourceGroup
-------------------------------    ------------------------------
cc-project5-ai-service-instance    cloud-shell-storage-westeurope
cc-project5-ai-foundry-instance    cloud-shell-storage-westeurope

06 Run lock list command (Windows/macOS/Linux) with the name of the Azure AI Foundry instance that you want to examine as the identifier parameter and custom output filters to describe the name and the level of the resource lock set for the selected instance:

az lock list
	--resource-name "cc-project5-ai-service-instance"
	--resource-group "cloud-shell-storage-westeurope"
	--resource-type "Microsoft.CognitiveServices/accounts"
	--query '[*].{"name":name,"level":level}'

07 Based on the resource lock configuration, the command output should return one of the following:

  1. If the lock list command output returns an empty array (i.e., []), as shown in the example below, the selected Azure AI Foundry instance does not use resource locks and is not compliant:
    []
    
  2. If the command output returns the name and the level of the resource lock but the lock level is not the required one, as shown in the example below, where a "ReadOnly" lock is expected but a "CanNotDelete" lock is configured, the resource locks configuration for the selected Azure AI Foundry instance is not compliant:
    [
    	{
    		"level": "CanNotDelete",
    		"name": "cc-project5-ai-instance-lock"
    	}
    ]
    
  3. If the command output returns a resource lock whose level matches the required one (e.g., "ReadOnly" when a "ReadOnly" lock is expected), the resource locks configuration for the selected Azure AI Foundry instance is compliant. Note that lock list only returns locks set directly on the instance; a lock inherited from the resource group or subscription is enforced but will not appear in this output.
    

Remediation / Resolution

To enable resource locks for your production or mission critical Microsoft Azure AI Foundry instances, perform the following operations:

Azure Portal (Azure Console) does not currently support enabling resource locks for Azure AI Foundry instances.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure AI Services (AI Foundry) instance available within the current subscription:

az cognitiveservices account list
	--output table
	--query '[?(kind==`AIServices`)].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AI Foundry instance identifiers:

Name                               ResourceGroup
-------------------------------    ------------------------------
cc-project5-ai-service-instance    cloud-shell-storage-westeurope
cc-project5-ai-foundry-instance    cloud-shell-storage-westeurope

06 If the resource lock is not properly configured for your Azure AI Foundry instance, run lock delete command (Windows/macOS/Linux) with the name of the non-compliant lock as the --name parameter and the name, resource group, and resource type of the AI Foundry instance as the resource identifier parameters, to remove the non-compliant resource lock from the selected instance (the command does not produce an output). Removing a lock requires the Microsoft.Authorization/locks/delete permission (Owner or User Access Administrator). Because several locks can coexist on one resource, you can run step 07 before this step so that the instance is never left unlocked between the two commands:

az lock delete
	--name cc-project5-ai-instance-lock
	--resource-name "cc-project5-ai-service-instance"
	--resource-group "cloud-shell-storage-westeurope"
	--resource-type "Microsoft.CognitiveServices/accounts"

07 Run lock create command (Windows/macOS/Linux) with the name of the AI Foundry instance that you want to lock down as the identifier parameter, to enable resource locks for the selected instance. As an example, the following command request creates a "ReadOnly" resource lock. This lock level allows authorized users to read the resource, without being able to update or delete the resource:

az lock create
	--name "cc-ai-instance-read-only-lock"
	--lock-type ReadOnly
	--resource-name "cc-project5-ai-service-instance"
	--resource-group "cloud-shell-storage-westeurope"
	--resource-type "Microsoft.CognitiveServices/accounts"

08 The command output should return the information available for the new resource lock:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/cc-project5-ai-service-instance/providers/Microsoft.Authorization/locks/cc-ai-instance-read-only-lock",
	"level": "ReadOnly",
	"name": "cc-ai-instance-read-only-lock",
	"notes": null,
	"owners": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Authorization/locks"
}
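The audit (steps 01 to 07) and the remediation (steps 01 to 08) above are written as manual, one-instance procedures. The POSIX shell script below is an added example, not code from the Conformity page or from Trend Micro, that runs the same Azure CLI commands across every subscription and every AIServices account, reports a verdict per account, and remediates a single account by creating the expected lock before deleting any non-compliant one, so the instance is never left without a lock. It assumes `az` is installed and logged in; the EXPECTED_LEVEL and LOCK_NAME values are placeholders. The pure functions classify_locks and plan_remediation carry the decision logic and run without Azure access; the functions that call `az` only run when the script is invoked with `audit` or `remediate NAME RESOURCE_GROUP`.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit every Azure AI Services (AI Foundry)
# account in every subscription for a resource lock of the expected level, and remediate one
# account without ever leaving it unlocked. Assumes `az` is installed and logged in.
set -eu

EXPECTED_LEVEL="${EXPECTED_LEVEL:-ReadOnly}"                  # placeholder: ReadOnly or CanNotDelete
LOCK_NAME="${LOCK_NAME:-ai-foundry-${EXPECTED_LEVEL}-lock}"   # placeholder name for locks created here
RESOURCE_TYPE="Microsoft.CognitiveServices/accounts"
TAB=$(printf '\t')

# classify_locks EXPECTED "LEVEL LEVEL ..."  ->  NO_LOCK | COMPLIANT | NON_COMPLIANT
# Mirrors the rule's strict check: only a lock at exactly the expected level counts, so a
# ReadOnly lock is reported NON_COMPLIANT when CanNotDelete is expected. The audit prints the
# observed levels next to the verdict so a reviewer can spot that case.
classify_locks() {
  expected=$1; levels=${2:-}
  if [ -z "$levels" ]; then echo NO_LOCK; return 0; fi
  for lvl in $levels; do
    if [ "$lvl" = "$expected" ]; then echo COMPLIANT; return 0; fi
  done
  echo NON_COMPLIANT
}

# plan_remediation EXPECTED NEWNAME "lockName=level ..."  ->  one "create|delete NAME LEVEL" per line
# The expected lock is created before any non-compliant lock is deleted: Azure allows several
# locks on one resource and enforces the most restrictive, so the account stays protected.
plan_remediation() {
  expected=$1; newname=$2; locks=${3:-}
  have_expected=0
  for entry in $locks; do
    if [ "${entry#*=}" = "$expected" ]; then have_expected=1; fi
  done
  [ "$have_expected" -eq 1 ] || echo "create $newname $expected"
  for entry in $locks; do
    [ "${entry#*=}" = "$expected" ] || echo "delete ${entry%%=*} ${entry#*=}"
  done
}

# list_ai_accounts: "name<TAB>resourceGroup" for each AIServices account in the active subscription
list_ai_accounts() {
  az cognitiveservices account list --query "[?kind=='AIServices'].[name,resourceGroup]" -o tsv
}

# lock_entries NAME RG: space-separated "lockName=level" tokens for the locks set on one account
lock_entries() {
  az lock list --resource-name "$1" --resource-group "$2" --resource-type "$RESOURCE_TYPE" \
    --query "[].join('=', [name, level])" -o tsv | tr '\n' ' ' | sed 's/ $//'
}

# audit: one line per account -> subscription, resource group, name, verdict, observed levels
audit() {
  for sub in $(az account list --query '[].id' -o tsv); do
    az account set --subscription "$sub"
    list_ai_accounts | while IFS="$TAB" read -r name rg; do
      levels=$(lock_entries "$name" "$rg" | sed 's/[^ ]*=//g')
      printf '%s\t%s\t%s\t%s\t%s\n' "$sub" "$rg" "$name" \
        "$(classify_locks "$EXPECTED_LEVEL" "$levels")" "${levels:-none}"
    done
  done
}

# remediate NAME RG: apply the plan for one account in the active subscription
remediate() {
  plan_remediation "$EXPECTED_LEVEL" "$LOCK_NAME" "$(lock_entries "$1" "$2")" |
  while read -r action lname level; do
    case "$action" in
      create) az lock create --name "$lname" --lock-type "$level" \
                --resource-name "$1" --resource-group "$2" --resource-type "$RESOURCE_TYPE" ;;
      delete) az lock delete --name "$lname" \
                --resource-name "$1" --resource-group "$2" --resource-type "$RESOURCE_TYPE" ;;
    esac
  done
}

case "${1:-}" in
  audit)     audit ;;
  remediate) remediate "$2" "$3" ;;
esac
```

Usage: `sh ai-foundry-locks.sh audit` prints a tab-separated report you can grep for NON_COMPLIANT or NO_LOCK; `az account set --subscription <id>` followed by `sh ai-foundry-locks.sh remediate cc-project5-ai-service-instance cloud-shell-storage-westeurope` applies the create-then-delete plan to one instance. Both paths need a principal that holds Microsoft.Authorization/locks/* on the target scope.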

Publication date Sep 10, 2025