Azure custom RBAC roles include the Microsoft.Authorization/locks/* action, indicating permission to administer management locks at subscription, resource group, or resource scope.
Risk
Absent a scoped custom role for Microsoft.Authorization/locks/*, lock control falls to broad roles (e.g., Owner), weakening least privilege. Locks can be disabled or altered, enabling unauthorized changes or deletion, harming integrity and availability, and reducing separation of duties and accountability.
prowler azure --checks iam_custom_role_has_permissions_to_administer_resource_locks
Recommendation
Define a least-privilege custom role restricted to Microsoft.Authorization/locks/* and assign it to a tightly controlled group at minimal scope. Apply separation of duties, use just-in-time elevation, audit lock changes, and avoid broad roles or pipeline identities managing locks. Layer with defense-in-depth controls.
Remediation
az role definition create --role-definition '{"Name":"<role_name>","Description":"Custom role to administer resource locks","IsCustom":true,"Actions":["Microsoft.Authorization/locks/*"],"NotActions":[],"AssignableScopes":["/subscriptions/<subscription_id>"]}'
- In the Azure portal, go to the target scope (Subscription or Resource group) and open Access control (IAM)
- Click Roles, find your custom role, and select Edit
- Go to Permissions > Add permissions
- Search for "Microsoft.Authorization/locks" and select Microsoft.Authorization/locks/*
- Click Add, then Review + save > Save
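The evaluation the check and the remediation above rely on, as an added example that is not Prowler's own code: given role definitions in the shape returned by `az role definition list`, decide which custom roles effectively administer locks, honouring Azure RBAC's `*` wildcard and `NotActions` subtraction. The role definitions and role names below are constructed sample data, not real tenant output.

```python
import re

# Constructed sample role definitions (shaped like `az role definition list` output).
ROLE_DEFINITIONS = [
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Lock Administrator", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}]},
    {"roleName": "Authorization Minus Locks", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/*"],
                      "notActions": ["Microsoft.Authorization/locks/*"]}]},
    {"roleName": "Lock Viewer", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/read"], "notActions": []}]},
]

# The three management-lock operations a lock administrator needs.
LOCK_OPERATIONS = ("Microsoft.Authorization/locks/read",
                   "Microsoft.Authorization/locks/write",
                   "Microsoft.Authorization/locks/delete")

def _matches(pattern, operation):
    # Azure RBAC action strings: '*' matches any run of characters; matching is case-insensitive.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def allows(permissions, operation):
    """True if some Actions entry covers the operation and no NotActions entry excludes it."""
    granted = any(_matches(p, operation)
                  for perm in permissions for p in perm.get("actions", []))
    excluded = any(_matches(p, operation)
                   for perm in permissions for p in perm.get("notActions", []))
    return granted and not excluded

def administers_locks(role):
    """A role administers locks only if it can read, create/update and delete them."""
    return all(allows(role["permissions"], op) for op in LOCK_OPERATIONS)

def custom_lock_admin_roles(role_definitions):
    """Names of custom (not built-in) roles that effectively administer locks."""
    return [r["roleName"] for r in role_definitions
            if r.get("roleType") == "CustomRole" and administers_locks(r)]

if __name__ == "__main__":
    print(custom_lock_admin_roles(ROLE_DEFINITIONS))  # ['Lock Administrator']
```

An empty result means lock control rests only with broad built-in roles such as Owner, which is the finding this check raises.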
Resource Type
microsoft.authorization/roledefinitions