Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Use Resource Locks for Azure DNS Zones

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your production or mission critical Azure DNS zones have resource locks enabled so that non-admin users are not able to delete or modify your DNS zones in order to help prevent accidental and malicious changes or resource deletion.

Security

Azure resource locks enable you to restrict operations on production Azure DNS zones where modifying or deleting a resource would have a significant negative impact on the entire system. As an Azure account administrator, it may be necessary to lock an important cloud resource in order to prevent other users within your organization from mistakenly deleting or modifying the resource. A resource lock can have one of the following types:

Audit

To determine if your production Azure DNS zones have resource locks configured, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and DNS zone for Value, then choose Apply to list the Azure DNS zones available in the selected subscription.

05 Click on the name (link) of the Azure DNS zone that you want to examine.

06 In the resource navigation panel, under Settings, select Locks to access the resource locks configured for the selected DNS zone.

07 On the Locks page, check for any resource locks configured for the selected DNS zone. If there are no resource locks listed on this page and the following message is displayed: This resource has no locks., the selected Azure DNS zone does not use resource locks. If one or more resource locks are configured, check the Lock type column to identify the lock type (level) used for the resource. If your DNS zone does not use the correct lock level, the resource locks configuration is not compliant.

08 Repeat steps no. 5 – 7 for each Azure DNS zone created within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network dns zone list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure DNS zone available in the selected subscription: 

az network dns zone list
	--query '[*].id'

05 The command output should return the requested DNS zone identifiers (IDs): 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/client.trendmicro.com"
]

06 Run lock list command (Windows/macOS/Linux) with the ID of the Azure DNS zone that you want to examine as the identifier parameter and custom output filters to describe the name and the level of the resource lock set for the selected DNS zone: 

az lock list
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com"
	--query '[*].{"name":name,"level":level}'

07 Based on the resource lock configuration, the command output should return one of the following:

  1. If the lock list command output returns an empty array (i.e., []), as shown in the example below, the selected Azure DNS zone does not use resource locks: 
    []
  2. If the command output returns the name and the level of the resource lock but the lock level is not the required one, as shown in the example below, where the "ReadOnly" lock is expected, the resource locks configuration for the selected Azure DNS zone is not compliant: 
    [
	{
		"level": "CanNotDelete",
		"name": "cc-dns-delete-lock"
	}
]

08 Repeat steps no. 6 and 7 for each Azure DNS zone created within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable resource locks for your production or mission critical Microsoft Azure DNS zones, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and DNS zone for Value, then choose Apply to list the Azure DNS zones available in the selected subscription.

05 Click on the name (link) of the Azure DNS zone that you want to lock down.

06 In the resource navigation panel, under Settings, select Locks.

07 On the Locks configuration page, perform the following actions:

  1. If the resource lock is not properly configured, choose the non-compliant resource lock that you want to remove, and choose Delete to delete the lock.
  2. Choose Add from the top menu and perform the following operations to create a new, compliant resource lock:
    1. Provide a name for the new resource lock in the Lock name box.
    2. Select the appropriate type (level) of lock restriction from the Lock type dropdown list. Use Read-only when you need authorized users to read the resource, without being able to update or delete the resource. Select Delete when you need authorized users to read and update the resource, without being able to delete the resource.
  3. For Notes, provide a short description of the implemented lock restriction.
  4. Click OK to create and apply the resource lock.

08 Repeat steps no. 5 - 7 for each Azure DNS zone that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 If the resource lock is not properly configured for your Azure DNS zone, run lock delete command (Windows/macOS/Linux) with the ID of the DNS zone that you want to configure as the identifier parameter, to remove the non-compliant resource lock from the selected DNS zone (the command does not produce an output): 

az lock delete
	--name cc-dns-delete-lock
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com"

05 Run lock create command (Windows/macOS/Linux) with the ID of the Azure DNS zone that you want to lock down as the identifier parameter, to enable resource locks for the selected DNS zone. As an example, the following command request creates a "ReadOnly" resource lock. This lock level allows authorized users to read the resource, without being able to update or delete the resource: 

az lock create
	--name cc-dns-read-only-lock
	--lock-type ReadOnly
	--resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com"

06 The command output should return the information available for the new resource lock: 

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com/providers/Microsoft.Authorization/locks/cc-read-only-lock",
	"level": "ReadOnly",
	"name": "cc-dns-read-only-lock",
	"notes": null,
	"owners": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Authorization/locks"
}

07 Repeat steps no. 4 - 6 for each Azure DNS zone that you want to configure, deployed in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date Aug 18, 2025

Related DNS rules