Azure Resource Group - Managing Access and Permissions

B

ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

When you apply a ReadOnly lock to a resource group, it prevents all users from deleting or modifying any resource within that resource group. This lock restricts all operations that might affect the resources' state but allows reading the resources.

Given that the question states that you have applied a ReadOnly lock to RG1 and you have a virtual machine (VM1) running Windows Server 2016, and its disk files are stored in an Azure Storage account named storageaccount1, the following actions are possible from the Azure portal:

A. Generate an automation script for RG1 - This is possible because generating an automation script does not modify any resource within the resource group. An automation script can be created by clicking on the "Automation script" option under the "Settings" tab of the resource group.

B. View the keys of storageaccount1 - This is not possible because viewing the keys of a storage account requires modifying the storage account's configuration, which is not allowed when a ReadOnly lock is applied to the resource group.

C. Upload a blob to storageaccount1 - This is not possible because uploading a blob to a storage account requires modifying the storage account's configuration, which is not allowed when a ReadOnly lock is applied to the resource group.

D. Start VM1 - This is not possible because starting a VM modifies the VM's state, which is not allowed when a ReadOnly lock is applied to the resource group.

In conclusion, the only action possible from the Azure portal with a ReadOnly lock applied to a resource group is generating an automation script.