You have an Azure Storage account containing critical compliance archives.

You apply a 'ReadOnly' resource lock to the Storage account at the Azure Resource Manager (ARM) level.

What is the effect of this lock on the data within the Storage account?

Azure Resource Locks (CanNotDelete and ReadOnly) apply only to the management plane (Azure Resource Manager). They prevent accidental deletion or modification of the resource's configuration. However, they do NOT restrict data-plane operations. Therefore, a user with the appropriate data-plane permissions (e.g., Storage Blob Data Contributor) can still read, write, and delete blobs inside the locked storage account. To make the data itself immutable, you must use Blob Storage Immutability Policies (WORM).