Common Workflows

Step-by-step guides for implementing Access Optimization in real-world scenarios. Each workflow includes detailed steps, expected results, and practical tips for successful execution.

Five Essential Workflows

  • Quarterly Security Audit: Identify and remediate over-privileged access before compliance deadlines
  • User Offboarding: Verify complete access removal including group memberships
  • Least-Privilege Enforcement: Downgrade critical roles based on actual usage patterns
  • Group Membership Cleanup: Remove inactive users from Azure AD groups
  • Subscription Migration: Clean up lingering access after workload migrations

Workflow 1: Quarterly Security Audit

Scenario

Your organization requires quarterly reviews of Azure RBAC assignments to ensure least-privilege compliance. You need to identify and remediate over-privileged access before the quarterly audit submission deadline.

Implementation Steps

1. Configure Analysis Window

  • Navigate to Access Control → Access Optimization in the StratoLens sidebar
  • Set the Time Window to 90 days (current quarter)
  • Leave detection thresholds at defaults (50% stale, 30% over-scoped, 5 sprawl) or adjust based on your organization's policies

2. Review Principal List

  • Principal list defaults to sorting by Most Optimizations (highest counts first)
  • Start with principals showing high optimization counts
  • Red badges indicate critical over-privileged findings

3. Investigate Each Finding

  • Click each principal to view the detail panel with specific optimization findings
  • Review the Explanation field to understand why it was flagged
  • Check the Evidence section (Last Used date, Activity Count, Operation breakdown)
  • Click View in Activity Explorer to investigate detailed activity patterns
  • Click View in Role Assignments to see all assignments for this principal

4. Document Remediation Decisions

  • Remove: Access clearly unused or redundant → schedule for removal
  • Downgrade: Over-privileged → plan role downgrade (e.g., Owner → Contributor)
  • Rescope: Over-scoped → plan scope reduction (e.g., subscription → resource group)
  • Justify: Access is appropriate → document business justification for audit trail

5. Export and Coordinate

  • Use the Export button (top-right, if available) to download findings as CSV or JSON for audit documentation
  • Coordinate with resource owners and managers to approve remediation plans

6. Execute Remediation

  • Execute remediations in Azure Portal (remove assignments, downgrade roles, rescope permissions)
  • After remediation, trigger a new StratoLens scan or wait for next scheduled scan (default every 5 minutes)
  • Return to Access Optimization to verify optimization findings have disappeared for remediated principals
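The detection thresholds in step 1 (50% stale, 30% over-scoped) are worth understanding before you tune them. The following Python script, added here as an illustration and not StratoLens code, classifies a handful of constructed assignments into the Unused, Stale and Over-Scoped finding types, orders them by the severity ranking used in the prioritization tips, and writes the CSV an auditor would expect from step 5. The threshold semantics (stale = idle for more than the given percentage of the window, over-scoped = fewer than the given percentage of child scopes used) are assumptions stated in the docstring; the sample data, principal names and dates are made up.

```python
"""Threshold-based classification of RBAC assignments into the Unused /
Stale / Over-Scoped finding types, run over constructed sample data.
Added example, not StratoLens code; threshold semantics are assumptions."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Assignment:
    principal: str
    role: str
    scope: str
    last_used: Optional[date]        # None: no recorded activity at all
    activity_count: int = 0
    child_scopes: int = 1            # resource groups/resources under the scope
    child_scopes_used: int = 0       # how many of them saw any activity
    via_group: Optional[str] = None  # "Via Group" when inherited from a group


@dataclass
class Finding:
    principal: str
    role: str
    scope: str
    kind: str
    explanation: str
    via_group: Optional[str] = None


# Severity ordering from the prioritization tips (Over-Privileged comes from
# the critical-role workflow, not from this classifier).
SEVERITY = {"Over-Privileged": 0, "Unused": 1, "Stale": 2, "Over-Scoped": 3}


def classify(assignments: List[Assignment], window_days: int = 90,
             stale_pct: int = 50, over_scoped_pct: int = 30,
             today: date = date(2025, 4, 1)) -> List[Finding]:
    """Assumed threshold semantics:
    - Unused: no activity inside the window at all
    - Stale: idle for more than stale_pct% of the window
      (50% of 90 days = 45 days; 60% of 180 days = 108 days)
    - Over-Scoped: fewer than over_scoped_pct% of the granted child scopes
      were used (the 'scope efficiency' evidence field)"""
    stale_days = window_days * stale_pct / 100
    window_start = today - timedelta(days=window_days)
    findings: List[Finding] = []
    for a in assignments:
        base = dict(principal=a.principal, role=a.role, scope=a.scope,
                    via_group=a.via_group)
        if a.last_used is None or a.last_used < window_start or a.activity_count == 0:
            findings.append(Finding(kind="Unused",
                explanation=f"No activity in the last {window_days} days", **base))
            continue  # an unused assignment needs no further evidence
        idle_days = (today - a.last_used).days
        if idle_days > stale_days:
            findings.append(Finding(kind="Stale",
                explanation=f"Last used {idle_days} days ago, over the "
                            f"{stale_days:.0f}-day stale threshold", **base))
        efficiency = a.child_scopes_used / a.child_scopes if a.child_scopes else 1.0
        if efficiency < over_scoped_pct / 100:
            findings.append(Finding(kind="Over-Scoped",
                explanation=f"Used {efficiency:.0%} of the granted scope", **base))
    return findings


def prioritized(findings: List[Finding]) -> List[Finding]:
    """Most severe first; stable, so the scan order is kept within a kind."""
    return sorted(findings, key=lambda f: SEVERITY[f.kind])


def export_csv(findings: List[Finding]) -> str:
    """CSV for the audit package: one row per finding with its evidence."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["principal", "role", "scope",
                                             "via_group", "kind", "explanation"])
    writer.writeheader()
    for f in prioritized(findings):
        writer.writerow(vars(f))
    return buf.getvalue()


# Constructed sample: one healthy, one stale and over-scoped, one unused via group.
SAMPLE = [
    Assignment("alice", "Contributor", "/subscriptions/sub-a", date(2025, 3, 28),
               activity_count=40, child_scopes=20, child_scopes_used=12),
    Assignment("bob", "Reader", "/subscriptions/sub-a", date(2025, 1, 20),
               activity_count=3, child_scopes=10, child_scopes_used=1),
    Assignment("carol", "Owner", "/subscriptions/sub-a", None,
               via_group="Engineering Team"),
]

if __name__ == "__main__":
    print(export_csv(classify(SAMPLE)))
```

Raising `stale_pct` to 90 on the same data makes bob's 71 idle days fall inside the allowed 81 days, so the Stale finding disappears while the Over-Scoped one stays; that is the kind of sensitivity check to run before committing to a threshold for the quarter.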

Expected Results

  • CSV/JSON export containing all optimization findings with evidence
  • Documented remediation decisions for each finding (remove/downgrade/rescope/justify)
  • Reduced optimization count in subsequent scans after remediation
  • Audit-ready documentation showing due diligence in maintaining least-privilege access

Prioritization Tips

  • Prioritize optimizations by severity: Over-Privileged (red) > Unused (green) > Stale (blue) > Over-Scoped (amber)
  • Use Activity Explorer's operation type filtering to understand exactly what operations users perform
  • Filter by Role Type: Critical to focus on Owner and User Access Administrator assignments first
  • Document justifications for retained access in your organization's CMDB or ticketing system
  • Schedule quarterly reviews in calendar to align with StratoLens scanning and audit cycles

Workflow 2: User Offboarding Verification

Scenario

An employee has left the organization. You need to verify complete access removal, including both direct RBAC assignments and access granted via Azure AD group memberships, to ensure no lingering permissions remain.

Implementation Steps

1. Gather User Information

  • Obtain the departing user's User Principal Name (UPN, email address) or Azure AD Object ID from your HR system or identity team

2. Configure Analysis

  • Navigate to Access Control → Access Optimization
  • Set Time Window to 90 days to detect recent inactivity (user likely hasn't accessed resources since leaving)

3. Locate User

  • In the principal list, scroll or search for the specific user by name
  • If the user doesn't appear, no optimization findings were detected for them; still check Role Assignments, which lists all of the user's assignments regardless of usage

4. Identify Group-Based Access

  • Click the user's row to open the detail panel
  • Review each optimization finding, noting:
    • Direct assignments (no "Via Group" field)
    • Group-based assignments (shows "Via Group: [Name]" with nested chain if applicable)
  • Pay close attention to assignments showing "via [Group Name]" subtitle

5. Document Group Memberships

  • For each group-based assignment, note the group name (e.g., "Engineering Team", "All Employees")
  • Check for nested group chains (e.g., "Engineering Team → All Employees")
  • Document which groups require user removal

6. Execute Cleanup

  • Navigate to Access Control → Role Assignments to verify the complete list of direct assignments
  • Create tickets or coordinate with Azure AD administrators to:
    • Remove user from identified Azure AD groups
    • Remove any remaining direct RBAC assignments in Azure Portal
  • Verify Azure AD account deactivation/deletion with identity team

7. Verify Completion

  • Wait for next StratoLens scan (5 minutes default) or trigger manual scan
  • Return to Access Optimization and search for the user again
  • Success verification: User should not appear in principal list (no assignments remaining)
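Steps 4 to 7 amount to resolving every path by which the user reaches a role assignment and then proving that no path remains. The script below, an added example and not StratoLens code, does that over a constructed directory: it walks nested group membership upward from the user, labels inherited assignments with the same "Engineering Team → All Employees" chain notation the detail panel uses, derives the removal checklist, and re-runs the resolution after the simulated cleanup as the verification step. Group names, UPNs and scopes are made up.

```python
"""Resolve a departing user's effective role assignments through nested
Azure AD group chains and verify nothing remains after cleanup.
Added example over constructed directory data, not StratoLens code."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# constructed: group -> direct members (users or nested groups)
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "All Employees": {"Engineering Team", "Finance Team"},
    "Engineering Team": {"jdoe@contoso.example", "DevOps Engineers"},
    "DevOps Engineers": {"jdoe@contoso.example", "svc-deploy"},
    "Finance Team": {"asmith@contoso.example"},
}
# constructed: (principal, role, scope)
ROLE_ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("jdoe@contoso.example", "Contributor", "/subscriptions/sub-a/resourceGroups/rg-app"),
    ("All Employees", "Reader", "/subscriptions/sub-a"),
    ("DevOps Engineers", "Contributor", "/subscriptions/sub-a/resourceGroups/rg-infra"),
    ("Finance Team", "Reader", "/subscriptions/sub-b"),
]


def parent_map(members: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the membership map: member -> groups it belongs to directly."""
    parents: Dict[str, Set[str]] = {}
    for group, ms in members.items():
        for m in ms:
            parents.setdefault(m, set()).add(group)
    return parents


def group_chains(user: str, members: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map every group the user belongs to, directly or through nesting, to the
    shortest chain that reaches it (BFS). The 'p not in chain' check stops
    cyclic nesting from looping forever."""
    parents = parent_map(members)
    chains: Dict[str, List[str]] = {}
    queue = deque([g] for g in sorted(parents.get(user, ())))
    while queue:
        chain = queue.popleft()
        group = chain[-1]
        if group in chains:
            continue
        chains[group] = chain
        for p in sorted(parents.get(group, ())):
            if p not in chain:
                queue.append(chain + [p])
    return chains


def effective_assignments(user, members, assignments) -> List[Tuple[str, str, Optional[str]]]:
    """(role, scope, via) triples; via is None for a direct assignment and the
    'A → B' chain text for one inherited through groups."""
    chains = group_chains(user, members)
    result = []
    for principal, role, scope in assignments:
        if principal == user:
            result.append((role, scope, None))
        elif principal in chains:
            result.append((role, scope, " → ".join(chains[principal])))
    return result


def offboarding_plan(user, members, assignments) -> Dict[str, list]:
    """Removing the user from the groups they are a direct member of severs
    every nested chain; direct assignments are deleted individually."""
    groups = sorted(parent_map(members).get(user, ()))
    direct = [(r, s) for p, r, s in assignments if p == user]
    return {"remove_from_groups": groups, "delete_assignments": direct}


def apply_plan(user, members, assignments, plan):
    """Simulate the cleanup so the result can be re-verified with
    effective_assignments(), mirroring the post-scan check in step 7."""
    new_members = {g: (ms - {user} if g in plan["remove_from_groups"] else set(ms))
                   for g, ms in members.items()}
    new_assignments = [a for a in assignments
                       if not (a[0] == user and (a[1], a[2]) in plan["delete_assignments"])]
    return new_members, new_assignments


if __name__ == "__main__":
    user = "jdoe@contoso.example"
    for row in effective_assignments(user, GROUP_MEMBERS, ROLE_ASSIGNMENTS):
        print(row)
    plan = offboarding_plan(user, GROUP_MEMBERS, ROLE_ASSIGNMENTS)
    m2, a2 = apply_plan(user, GROUP_MEMBERS, ROLE_ASSIGNMENTS, plan)
    print("remaining:", effective_assignments(user, m2, a2))
```

Note that the Reader assignment on the whole subscription never names the user or even the user's direct group; it only appears once the chain through "All Employees" is followed, which is exactly the nested membership the best practices below flag as commonly overlooked.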

Expected Results

  • User has zero remaining role assignments (direct or via groups)
  • User does not appear in Access Optimization principal list after re-scan
  • Documentation of all groups user was removed from for audit trail
  • Confirmation that offboarding checklist access removal step is complete

Offboarding Best Practices

  • Set time window to 90 days to ensure you capture recent activity (user may have accessed resources in their final weeks)
  • Pay special attention to nested group memberships (often overlooked in offboarding)
  • Check for service principal assignments if the user had any automated processes or applications under their account
  • Document group memberships before removal for potential rehire scenarios or audit questions
  • Cross-reference with Role Assignments feature to ensure completeness (Access Optimization only shows principals with optimization findings)
  • Consider filtering by Principal Type: User to focus on user accounts only

Workflow 3: Least-Privilege Enforcement for Critical Roles

Scenario

Your security policy requires that Owner and User Access Administrator roles only be granted when actively used for RBAC management. You need to identify and downgrade users with critical roles who don't actually manage permissions.

Implementation Steps

1. Configure Critical Role Analysis

  • Navigate to Access Control → Access Optimization
  • Set Time Window to 365 days for maximum historical analysis (catch infrequent but legitimate RBAC usage)
  • Apply filters:
    • Role Type: Select Critical only (focuses on Owner and User Access Administrator)
    • Optimization Type: Select Over-Privileged (shows principals with critical roles but no RBAC operations)

2. Prioritize Findings

  • Review the filtered principal list showing only users, groups, and service principals with critical roles but no RBAC activity
  • Sort by Most Optimizations to prioritize principals with multiple over-privileged assignments

3. Analyze Operation Patterns

  • For each principal, click to open detail panel
  • Review the Role badge (Owner or User Access Administrator)
  • Check the Operations breakdown to see what operations they do perform:
    • High Create/Update counts → Likely need Contributor (resource management)
    • High Read/Action counts → Likely need custom role or specific resource-level permissions
    • Zero RBAC operations → Confirms over-privileged status
  • Click View in Activity Explorer to see detailed operation history

4. Determine Appropriate Role

  • Contributor: Creates/manages VMs, storage, networking
  • Reader: Only reads metrics and logs
  • Custom Role: Specific actions on specific resources

5. Get Approvals

  • For each downgrade decision:
    • Export findings or take screenshots for approval documentation
    • Coordinate with principal's manager to confirm appropriate role level
    • Verify no legitimate RBAC management responsibilities (emergency access, disaster recovery, delegation)

6. Execute Downgrades

  • After approvals, execute downgrades in Azure Portal:
    • Remove Owner or User Access Administrator assignment
    • Grant replacement role (Contributor, Reader, custom role)
  • Notify affected principals of role change before execution to avoid disruption
  • Trigger new StratoLens scan after remediation
  • Verify over-privileged findings are resolved for downgraded principals
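Steps 3 and 4 turn an operation breakdown into a replacement role. The Python below, added as an illustration and not StratoLens code, encodes that decision for a constructed set of critical-role holders. The rules are assumptions drawn from the bullets above (any RBAC operation justifies the role; any write needs Contributor because Reader cannot write; reads alone map to Reader; reads plus actions such as start/stop point at a custom role), not a documented StratoLens algorithm, and the principals and counts are made up.

```python
"""Map a critical-role holder's operation breakdown to the replacement role
suggested by the least-privilege workflow. Added example over constructed
operation counts; the decision rules are assumptions."""
from typing import Dict, List, Optional, Tuple

CRITICAL_ROLES = {"Owner", "User Access Administrator"}


def recommend_role(role: str, ops: Dict[str, int]) -> Tuple[str, Optional[str], str]:
    """ops holds operation-type counts for the analysis window, e.g.
    {"RBAC": 0, "Create": 12, "Update": 30, "Read": 200, "Action": 4}.
    Returns (finding, recommended_role, reason)."""
    if role not in CRITICAL_ROLES:
        return ("Not critical", role, "only Owner and User Access Administrator are assessed")
    rbac = ops.get("RBAC", 0)
    if rbac > 0:
        return ("Justified", role, f"{rbac} RBAC operations: role is used for permission management")
    writes = sum(ops.get(k, 0) for k in ("Create", "Update", "Delete"))
    reads = ops.get("Read", 0)
    actions = ops.get("Action", 0)
    if writes == 0 and reads == 0 and actions == 0:
        # nothing at all in the window: a removal candidate, not a downgrade
        return ("Over-Privileged", None, "no activity in window: remove rather than downgrade")
    if writes > 0:
        return ("Over-Privileged", "Contributor", f"{writes} create/update/delete operations, zero RBAC")
    if actions > 0:
        return ("Over-Privileged", "Custom Role",
                f"{reads} reads plus {actions} actions: scope a custom role to those actions")
    return ("Over-Privileged", "Reader", f"{reads} read operations only")


def review(principals: List[Tuple[str, str, Dict[str, int]]]) -> List[Dict[str, object]]:
    """Batch form for the filtered principal list; over-privileged entries first
    so the approval paperwork in step 5 starts with the downgrades."""
    rows = []
    for name, role, ops in principals:
        finding, new_role, reason = recommend_role(role, ops)
        rows.append({"principal": name, "current": role, "finding": finding,
                     "recommended": new_role, "reason": reason})
    return sorted(rows, key=lambda r: r["finding"] != "Over-Privileged")


# constructed sample over a 365-day window
PRINCIPALS = [
    ("alice", "Owner", {"RBAC": 3, "Read": 50}),
    ("bob", "Owner", {"RBAC": 0, "Create": 5, "Update": 20, "Read": 300}),
    ("svc-monitor", "User Access Administrator", {"RBAC": 0, "Read": 4000}),
    ("carol", "Owner", {"RBAC": 0, "Read": 40, "Action": 6}),
    ("dave", "Owner", {}),
]

if __name__ == "__main__":
    for row in review(PRINCIPALS):
        print(row)
```

The service principal in the sample is the case the best practices single out: an application identity holding User Access Administrator while only ever reading is a Reader with an oversized blast radius.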

Expected Results

  • All Owner and User Access Administrator roles are actively used for RBAC operations
  • Principals not performing RBAC management are downgraded to appropriate roles (Contributor, Reader, custom)
  • Documented evidence and approvals for each role change
  • Reduced attack surface and improved compliance with least-privilege principles

Critical Role Best Practices

  • Use Activity Explorer's Operation Type: RBAC filter to specifically look for permission management activity
  • Consider creating custom roles for common permission patterns (e.g., "VM Operator" with start/stop/restart but no create/delete)
  • Notify users before downgrade to prevent surprise when they lose access
  • Document emergency access procedures for critical roles (break-glass accounts, PIM activation)
  • Some organizations use Privileged Identity Management (PIM) for just-in-time critical role activation; consider this for legitimate occasional needs
  • Filter by Principal Type: Service Principal separately to review application identities with critical roles

Workflow 4: Group Membership Cleanup

Scenario

Your organization grants access via Azure AD groups, but group memberships accumulate over time as team members change roles or leave. You need to identify users who should be removed from groups based on inactivity.

Implementation Steps

1. Configure Group Analysis

  • Navigate to Access Control → Access Optimization
  • Set Time Window to 180 days (6 months) to catch seasonal access patterns
  • Set thresholds to match your organization's policies:
    • Stale Threshold: 60% (flag access inactive for more than 108 days in 180-day window)
    • Leave over-scoped and sprawl thresholds at defaults

2. Identify Group-Based Access

  • Look for principals showing group-based access in the principal list:
    • Users with "via [Group Name]" subtitle below their name
    • Users showing Users icon (👥) next to subtitle text
  • Filter by Optimization Type to focus on specific issues:
    • Unused: Group members with zero activity
    • Stale: Group members with infrequent activity
    • Over-Scoped: Group members using only small portion of group's access scope

3. Review Evidence

  • Click each principal to view detailed optimization findings
  • For each optimization finding with "Via Group" field:
    • Note the group name (e.g., "DevOps Engineers", "Contractor-Readonly")
    • Check for nested group chains (e.g., "Engineering Team → All Employees")
    • Review evidence:
      • Last Used: When they last accessed resources via this group's permissions
      • Activity Count: How many operations they performed
      • Scope Efficiency: What percentage of the group's access scope they actually use

4. Identify Patterns

  • Multiple Users, Same Group: Entire group may be over-assigned
  • Single User Unused: Individual should be removed from group
  • Nested Chain, No Activity: Review group structure for unnecessary nesting

5. Determine Root Cause

  • For each group with inactive members:
    • Document members with unused/stale access via that group
    • Click View Group in Role Assignments button (if shown) to see group's complete access
    • Determine root cause:
      • User changed roles → Remove from group
      • User on extended leave → Document exception or remove temporarily
      • Group grants excessive access → Consider creating more granular groups

6. Execute Cleanup

  • Coordinate with group owners (check Azure AD group ownership):
    • Provide list of users to remove from group
    • Explain evidence (no activity for 180 days, only used 5% of group's scope, etc.)
    • Get approval for removals
  • Execute group membership cleanup in Azure AD:
    • Remove inactive users from groups
    • Consider restructuring overly broad groups into role-specific groups
  • Wait for next scan (5 minutes) or trigger manual scan
  • Verify optimization findings for group-based access are reduced
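Step 4's pattern table is easy to apply mechanically once the findings are grouped by the group that granted the access. The script below, added as an illustration and not StratoLens output, does that over constructed findings: it counts inactive members per group, flags nested chains with no activity, notes groups whose active members use only a sliver of the group's scope, and formats the evidence sentence step 6 asks you to give the group owner. Group names, users and the 30% scope-efficiency cutoff (taken from the default over-scoped threshold in Workflow 1) are assumptions.

```python
"""Aggregate group-based findings into the patterns from the group cleanup
workflow. Added example over constructed findings, not StratoLens output."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class GroupFinding:
    user: str
    group: str                 # group whose assignment was flagged
    chain: str                 # "Via Group" chain as shown in the detail panel
    activity_count: int
    scope_efficiency: float    # share of the group's scope the user touched


# constructed sample: one finding per flagged user/group pair, 180-day window
FINDINGS = [
    GroupFinding("u1", "Contractor-Readonly", "Contractor-Readonly", 0, 0.0),
    GroupFinding("u2", "Contractor-Readonly", "Contractor-Readonly", 0, 0.0),
    GroupFinding("u3", "Contractor-Readonly", "Contractor-Readonly", 0, 0.0),
    GroupFinding("u4", "DevOps Engineers", "DevOps Engineers", 0, 0.0),
    GroupFinding("u5", "All Employees", "Engineering Team → All Employees", 0, 0.0),
    GroupFinding("u6", "All Employees", "Engineering Team → All Employees", 2, 0.05),
]
GROUP_SIZE = {"Contractor-Readonly": 3, "DevOps Engineers": 8, "All Employees": 40}
OVER_SCOPED_CUTOFF = 0.30   # assumed: default over-scoped threshold from Workflow 1


def identify_patterns(findings: List[GroupFinding], group_size: Dict[str, int]) -> Dict[str, dict]:
    """Per group: the pattern labels from step 4, the users to remove and the
    share of the group that is inactive (for the owner conversation)."""
    by_group: Dict[str, List[GroupFinding]] = defaultdict(list)
    for f in findings:
        by_group[f.group].append(f)
    report = {}
    for group, fs in by_group.items():
        unused = [f for f in fs if f.activity_count == 0]
        nested_unused = [f for f in unused if "→" in f.chain]
        low_scope = [f for f in fs if f.activity_count > 0
                     and f.scope_efficiency < OVER_SCOPED_CUTOFF]
        patterns = []
        if len(unused) > 1:
            patterns.append("Entire group may be over-assigned")
        elif len(unused) == 1:
            patterns.append("Remove individual from group")
        if nested_unused:
            patterns.append("Review group structure for unnecessary nesting")
        if low_scope:
            patterns.append("Group grants far more scope than members use")
        report[group] = {
            "patterns": patterns,
            "remove": sorted(f.user for f in unused),
            "inactive_share": len(unused) / group_size[group],
        }
    return report


def owner_evidence(report: Dict[str, dict], window_days: int = 180) -> List[str]:
    """One sentence per group owner, phrased as step 6 suggests."""
    lines = []
    for group, r in sorted(report.items()):
        if r["remove"]:
            lines.append(f"{group}: remove {', '.join(r['remove'])} "
                         f"(no activity in {window_days} days; "
                         f"{r['inactive_share']:.0%} of members inactive)")
    return lines


if __name__ == "__main__":
    for line in owner_evidence(identify_patterns(FINDINGS, GROUP_SIZE)):
        print(line)
```

A group where every member is inactive (the contractor group in the sample) is a signal to question the group's assignment itself rather than to file three individual removals, which is the distinction the pattern table draws.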

Expected Results

  • Azure AD groups contain only active members who actually use the group's permissions
  • Reduced unused/stale access granted via group memberships
  • Documentation of which users were removed from which groups for audit trail
  • Cleaner group structure aligned with current team composition

Group Cleanup Best Practices

  • Focus on groups granting broad access (Contributor, Owner roles) or access to production subscriptions first
  • Review nested group chains carefully; removing users from parent groups may be more appropriate than removing from child groups
  • Use Activity Explorer to verify user activity before removal (some users may have legitimate intermittent access needs)
  • Consider setting up Azure AD access reviews for automated periodic group membership validation
  • Document business justifications for users who remain in groups despite low activity (seasonal workers, on-call engineers, disaster recovery roles)
  • Filter by Principal Type: User to focus on human identities (exclude service principals and managed identities)

Workflow 5: Subscription Migration Cleanup

Scenario

Your organization recently migrated workloads from Subscription A to Subscription B. You need to identify and remove lingering access to the old subscription now that resources have been moved.

Implementation Steps

1. Identify Subscriptions

  • Source subscription (old): "Production-Legacy" (Subscription A)
  • Target subscription (new): "Production-Current" (Subscription B)
  • Migration completion date: needed for time window selection

2. Configure Time Window

  • Navigate to Access Control → Access Optimization
  • Set Time Window to cover the post-migration period:
    • If migration completed 2 weeks ago → 30 days (includes pre and post migration)
    • If migration completed 2 months ago → 90 days (comprehensive view)

3. Identify Migration Patterns

  • In the principal list, look for patterns:
    • Principals with high optimization counts may have access on both old and new subscriptions
    • Unused access findings likely target the old subscription if migration was successful
  • Click each principal to view detail panel optimization findings
  • For each optimization, review the Subscription field (shown for resource groups and resources)

4. Check for Specific Patterns

  • Unused on Subscription A: Likely safe to remove (workloads migrated to B)
  • Stale on Subscription A: Last activity before the migration date is the expected pattern
  • Active on Both A and B: User may need access to both during the transition

5. Determine Cleanup Actions

  • For each principal with access to Subscription A:
    • Verify their role on Subscription A (check detail panel)
    • Check if they also have assignments on Subscription B:
      • Navigate to Role Assignments
      • Filter by principal
      • Compare role assignments across subscriptions
    • Determine cleanup action:
      • Same role on both subs → Remove Subscription A assignment (migration complete)
      • Different roles on subs → Verify which is correct for new environment
      • Only Subscription A → May indicate user no longer needs access (workload owner changed)

6. Coordinate and Execute

  • Export findings or document principals with Subscription A access to remove:
    • List principal name, role, scope, last activity date
    • Note any exceptions (e.g., decommissioning team needs temporary Subscription A access)
  • Coordinate with subscription owner and workload teams:
    • Confirm migration is complete and Subscription A is ready for decommissioning
    • Verify no ongoing dependencies on Subscription A resources
    • Get approval to remove access
  • Execute access removal in Azure Portal:
    • Remove role assignments on Subscription A for migrated users
    • Keep a small number of Owners on Subscription A for decommissioning work
    • Document exceptions (e.g., 2-3 administrators with Owner for final cleanup)
  • Set a timeline for complete Subscription A decommissioning and final access removal

7. Verify Cleanup

  • Trigger new scan after access removal
  • Verify optimization findings for Subscription A are reduced or eliminated
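Step 5 is a per-principal comparison of the role held on the old subscription against the role held on the new one, checked against the migration date from step 1. The Python below, an added example and not StratoLens code, performs that comparison over constructed assignments and produces the cleanup plan with the documented exception for decommissioning administrators from step 6. Subscription ids, names, principals and dates are made up; the rules follow the three cases listed in step 5, with an extra flag for activity on Subscription A after the migration date, which is the best-practice check on the Last Used date.

```python
"""Cross-subscription comparison for migration cleanup: decide what to do
with each principal's Subscription A access by comparing it with their
Subscription B access and the migration date. Added example over
constructed assignments, not StratoLens code."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

SUB_A = "/subscriptions/sub-a"   # "Production-Legacy" (constructed id)
SUB_B = "/subscriptions/sub-b"   # "Production-Current" (constructed id)
MIGRATION_DATE = date(2025, 2, 15)

# constructed: (principal, role, scope, last_used on that scope or None)
ASSIGNMENTS: List[Tuple[str, str, str, Optional[date]]] = [
    ("alice", "Contributor", SUB_A, date(2025, 2, 1)),
    ("alice", "Contributor", SUB_B, date(2025, 3, 20)),
    ("bob", "Reader", SUB_A, date(2025, 1, 10)),
    ("bob", "Contributor", SUB_B, date(2025, 3, 1)),
    ("carol", "Contributor", SUB_A + "/resourceGroups/rg-legacy-db", date(2025, 3, 10)),
    ("dave", "Owner", SUB_A, date(2025, 3, 25)),
]
# documented exception from step 6: administrators kept for decommissioning
DECOMMISSION_EXCEPTIONS: Set[str] = {"dave"}


def subscription_of(scope: str, subs: Tuple[str, ...]) -> Optional[str]:
    """Map a subscription, resource-group or resource scope to its subscription."""
    for sub in subs:
        if scope == sub or scope.startswith(sub + "/"):
            return sub
    return None


def plan_cleanup(assignments, sub_a: str, sub_b: str, migration_date: date,
                 exceptions: Set[str]) -> List[Dict[str, object]]:
    per_principal: Dict[str, Dict[str, Tuple[str, Optional[date]]]] = defaultdict(dict)
    for principal, role, scope, last_used in assignments:
        sub = subscription_of(scope, (sub_a, sub_b))
        if sub:
            per_principal[principal][sub] = (role, last_used)
    plan = []
    for principal, subs in sorted(per_principal.items()):
        if sub_a not in subs:
            continue                     # no lingering access on the old subscription
        role_a, last_a = subs[sub_a]
        if principal in exceptions:
            action = "Keep: documented decommissioning exception"
        elif sub_b in subs and subs[sub_b][0] == role_a:
            action = "Remove Subscription A assignment: same role on B, migration complete"
        elif sub_b in subs:
            action = f"Verify: {role_a} on A but {subs[sub_b][0]} on B, confirm which is correct"
        else:
            action = "Only Subscription A: confirm whether access is still needed"
        # activity on A after the cut-over contradicts a completed migration
        active_after = last_a is not None and last_a > migration_date
        plan.append({"principal": principal, "role_a": role_a, "last_used_a": last_a,
                     "active_after_migration": active_after, "action": action})
    return plan


def removals(plan: List[Dict[str, object]]) -> List[str]:
    """Principals whose Subscription A assignment can go without a further question."""
    return [str(p["principal"]) for p in plan
            if str(p["action"]).startswith("Remove") and not p["active_after_migration"]]


if __name__ == "__main__":
    plan = plan_cleanup(ASSIGNMENTS, SUB_A, SUB_B, MIGRATION_DATE, DECOMMISSION_EXCEPTIONS)
    for row in plan:
        print(row)
    print("ready to remove:", removals(plan))
```

Carol's resource-group assignment shows why the Subscription field in the detail panel matters: a scope below the subscription still counts as access to Subscription A, and her activity after the migration date is the signal to talk to the workload owner before removing anything.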

Expected Results

  • Subscription A (old) has minimal role assignments (only for decommissioning work)
  • Most user access has migrated to Subscription B (new)
  • Documentation of cleanup actions and timeline for final decommissioning
  • Verification that migration is complete from access perspective

Migration Cleanup Best Practices

  • Coordinate closely with workload owners before removing access; some migrations have extended parallel run periods
  • Keep 2-3 emergency administrators with Owner on old subscription for rollback scenarios during transition
  • Use the Last Used date in detail panel to identify when users last accessed Subscription A (should be before migration date)
  • Set a firm decommissioning date for Subscription A and communicate to all stakeholders
  • Consider filtering by Role Type: Critical first to ensure Owner/UAA roles are cleaned up appropriately
  • Use Activity Explorer to verify no recent activity on Subscription A (confirms migration success)
  • Document the final state of Subscription A access for audit trail before final decommissioning