Optimization Types

Access Optimization detects six distinct issues. Each one combines a clear definition, an evidence trail, and a recommendation, so you can decide whether to act or document an exception.

Unused Access

A role assignment with zero activity in the selected time window. Prime candidate for removal during access reviews.

StratoLens queries Azure Activity Logs for any operations performed by the principal in the time window. Zero entries means the assignment is flagged.

Read-only roles never flag as unused

Azure Activity Logs only capture write operations (create, update, delete, RBAC changes). Read operations are not logged by the Azure platform, so Reader-style roles can't be evaluated for usage. This is an Azure constraint, not a StratoLens limitation. If a user with a read-only role appears unused, treat the finding as not applicable and document the exception.

Stale Access

Access that was used at some point but hasn't been used recently enough. The threshold is a percentage of the time window, default 50%.

How the threshold reads

With a 30-day window and the default 50% threshold, the cutoff is 15 days. If the principal's last activity was 20 days ago, the assignment is stale (20 > 15). Lower the threshold to flag more aggressively; raise it to focus on clearly abandoned access.

Over-Privileged Access

A user holds Owner or User Access Administrator but has performed zero RBAC operations in the time window. The role grants powerful permission-management capabilities the principal isn't exercising.

The detail panel's Operations breakdown is the deciding evidence: high Create/Update counts with zero RBAC operations usually means Contributor would suffice.

Legitimate critical-role exceptions

Over-privileged is a prompt to review, not a verdict. Common cases where you should keep the role and document the exception:

  • Break-glass / disaster recovery: Owner held for emergency use that hasn't fired yet.
  • Quarterly responsibilities: RBAC management happens once a quarter; expand the time window to 365 days to confirm.
  • Pending project starts: Owner granted ahead of work that hasn't begun. Set a reminder to recheck.
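The three activity-based findings above (Unused, Stale and Over-Privileged) all derive from the same Activity Log rows, so one pass over them can produce all three. The block below is an added illustration, not StratoLens code: the assignments, the log rows, the timestamps and the read-only role list are constructed, and RBAC operations are recognised by the Microsoft.Authorization/ operation prefix. It applies the 30-day window and 50% threshold from the text and skips Reader-style roles, which Activity Logs cannot evaluate.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data for a hypothetical tenant; not StratoLens output.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner", "scope": "/subscriptions/sub-1"},
    {"principal": "bob", "role": "Contributor", "scope": "/subscriptions/sub-1"},
    {"principal": "carol", "role": "Contributor", "scope": "/subscriptions/sub-1"},
    {"principal": "dave", "role": "Reader", "scope": "/subscriptions/sub-1"},
]

# Constructed Activity Log rows. Only write operations appear because Azure does
# not log reads; operation names follow Azure's provider/type/action form.
ACTIVITY = [
    {"principal": "alice", "operation": "Microsoft.Compute/virtualMachines/write", "time": NOW - timedelta(days=2)},
    {"principal": "alice", "operation": "Microsoft.Storage/storageAccounts/write", "time": NOW - timedelta(days=1)},
    {"principal": "bob", "operation": "Microsoft.Web/sites/write", "time": NOW - timedelta(days=20)},
]

READ_ONLY_ROLES = {"Reader"}                              # assumption: roles that cannot be evaluated
CRITICAL_ROLES = {"Owner", "User Access Administrator"}   # built-in roles the Over-Privileged check covers
RBAC_PREFIX = "Microsoft.Authorization/"                  # roleAssignments/write etc. count as RBAC operations


def operations_breakdown(entries):
    """Bucket activity rows the way the detail panel does: Create/Update, Delete, RBAC."""
    counts = Counter()
    for e in entries:
        if e["operation"].startswith(RBAC_PREFIX):
            counts["rbac"] += 1
        elif e["operation"].endswith("/delete"):
            counts["delete"] += 1
        else:
            counts["create_update"] += 1
    return counts


def analyze(assignments, activity, now=NOW, window_days=30, stale_pct=50):
    """Return {(principal, role): [findings]} for one time window.

    unused:          no write activity in the window
    stale:           last activity older than stale_pct of the window (30 days * 50% = 15 days)
    over-privileged: Owner / User Access Administrator with zero RBAC operations in the window
    """
    window_start = now - timedelta(days=window_days)
    stale_cutoff = now - timedelta(days=window_days * stale_pct / 100)
    findings = {}
    for a in assignments:
        key = (a["principal"], a["role"])
        if a["role"] in READ_ONLY_ROLES:
            # Activity Logs cannot show read usage, so never report these as unused.
            findings[key] = ["not applicable (read-only role)"]
            continue
        mine = [e for e in activity
                if e["principal"] == a["principal"] and e["time"] >= window_start]
        if not mine:
            findings[key] = ["unused"]
            continue
        tags = []
        if max(e["time"] for e in mine) < stale_cutoff:
            tags.append("stale")
        if a["role"] in CRITICAL_ROLES and operations_breakdown(mine)["rbac"] == 0:
            tags.append("over-privileged")
        findings[key] = tags or ["ok"]
    return findings


if __name__ == "__main__":
    for key, tags in analyze(ASSIGNMENTS, ACTIVITY).items():
        print(key, tags)
```

With the constructed rows, alice's Owner role is over-privileged (writes but no RBAC operations), bob's Contributor is stale (last write 20 days ago against a 15-day cutoff), carol's Contributor is unused, and dave's Reader is reported as not applicable. Raising stale_pct to 80 moves the cutoff to 24 days and clears bob's finding, which is the lever the text describes.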

Over-Scoped Access

The principal has activity on less than the configured percentage of the entities in the assignment's scope. Default threshold is 30%.

Scope efficiency uses real entity counts from the latest scan, not estimates. The detail panel shows the fraction (e.g., 15% (3 of 20 scopes)) so you can verify the math against what you expect.

Scope efficiency calculation

Contributor on a subscription with 200 resources, where the principal operates on only 15 of them, gives 7.5% scope efficiency (15 of 200). With the default 30% threshold, that's flagged. Recommendation: rescope to the resource group containing the 15 active resources.

If the entity count looks wrong

Scope efficiency uses the most recent scan's inventory. If new resources were created after the last scan, they aren't counted yet. Wait for the next scheduled scan (default every 8 hours) or trigger one manually before relying on a borderline finding.
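The calculation and the rescoping recommendation from the worked example, reproduced as an added example rather than StratoLens code. The inventory snapshot (200 resources in one subscription) and the list of resources the principal touched are constructed; resource IDs follow the standard Azure form so the resource-group scope can be read off the ID. Resources seen in activity but absent from the snapshot are reported separately rather than counted, which is the "created after the last scan" situation.

```python
# Constructed inventory from a hypothetical "latest scan": 200 resources in one subscription.
LATEST_SCAN = {
    "/subscriptions/sub-1": (
        [f"/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Web/sites/app{i}" for i in range(15)]
        + [f"/subscriptions/sub-1/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/st{i}"
           for i in range(185)]
    ),
}

# Constructed activity: the principal touched only the 15 web apps.
ACTIVE_RESOURCES = [
    f"/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Web/sites/app{i}" for i in range(15)
]


def resource_group_scope(resource_id):
    """'/subscriptions/<sub>/resourceGroups/<rg>/...' -> the resource-group scope, or None."""
    parts = resource_id.split("/")
    if len(parts) > 4 and parts[1] == "subscriptions" and parts[3].lower() == "resourcegroups":
        return "/".join(parts[:5])
    return None


def scope_efficiency(scope, active_resources, scan, threshold_pct=30):
    """Share of the scope's scanned entities the principal actually operated on."""
    entities = set(scan[scope])
    active = set(active_resources)
    touched = active & entities
    unscanned = active - entities            # created after the last scan: not counted yet
    pct = 100.0 * len(touched) / len(entities) if entities else 0.0
    flagged = pct < threshold_pct
    recommendation = None
    if flagged:
        groups = {resource_group_scope(r) for r in touched}
        if len(groups) == 1 and None not in groups:
            recommendation = f"rescope to {groups.pop()}"
        else:
            recommendation = "review: active resources span several resource groups"
    return {
        "efficiency_pct": round(pct, 1),
        "touched": len(touched),
        "total": len(entities),
        "unscanned_active": len(unscanned),
        "flagged": flagged,
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    print(scope_efficiency("/subscriptions/sub-1", ACTIVE_RESOURCES, LATEST_SCAN))
```

A non-zero unscanned_active count is the signal to wait for the next scan before acting on a borderline percentage: those resources will raise the denominator (and possibly the numerator) once the inventory catches up.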

Excessive Role Sprawl

The same role assigned across more subscriptions than the configured threshold (default 5+). Often a sign that broad access was granted for convenience and could be consolidated to a management group, or that some of the assignments are no longer needed.

Sprawl is a pattern worth reviewing, not a verdict. Some users in large enterprises legitimately need wide access. Investigate before removing.
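Sprawl detection is a count of distinct subscriptions per (principal, role) pair, and the consolidation advice depends on whether those subscriptions sit under one management group. The following is an added example, not StratoLens code: the subscription-to-management-group map and the assignments are constructed, the "5+" default is read as five or more, and an assignment on any scope inside a subscription is counted against that subscription (a choice made here, not documented by the page).

```python
from collections import defaultdict

# Constructed hierarchy (hypothetical): subscription -> management group from the latest scan.
SUB_TO_MG = {
    "sub-1": "mg-prod", "sub-2": "mg-prod", "sub-3": "mg-prod",
    "sub-4": "mg-prod", "sub-5": "mg-prod", "sub-6": "mg-dev",
}

# Constructed assignments: erin holds Contributor on five prod subscriptions (one of them
# twice, at subscription and resource-group scope); grace holds Reader on five subscriptions
# that span two management groups.
ASSIGNMENTS = (
    [{"principal": "erin", "role": "Contributor", "scope": f"/subscriptions/sub-{i}"} for i in range(1, 6)]
    + [{"principal": "erin", "role": "Contributor", "scope": "/subscriptions/sub-1/resourceGroups/rg-app"}]
    + [{"principal": "grace", "role": "Reader", "scope": f"/subscriptions/sub-{i}"} for i in range(2, 7)]
)


def subscription_of(scope):
    """Subscription id that contains a scope, or None for management-group/tenant scopes."""
    parts = scope.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "subscriptions" else None


def detect_sprawl(assignments, sub_to_mg, threshold=5):
    """Flag (principal, role) pairs present on `threshold` or more distinct subscriptions."""
    subs_by_pair = defaultdict(set)
    for a in assignments:
        sub = subscription_of(a["scope"])
        if sub:
            subs_by_pair[(a["principal"], a["role"])].add(sub)
    findings = []
    for (principal, role), subs in sorted(subs_by_pair.items()):
        if len(subs) < threshold:
            continue
        mgs = {sub_to_mg.get(s) for s in subs}
        if len(mgs) == 1:
            rec = f"review; if all are needed, consolidate to management group {next(iter(mgs))}"
        else:
            rec = "review; subscriptions span management groups " + ", ".join(sorted(m or "?" for m in mgs))
        findings.append({"principal": principal, "role": role,
                         "subscriptions": sorted(subs), "recommendation": rec})
    return findings


if __name__ == "__main__":
    for f in detect_sprawl(ASSIGNMENTS, SUB_TO_MG):
        print(f)
```

Both constructed principals cross the threshold, but only erin's assignments collapse to a single management group; grace's span two, so the output points at review rather than consolidation, matching the "pattern worth reviewing, not a verdict" stance above.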

Redundant Assignment

A role assignment that grants permissions the principal already has from elsewhere. Three patterns get flagged:

Hierarchy Inheritance
Same role at parent and child scope. Example: Contributor on a subscription plus Contributor on a resource group inside it.
Role Supersession
Two roles on the same scope where one fully includes the other. Example: Owner plus Contributor on the same resource group.
Group Overlap
A direct assignment plus a group-based assignment for the same role and scope.

Multi-redundancy is normal

A single assignment can be redundant in more than one way at once (for example, hierarchy inheritance and role supersession together). The detail panel lists every redundancy that applies, so prioritize the broadest cleanup first.

Nested groups get a softer recommendation

When redundancy involves nested Azure AD groups, the recommendation is to review rather than remove. Group nesting is often intentional, so removing a member or restructuring the group hierarchy may be the right call instead.
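The three redundancy patterns, multi-redundancy and the softer recommendation for nested groups, as an added example (not StratoLens code). Scope containment is decided by path prefix on standard Azure scope strings; the role-inclusion table is a deliberately simplified assumption (Owner over Contributor, Reader and User Access Administrator; Contributor over Reader) and not the product's own; the assignments, including the via chain for group-based ones, are constructed.

```python
# Assumption: which built-in roles fully include which others (simplified, not StratoLens's table).
ROLE_INCLUDES = {
    "Owner": {"Contributor", "Reader", "User Access Administrator"},
    "Contributor": {"Reader"},
}

# Constructed assignments for one principal. "via" is the group chain ([] = direct assignment).
ASSIGNMENTS = [
    {"id": "A1", "principal": "carol", "role": "Contributor", "scope": "/subscriptions/sub-1", "via": []},
    {"id": "A2", "principal": "carol", "role": "Contributor", "scope": "/subscriptions/sub-1/resourceGroups/rg-app", "via": []},
    {"id": "A3", "principal": "carol", "role": "Owner", "scope": "/subscriptions/sub-1/resourceGroups/rg-app", "via": []},
    {"id": "A4", "principal": "carol", "role": "Contributor", "scope": "/subscriptions/sub-2", "via": ["SeniorEngineers", "AppTeam"]},
    {"id": "A5", "principal": "carol", "role": "Contributor", "scope": "/subscriptions/sub-2", "via": []},
]


def is_ancestor(parent, child):
    """True when `child` is a scope strictly inside `parent` (case-insensitive, like Azure scopes)."""
    return child.lower().startswith(parent.lower().rstrip("/") + "/")


def find_redundant(assignments):
    """Return {assignment id: {"reasons": [...], "recommendation": "remove"|"review"}}.

    Every applicable pattern is listed, so one assignment can carry several reasons.
    If any redundancy involves a nested group chain, the recommendation softens to "review".
    """
    out = {}
    for a in assignments:
        reasons, nested = [], False
        for b in assignments:
            if b is a or b["principal"] != a["principal"]:
                continue
            same_scope = a["scope"].lower() == b["scope"].lower()
            before = len(reasons)
            if a["role"] == b["role"] and is_ancestor(b["scope"], a["scope"]):
                reasons.append(f"hierarchy inheritance: {b['role']} already granted at {b['scope']}")
            if same_scope and a["role"] in ROLE_INCLUDES.get(b["role"], ()):
                reasons.append(f"role supersession: {b['role']} on the same scope includes {a['role']}")
            if same_scope and a["role"] == b["role"] and not a["via"] and b["via"]:
                reasons.append("group overlap: also granted via " + " -> ".join(b["via"]))
            if len(reasons) > before and (len(a["via"]) > 1 or len(b["via"]) > 1):
                nested = True
        if reasons:
            out[a["id"]] = {"reasons": reasons, "recommendation": "review" if nested else "remove"}
    return out


if __name__ == "__main__":
    for aid, finding in find_redundant(ASSIGNMENTS).items():
        print(aid, finding)
```

A2 is the multi-redundancy case: it is inherited from A1 and superseded by A3, so both reasons are listed and the broadest cleanup (dropping A2) is the obvious first step. A5 is redundant only through the nested SeniorEngineers -> AppTeam chain, so it gets "review" instead of "remove".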

Group Member Resolution

When a role is assigned to an Azure AD group, StratoLens resolves the group's members so each user appears individually with a via [Group Name] attribution. Nested groups are followed automatically and shown as a chain (e.g., SeniorEngineers → AppTeam).

This matters most for offboarding and audits, where you need to answer "which individual users actually have access?" without manually inspecting every group in Azure AD.
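Group expansion is a breadth-first walk over group membership that records the chain of groups leading to each user. The block below is an added example, not StratoLens code: the directory snapshot (users and nested groups per group) is constructed and includes a membership cycle to show why a visited-set is needed; the groups=None path models the missing-Graph-permissions case described in the next note, where the group assignment is reported but cannot be expanded.

```python
from collections import deque

# Constructed directory snapshot (hypothetical), shaped like the result of Graph group reads.
# Each group lists its direct user members and its direct nested groups.
GROUPS = {
    "SeniorEngineers": {"users": ["alice"], "groups": ["AppTeam"]},
    "AppTeam": {"users": ["bob", "carol"], "groups": ["Contractors", "SeniorEngineers"]},  # cycle back
    "Contractors": {"users": ["dave", "carol"], "groups": []},
}

# Constructed group-based role assignment.
ASSIGNMENT = {"principal": "SeniorEngineers", "principal_type": "Group",
              "role": "Contributor", "scope": "/subscriptions/sub-1"}


def resolve_members(group, groups):
    """Expand a group to individual users, breadth first.

    Returns {user: chain}; chain is the list of groups walked to reach the user, and the
    shortest chain wins when a user is reachable several ways. Groups already visited
    are skipped so nested-group cycles terminate.
    """
    members, seen = {}, {group}
    queue = deque([(group, [group])])
    while queue:
        name, chain = queue.popleft()
        entry = groups.get(name, {"users": [], "groups": []})
        for user in entry["users"]:
            members.setdefault(user, chain)
        for child in entry["groups"]:
            if child not in seen:
                seen.add(child)
                queue.append((child, chain + [child]))
    return members


def expand_assignment(assignment, groups=None):
    """Turn a group assignment into one row per user carrying a 'via' attribution.

    groups=None stands for missing Microsoft Graph permissions: the assignment is still
    reported, marked unexpanded, and no via chain is available.
    """
    if assignment["principal_type"] != "Group":
        return [dict(assignment, via=None)]
    if groups is None:
        return [dict(assignment, via=None, unexpanded=True)]
    rows = []
    for user, chain in sorted(resolve_members(assignment["principal"], groups).items()):
        rows.append(dict(assignment, principal=user, principal_type="User", via=" → ".join(chain)))
    return rows


if __name__ == "__main__":
    for row in expand_assignment(ASSIGNMENT, GROUPS):
        print(row["principal"], "via", row["via"])
```

Shortest-chain attribution matters for the offboarding question: carol is reachable both through AppTeam and through Contractors, and the reviewer needs the most direct path to the group membership that actually grants the role.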

Requires Microsoft Graph permissions

Without Microsoft Graph permissions for group, user, and application reads, the page still flags assignments granted to groups but cannot expand them to individual members. The via [Group Name] attribution and nested chains will not appear.

Have an Azure AD administrator grant and admin-consent the required permissions on the StratoLens enterprise application; results appear in subsequent scans.

Azure Platform Limitations

Most caveats here come from Azure itself rather than StratoLens. Knowing them up front prevents surprise findings.

Read operations not logged
Azure only writes create/update/delete/RBAC events to Activity Logs. Read-only role usage cannot be verified.
Activity log ingestion delay
Up to 15 minutes between an operation occurring and appearing in optimization analysis.
Custom critical roles
Over-Privileged detection only fires on the built-in Owner and User Access Administrator roles. Custom roles with equivalent permissions are not flagged.
Cross-tenant assignments
Only assignments inside the tenant where StratoLens is deployed are analyzed. Azure Lighthouse and B2B guest assignments across tenants are not included.
Service principal correlation
Some service principals using certificate-based auth may not correlate cleanly between activity logs and assignments. Investigate manually if a service principal's activity looks lower than expected.
Management group access
Hierarchy-inheritance redundancy detection requires Reader at the root management group. Without it, only redundancy within accessible branches is detected.