Using the Page

Open Access Control > Access Optimization from the left sidebar. The page loads the latest scan with default filters applied and a two-column layout: principals on the left, optimization details for the selected principal on the right.

Default Filters

These apply on first load. Adjust any of them in the header.

Defaults

Principal Types
User, Group (service principals excluded)
Role Types
Critical, Management, Read (Other excluded)
Time Window
30 days
Thresholds
Stale 50%, over-scoped 30%, excessive sprawl 5 subscriptions

Only flagged principals appear

Principals with no optimization findings are not listed. To see every assignment regardless of usage, open Role Assignments.

Header Controls

On wide screens the filters spread across the header. On narrower screens they collapse into a single Filters button containing the same options. The scan-selection dropdown stays visible in both layouts so you can switch which scan snapshot you're analyzing.

Time Window
7, 30, 60, 90, 180, or 365 days. Drives every other calculation on the page.
Principal Type
User, Group, Service Principal.
Role Type
Critical, Management, Read, Other.
Optimization Type
Limits the list to specific findings. Only types present in the current scan show up as options.
Thresholds
Adjust stale, over-scoped, and excessive sprawl thresholds. See Settings.
Scan Selection
Choose which scan snapshot to analyze.

Principal List

Each row represents a user, group, or service principal with at least one optimization finding. Sorted by optimization count by default; the sort dropdown also offers alphabetical.

Color-coded badges next to each name show how many findings of each type the principal has, after current filters are applied. The badge counts shift as you change filters.

Badge Colors

Red
Over-Privileged
Amber
Over-Scoped, Excessive Sprawl
Green
Unused
Blue
Stale
Purple
Redundant Assignment

Group-based access

When a user is granted access through a group, their row shows a via [Group Name] subtitle. Multiple groups collapse to via N groups. Nested chains (User → Group A → Group B) are preserved in the detail panel.

Detail Panel

Click a principal to open the detail panel on the right. Each finding appears as a card with the optimization type, the role and scope, evidence, and a recommendation.

Common Card Fields

Entity
The scope where the role is assigned: management group, subscription, resource group, or resource.
Assigned
When the role assignment was created.
Last Used
Most recent activity timestamp from Azure Activity Logs.
Days Inactive
Days since the last activity.
Activity Count
Total operations performed in the time window.
Via Group
Group chain when access is inherited (e.g., Engineering Team → All Employees).
Recommendation
Specific action: remove, downgrade, rescope, or review. Group-based assignments produce group-aware recommendations.

Type-specific fields appear where they apply: an Operations breakdown for Over-Privileged findings, Scope Efficiency for Over-Scoped, and a Redundancy explanation for Redundant Assignments.

Each card includes two buttons that carry the principal and time window forward into deeper investigation:

View in Activity Explorer
Opens Activity Explorer pre-filtered to the principal, time window, and subscription context.
View in Role Assignments
Opens Role Assignments filtered to the principal so you can see every assignment, not just the flagged ones.

Hiding Recommendations

Hide findings you've deliberately decided not to act on so they stop cluttering reviews. You can hide a single recommendation or hide every finding for a principal at once.

A single finding
Click Hide on the recommendation card in the detail panel. Use this when one specific assignment is justified (a break-glass Owner, an intentionally over-scoped service principal) but other findings on the same principal still warrant review.
An entire principal
Click Hide from the principal's row in the list to suppress every finding for that principal. Use this for documented exceptions (a service principal with audited broad access, a CI/CD identity).

The Hide dialog has an optional Reason field. The reason is recorded in the StratoLens activity log for audit, so leave a note future reviewers can rely on.

Hidden items stay hidden across scans. To find them again, check Show hidden in the page header (the toggle only appears once at least one item is hidden). Open a hidden item and click Unhide to bring it back. Unhiding takes effect immediately, no rescan needed.

Hide is shared, not personal

Hiding is tenant-scoped. Anyone with access to your StratoLens instance sees the same hidden state, so coordinate with teammates before hiding findings tied to shared identities.

Hidden findings are excluded from dashboards

The Access Health dashboard widget and any cross-feature counts skip hidden findings. To reconcile a difference between the widget total and this page, turn on Show hidden.

Why Results Change Between Scans

Optimization detection runs against a rolling time window and the latest activity data, so the same assignment can shift status without anyone changing anything in Azure.

  • An active assignment can become stale as days pass without new activity.
  • A stale assignment can become active again the next time the principal performs an operation.
  • Activity logs have a 5-15 minute ingestion delay, so very recent activity may not appear until the next scan.

Stabilize the signal

Focus on findings that persist across multiple scans rather than chasing single-scan noise. Longer time windows (180-365 days) and a higher stale threshold (70%) reduce churn from intermittent legitimate use.
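The following is an added worked example, not StratoLens code, showing why the status of a single assignment shifts between scans and how a persistence filter quiets that churn. It replays weekly scans of a constructed activity history against the page's default window and stale threshold (30 days, 50%) and against the "stabilized" settings (a longer window, 70%). The page gives only the threshold numbers, so the classification rule itself (stale when the principal has been idle for at least the stale percentage of the window, unused when there is no activity in the window at all) and the sample principals and dates are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): one user with two bursts of
# activity, and one service principal that never appears in activity logs.
ACTIVITY = {
    "alice@contoso.example": [date(2024, 3, 1), date(2024, 4, 10)],
    "svc-build": [],
}
# Six weekly scan snapshots: 2024-03-08 through 2024-04-12.
SCAN_DATES = [date(2024, 3, 8) + timedelta(weeks=i) for i in range(6)]


def days_inactive(activity, scan_date, window_days):
    """Days since the most recent activity inside the rolling window, or None
    when the principal did nothing at all within the window."""
    cutoff = scan_date - timedelta(days=window_days)
    recent = [d for d in activity if cutoff < d <= scan_date]
    return (scan_date - max(recent)).days if recent else None


def classify(activity, scan_date, window_days=30, stale_pct=50):
    """Assumed rule (the page states only the default numbers):
    'unused' when there is no activity in the window,
    'stale' when the idle stretch covers at least stale_pct of the window,
    'active' otherwise."""
    idle = days_inactive(activity, scan_date, window_days)
    if idle is None:
        return "unused"
    if idle * 100 >= stale_pct * window_days:
        return "stale"
    return "active"


def scan_series(activity, scan_dates, window_days=30, stale_pct=50):
    """Status of one assignment at each scan, with nothing changing in Azure."""
    return [(d, classify(activity, d, window_days, stale_pct)) for d in scan_dates]


def findings(principals, scan_date, window_days=30, stale_pct=50):
    """What a single scan would flag: every assignment that is not active."""
    flagged = set()
    for principal, activity in principals.items():
        status = classify(activity, scan_date, window_days, stale_pct)
        if status != "active":
            flagged.add((principal, status))
    return flagged


def persistent(findings_by_scan, min_scans=3):
    """Findings present in each of the last min_scans scans. Single-scan
    flips (active -> stale -> active) fall out of the intersection."""
    scans = sorted(findings_by_scan)[-min_scans:]
    if len(scans) < min_scans:
        return set()
    return set.intersection(*(findings_by_scan[s] for s in scans))


def main():
    alice = ACTIVITY["alice@contoso.example"]
    print("30-day window, stale 50% (page defaults):")
    for d, status in scan_series(alice, SCAN_DATES):
        print(f"  {d}  {status}")
    print("90-day window, stale 70%:")
    for d, status in scan_series(alice, SCAN_DATES, 90, 70):
        print(f"  {d}  {status}")
    by_scan = {d: findings(ACTIVITY, d) for d in SCAN_DATES}
    print("findings persisting across the last 3 scans:", persistent(by_scan))


if __name__ == "__main__":
    main()
```

With the defaults, the user's Owner-style assignment reads active, active, stale, stale, unused, active across the six scans even though no role assignment changed; the single operation on 2024-04-10 is enough to flip it back. With a 90-day window and a 70% threshold the same history is active at every scan, and the persistence filter leaves only the service principal that genuinely never acted.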