Data Exclusions

Skip specific management groups, subscriptions, or resource groups during scans, either entirely or for specific data types. Open Settings > Data Exclusions from the left sidebar. This page covers Scope Exclusions; the Diff Ignore List below it has its own documentation.

Permissions

Viewing exclusions is available to read-only roles. Adding, editing, and deleting exclusions requires a role with write access to scanner settings.

The Exclusions Table

Every configured exclusion appears as a row. Columns:

Scope
Scope-type icon, display name, and the truncated Azure resource ID.
Excluded Phases
Badges showing which data types are excluded. Reads All Phases when everything is excluded.
Added
Who added the exclusion and when.
Actions
Edit (pencil) and Delete (trash) icons.

Adding an Exclusion

Click Add Exclusion at the top-right of the Scope Exclusions section. A two-panel modal opens.

  1. Pick a scope on the left. Browse the Management Groups → Subscriptions → Resource Groups tree, or search by name. The selected scope echoes below the tree.
  2. Pick what to exclude on the right. Check All Phases to exclude everything, or check individual phases (see below).
  3. Add a reason (optional). A free-text field. Recommended so future reviewers understand the intent.
  4. Click Add Exclusion. The button is disabled until a scope is selected AND at least one phase is chosen.

Already-excluded scopes are flagged

Tree nodes already covered by a parent exclusion show an inline warning (Implicitly excluded by Management Group "X", or This scope is already excluded). Remove or edit the parent exclusion if you need per-scope control.

Phases You Can Exclude

Pick any combination, or use All Phases to exclude everything (current and future).

Entity Discovery

Resources, RBAC assignments, and all properties.

Resource Graph Changes

Change history from Azure Resource Graph.

Activity Logs

Azure activity log events and operations.

Cost Data

Cost Management data and billing information.

Defender Assessments

Microsoft Defender for Cloud security assessments.

Advisor Recommendations

Azure Advisor optimization recommendations.

Performance Metrics

VM and resource performance metrics.

Policy Data

Azure Policy assignments and compliance states.

Entity Discovery is foundational

Excluding Entity Discovery auto-excludes every other phase: without it, the scanner has no inventory to collect data against.

Editing and Deleting

Click the pencil icon on any row to reopen the exclusion in edit mode with its scope and phases pre-filled. Click the trash icon to delete; a confirmation dialog appears showing the scope being removed. Deletion can't be undone, but the scope will be included in the next scan, so any missing data returns automatically.

Behavior

Management Group exclusions cascade

Excluding a management group excludes every subscription and nested management group beneath it, at any depth.
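To audit which subscriptions end up without a given data type, the cascade rule above and the Entity Discovery rule can be modeled offline. This is an added example, not StratoLens code: the scope names, hierarchy and exclusion list are constructed, and it assumes an exclusion of individual phases on a management group cascades the same way as All Phases.

```python
PHASES = frozenset({
    "Entity Discovery", "Resource Graph Changes", "Activity Logs", "Cost Data",
    "Defender Assessments", "Advisor Recommendations", "Performance Metrics",
    "Policy Data",
})
ALL_PHASES = "All Phases"

# Constructed hierarchy: scope -> parent management group (None = root).
PARENT = {
    "mg-root": None, "mg-platform": "mg-root", "mg-sandbox": "mg-root",
    "mg-sandbox-labs": "mg-sandbox", "sub-prod": "mg-platform",
    "sub-lab-01": "mg-sandbox-labs", "sub-shared": "mg-root",
}
# Constructed exclusions: scope -> phases checked in the modal.
EXCLUSIONS = {
    "mg-sandbox": {"Cost Data", "Performance Metrics"},
    "mg-sandbox-labs": {"Entity Discovery"},
    "sub-prod": {"Advisor Recommendations"},
}

def expand(phases):
    """All Phases, or Entity Discovery alone, excludes every phase."""
    if ALL_PHASES in phases or "Entity Discovery" in phases:
        return set(PHASES)
    unknown = set(phases) - PHASES
    if unknown:
        raise ValueError(f"unknown phase(s): {sorted(unknown)}")
    return set(phases)

def effective_exclusions(scope):
    """Return {phase: excluding scope} for `scope`; the nearest scope wins."""
    result, seen, node = {}, set(), scope
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in hierarchy at {node}")
        seen.add(node)
        for phase in expand(EXCLUSIONS.get(node, set())):
            result.setdefault(phase, node)
        node = PARENT[node]  # walk up: assumed cascade of the parent's phases
    return result

def blind_spots(phase):
    """Subscriptions where `phase` is not collected, and the scope responsible."""
    out = {}
    for scope in PARENT:
        excluded = effective_exclusions(scope)
        if scope.startswith("sub-") and phase in excluded:
            out[scope] = excluded[phase]
    return out
```

Here blind_spots("Defender Assessments") reports sub-lab-01 as excluded through mg-sandbox-labs, even though that management group only has Entity Discovery checked.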

Exclusions apply on the next scan

New exclusions and edits take effect on the next scan. Existing records for newly excluded scopes are closed during that scan, so the data disappears from StratoLens views. To clear data sooner, trigger a scan manually.

Troubleshooting

I excluded a management group but one of its subscriptions still shows data

What to check

Data collected before the exclusion was added is cleared during the next scan, not instantly. Run a new scan to clear stale data.

The modal says my scope is already excluded

What to check

A parent scope already covers it. Remove or edit the parent exclusion if you want per-scope control, or pick a different child scope.