User & Group Access

Day-to-day administration of who has StratoLens access. Open Settings > Users from the left sidebar. The page is titled User Management and is only visible to administrators.

Permissions

Opening this page requires the View Users admin permission. Granting, editing, and revoking each require their own additional permissions. All four are part of the built-in Administrator role.

The Grants Table

The top section of the page lists every active grant. Each row is one user or group with one role and one scope.

Name
Display name with a user icon (blue) or group icon (green) prefix.
Roles
Color-coded role badge. Administrator is red, Manager amber, Operator cyan, Viewer blue, Cost Analyst green, Resource Viewer gray, custom roles purple.
Scope
Full Access (gray) for unrestricted grants and all Administrator grants; Restricted (amber) for grants limited to specific subscriptions or management groups.
Granted By
The administrator who created the grant.
Created
The date the grant was created.

Filter the table with the type selector (All Types / Users Only / Groups Only) or the role selector. The search box matches user and group display names.

One grant per identity

Each user or group can have only one grant. To change someone's role or scope, edit their existing grant rather than adding a new one.

Granting Access

Click Add Access at the top right of the grants section to open the Grant Access dialog.

  1. Search Entra ID by typing at least 2 characters and pressing Enter. Use the Both / Users / Groups filter next to the search box to narrow results.
  2. Pick a role from the dropdown. Roles are grouped under Built-in Roles and Custom Roles. The role defaults to Viewer. Click the info icon to view the role's permissions.
  3. (Optional) Configure a scope. See Scope Restrictions below.
  4. Click Add on the row of the user or group you want to grant.

Already-granted entries are greyed out

If a user or group already has a grant, their row appears greyed out with the Add button disabled. Find the existing row in the grants table and edit it instead.

Create a custom role inline

If you have role-management permission, the + button next to the role dropdown opens the Create Custom Role dialog without leaving the grant flow. See Custom Roles.

Scope Restrictions

The Data Access Scope section appears in both the Grant Access dialog and the edit modal. It controls which Azure subscriptions and management groups the grant's data is filtered to.

Toggle off (default)
The grant has Full Access to every scanned subscription.
Toggle on
The grant is restricted to the listed subscriptions and/or management groups. Click Edit Scopes to open the Azure hierarchy picker and check the items you want to include.

Management groups include everything below them

Selecting a management group includes every nested management group and subscription, current and future. New subscriptions added to that management group will appear in scope without any update to the grant.

Scopes are inclusive only

Listing two subscriptions means "this grant sees only those two," not "this grant sees everything except those two." If the toggle is on but no scopes are selected, the Add or Save button stays disabled, because an empty scope would mean "sees nothing."

Administrator role disables scope

Picking the Administrator role disables the scope toggle and forces Full Access. Administrators always see everything; scopes can't be applied to them.

Editing a Grant

Click the info icon on any row to open the Access Management modal. Change the role, change the scope, or both.

  1. Pick a new role in the Role Assignment section. Each grant can hold one role at a time.
  2. Adjust the Data Access Scope the same way as in the grant flow.
  3. Click Save. The button only enables once something has actually changed.

Switching to Administrator clears the scope

If you change the role to Administrator, the scope is automatically cleared and the toggle is disabled. Administrators always have Full Access.

You can't edit your own grant

An administrator can't change their own role or scope from this dialog. Both fields are shown read-only. To change your own access, ask another administrator.

Revoking Access

Click the trash icon on any row to open the Remove Access dialog. Confirm to revoke the grant immediately.

You can't revoke your own access

The trash icon on your own row is disabled. If you need to revoke your own grant, ask another administrator to do it.

Revoking does not delete history

Revoking only removes the grant. Audit log entries the user generated while they had access stay intact.

How Grants Combine

Direct and group grants stack

If a user has a direct grant and is also in a group with its own grant, they get the union of both roles and scopes. See Effective Permissions for the full rules.
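
The scope and stacking rules above, modelled as an added example for reviewing what a set of grants resolves to (this is not StratoLens code). The hierarchy, grant dictionaries and function names are constructed; the model assumes roles and subscriptions are unioned separately and leaves any finer rules to Effective Permissions.

```python
# Added illustration, not StratoLens code. Hierarchy and grants are constructed samples.
HIERARCHY = {  # management group -> child management groups / subscriptions
    "mg-root": ["mg-prod", "mg-dev"],
    "mg-prod": ["sub-prod-1", "sub-prod-2"],
    "mg-dev": ["mg-sandbox", "sub-dev-1"],
    "mg-sandbox": ["sub-sbx-1"],
}
SCANNED = {"sub-prod-1", "sub-prod-2", "sub-dev-1", "sub-sbx-1"}

def expand(item, hierarchy):
    """Every subscription at or below a scope item (nested groups included)."""
    if item not in hierarchy:  # not a management group: treat as a subscription
        return {item}
    subs = set()
    for child in hierarchy[item]:
        subs |= expand(child, hierarchy)
    return subs

def grant_subscriptions(grant, hierarchy, scanned):
    """Subscriptions one grant can see; scopes=None models the toggle being off."""
    if grant["role"] == "Administrator" or grant["scopes"] is None:
        return set(scanned)  # Full Access; Administrator ignores any scope
    if not grant["scopes"]:
        raise ValueError("a restricted grant needs at least one scope")
    visible = set()
    for item in grant["scopes"]:
        visible |= expand(item, hierarchy)
    return visible & scanned  # only scanned subscriptions hold data

def effective_access(grants, hierarchy, scanned):
    """Union of roles and of visible subscriptions over direct and group grants."""
    roles, subs = set(), set()
    for grant in grants:
        roles.add(grant["role"])
        subs |= grant_subscriptions(grant, hierarchy, scanned)
    return roles, subs

if __name__ == "__main__":
    direct = {"role": "Viewer", "scopes": ["sub-prod-1"]}
    via_group = {"role": "Cost Analyst", "scopes": ["mg-dev"]}
    print(effective_access([direct, via_group], HIERARCHY, SCANNED))
```

A restricted grant whose scoped subscriptions have not been scanned resolves to an empty set in this model, which matches the first troubleshooting case below.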

Troubleshooting

A user I just granted Viewer can't see anything

What to check

Confirm StratoLens has scanned at least one subscription. If the grant has a scope restriction, confirm the subscriptions in scope are subscriptions that have actually been scanned.

I can't see the User Management page myself

What to check

Your account doesn't have the View Users admin permission. Ask another administrator to grant it, or check whether your Administrator grant has been changed to a less-privileged role.