Access Optimization
Access Optimization flags Azure RBAC assignments that look out of step with how a principal actually uses Azure. It correlates role assignments with up to 365 days of activity logs and recommends specific remediations: remove, downgrade, rescope, or consolidate.
What You'll Learn
- Navigate the principal list and detail panel
- Read the six optimization types and their evidence
- Tune detection thresholds for your environment
- Run quarterly audits, offboarding checks, and group cleanup
Prerequisites
The StratoLens managed identity needs Reader on every subscription and management group you want analyzed. Group-based assignments resolve to individual members only when Microsoft Graph permissions are also granted; see Optimization Types > Group Resolution.
Key Capabilities
Six Optimization Types
Unused, stale, over-privileged, over-scoped, excessive sprawl, and redundant assignments. Each finding includes evidence and a specific remediation recommendation.
Activity-Backed Findings
Correlates assignments against up to 365 days of Azure Activity Logs, so recommendations are grounded in observed usage rather than role names alone.
Group Member Resolution
Resolves Azure AD group assignments down to the individual users granted access through them, including nested group chains.
Targeted Filtering
Filter by principal type (user, group, service principal), role type (critical, management, read, other), and optimization type to focus reviews.
Cross-Feature Investigation
Jump from a finding into Activity Explorer or Role Assignments with the principal and time window already applied.
Documentation Sections
Start with Using the Page for a tour, or jump straight to the section you need.
Using the Page
Open Access Optimization, read the principal list, and work the detail panel.
Read: Using the Page →
Optimization Types
The six findings, what they detect, and how to read the evidence.
Read: Optimization Types →
Settings
Time window, stale threshold, over-scoped threshold, and excessive sprawl threshold.
Read: Settings →
Workflows
Quarterly audits, user offboarding, critical-role enforcement, group cleanup, and migration cleanup.
Read: Workflows →
Related Features
- Role Assignments — complete RBAC inventory without the activity-based filtering. Use it when you need every assignment, not just flagged ones.
- Activity Explorer — operation-level evidence behind every finding. Detail-panel buttons jump here pre-filtered.