Settings
Four settings control what gets flagged. Adjust them in the page header (or under Filters on smaller screens). Changes recompute findings against the current scan immediately.
Time Window
The lookback period analyzed against activity logs. Drives every other detection on the page: stale, unused, over-privileged, and over-scoped all reference this window.
Defaults
- Default: 30 days
- Options: 7, 30, 60, 90, 180, 365 days
Recommended Settings
- 7-30 days: Offboarding and rapid post-change verification.
- 90 days: Quarterly audits aligned with most compliance cycles.
- 180-365 days: Annual reviews, seasonal access patterns, and Owner-role exception checks.
Stale Threshold
Percentage of the time window that must elapse since the last activity for an assignment to be flagged stale. Higher values flag only clearly abandoned access; lower values flag aggressively at the first sign of inactivity.
Defaults
- Default: 50%
- Range: 1-100%
How the math reads
A 365-day window with the threshold at 70% flags assignments where the last activity was more than 255 days ago (365 × 0.70). That focuses reviews on access inactive for the bulk of the year while letting quarterly or seasonal usage pass.
Recommended Settings
- 30-40%: Aggressive. High-security environments needing frequent validation.
- 50-60%: Balanced. Default for most organizations.
- 70-80%: Conservative. Reduces noise from intermittent legitimate use.
Over-Scoped Threshold
Minimum scope efficiency before an assignment is considered appropriately scoped. Scope efficiency is the percentage of entities in the assignment's scope that the principal has actually operated on.
Defaults
- Default: 30%
- Range: 1-100%
How the math reads
A Contributor assignment on a subscription with 100 resources, with activity on 25 of them, has 25% scope efficiency. At the default 30% threshold, that's flagged. At a 20% threshold, it isn't.
Recommended Settings
- 10-20%: Aggressive. Large environments with hundreds of resources per subscription.
- 30-40%: Balanced. Default for most organizations.
- 50-60%: Conservative. Only flags clearly narrow activity.
Excessive Sprawl Threshold
Number of subscriptions a single role can span before the assignments are flagged for review. Lower values prompt reviews of broad access more aggressively; higher values focus only on extreme sprawl.
Defaults
- Default: 5 subscriptions
- Range: 1-50
Recommended Settings
- 3-4: Strict. Many subscriptions, broad access discouraged.
- 5-7: Balanced. Default for most organizations.
- 10+: Permissive. Large enterprises where wide access is more common.
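The four settings applied together to a few constructed assignments, as an added sketch that is not the product's own code. The record fields, the handling of assignments with no recorded activity or an empty scope, counting sprawl per principal and role, and flagging only when the span exceeds the threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Settings:                      # defaults as listed on this page
    window_days: int = 30            # Time Window
    stale_pct: int = 50              # Stale Threshold
    over_scoped_pct: int = 30        # Over-Scoped Threshold
    sprawl_subs: int = 5             # Excessive Sprawl Threshold

@dataclass
class Assignment:                    # hypothetical record shape
    principal: str
    role: str
    subscription: str
    last_activity: Optional[date]    # None: no activity found in the logs
    in_scope: int                    # entities in the assignment's scope
    touched: int                     # entities the principal operated on

def stale_cutoff_days(s: Settings) -> int:
    # 365-day window at 70% gives 255, matching the page's rounding
    return s.window_days * s.stale_pct // 100

def scope_efficiency(a: Assignment) -> float:
    # Assumption: an empty scope counts as fully used rather than dividing by zero
    return 100.0 if a.in_scope == 0 else 100.0 * a.touched / a.in_scope

def evaluate(assignments, s: Settings, today: date) -> dict:
    span = {}                        # (principal, role) -> subscriptions spanned
    for a in assignments:
        span.setdefault((a.principal, a.role), set()).add(a.subscription)
    findings = {}
    for a in assignments:
        flags = []
        # Assumption: no recorded activity is treated as stale
        if a.last_activity is None or (today - a.last_activity).days > stale_cutoff_days(s):
            flags.append("stale")
        if scope_efficiency(a) < s.over_scoped_pct:
            flags.append("over-scoped")
        if len(span[(a.principal, a.role)]) > s.sprawl_subs:
            flags.append("sprawl")
        findings[(a.principal, a.role, a.subscription)] = flags
    return findings

TODAY = date(2024, 6, 30)            # constructed sample data below
SAMPLE = [Assignment("svc-build", "Contributor", "sub-a", TODAY - timedelta(days=256), 100, 25)]
SAMPLE += [Assignment("ops-team", "Reader", f"sub-{i}", TODAY, 10, 10) for i in range(6)]
```

Re-running `evaluate` over the same sample with different `Settings` mirrors the way changing a setting recomputes findings against the current scan.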