Technical Details
Understand the technical architecture behind Access Optimization including data sources, refresh intervals, performance optimizations, required permissions, and platform limitations.
Technical Overview
- 5 Data Sources: Resource Graph, Activity Logs, Microsoft Graph, Management Groups, Entity Inventory
- Scan Frequency: Every 5 minutes (configurable per tenant)
- Activity Retention: Extended to 365 days via Cosmos DB storage
- Performance: Server-side optimization computation with parallel queries
- Permissions: Azure Reader + Microsoft Graph API access
Data Sources
Access Optimization retrieves data from the following Azure and Microsoft APIs:
Azure Resource Graph API
Role assignments (RBAC) across all subscriptions, resource groups, and management groups. Includes assignment metadata (principal, role, scope, creation date).
Azure Activity Logs API
365-day rolling window of operations with monthly partitioning (YYYY-MM format) for query performance. Captures write operations (create, update, delete, RBAC changes) but not read operations (Azure platform limitation).
Note: Read operations are not logged by the Azure platform, affecting unused detection for read-only roles.
Microsoft Graph API (beta endpoint)
Transitive group members via /groups/{id}/transitiveMembers for nested group support. Provides member types (User, ServicePrincipal, Managed Identity) and resolves multi-level group hierarchies automatically.
Azure Management Groups API
Management group hierarchy with expand=children and recurse=true parameters for complete organizational structure. Enables accurate redundancy detection across management group scopes.
Entity Inventory (Cosmos DB)
Real-time entity counts by type and subscription for accurate scope efficiency calculations in over-scoped detection (no estimates).
Refresh Frequency
Scan Interval
- Every 5 minutes by default (configurable per tenant in system settings)
Activity Log Retention
- Azure retains activity logs for 90 days natively
- StratoLens extends retention to 365 days via Cosmos DB storage in the activity_log_operations container
- Monthly partitions for query performance (partition key: YYYY-MM)
Group Membership Cache
- 15-minute TTL (time-to-live) in the Cosmos DB temporary_data container to reduce Microsoft Graph API calls
- First request: resolves groups via the Graph API and stores the result in the cache
- Subsequent requests within 15 minutes: return the cached result
- After 15 minutes: the entry expires automatically via TTL and the next request fetches fresh data
- Implication: a group membership change (for example a user removed from a group) can take up to 15 minutes to be reflected in "via Group" attribution
Principal Display Name Cache
- 1-hour cache for member name lookups minimizes duplicate Graph API calls for display name resolution
Extended Activity Retention
StratoLens provides 365-day activity log retention compared to Azure's native 90 days, so an access-pattern analysis or security audit can cover a full year of activity rather than the last quarter.
Performance Characteristics
Scan Speed
Processes thousands of role assignments per second during entity discovery and RBAC collection phases
Activity Aggregation
- 99% payload reduction through grouping by caller, operationType, subscriptionId, resourceGroupName
- Raw data: millions of individual activity log operations
- Aggregated data: thousands of activity metric summaries
- Result: faster API responses and reduced frontend processing
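The grouping described above, as an added example (not StratoLens code): raw operations are folded into one summary per (caller, operationType, subscriptionId, resourceGroupName) key, keeping a count and the first/last timestamp so that later "unused" checks only need the summary. The record field names are assumptions and the 1,000-operation input is constructed.

```typescript
// Added example, not StratoLens code. Field names are assumptions; sample input is constructed.
interface ActivityOperation {
  caller: string;           // UPN or object ID of the principal that performed the operation
  operationType: string;    // e.g. "Write", "Delete", "Action"; reads never appear (Azure does not log them)
  subscriptionId: string;
  resourceGroupName: string;
  timestamp: string;        // ISO 8601, UTC
}

interface ActivityMetric {
  caller: string;
  operationType: string;
  subscriptionId: string;
  resourceGroupName: string;
  count: number;            // operations folded into this summary
  firstSeen: string;        // earliest timestamp in the bucket
  lastSeen: string;         // latest timestamp in the bucket (what "unused" detection compares against)
}

// Caller (UPN) and resource group names are case-insensitive in Azure, so normalise them in the key.
function metricKey(op: ActivityOperation): string {
  return [op.caller.toLowerCase(), op.operationType, op.subscriptionId, op.resourceGroupName.toLowerCase()].join("|");
}

function aggregateActivity(ops: ActivityOperation[]): ActivityMetric[] {
  const buckets: Record<string, ActivityMetric> = {};
  for (const op of ops) {
    const key = metricKey(op);
    const existing = buckets[key];
    if (!existing) {
      buckets[key] = {
        caller: op.caller.toLowerCase(),
        operationType: op.operationType,
        subscriptionId: op.subscriptionId,
        resourceGroupName: op.resourceGroupName.toLowerCase(),
        count: 1,
        firstSeen: op.timestamp,
        lastSeen: op.timestamp,
      };
    } else {
      existing.count += 1;
      // ISO 8601 UTC strings of identical format sort lexicographically in time order
      if (op.timestamp < existing.firstSeen) existing.firstSeen = op.timestamp;
      if (op.timestamp > existing.lastSeen) existing.lastSeen = op.timestamp;
    }
  }
  return Object.keys(buckets).map((k) => buckets[k]);
}

// Payload reduction as a percentage, rounded to one decimal place.
function reductionPercent(rawCount: number, aggregatedCount: number): number {
  if (rawCount === 0) return 0;
  return Math.round((1 - aggregatedCount / rawCount) * 1000) / 10;
}

// Constructed sample: n operations one minute apart, cycling through 3 callers, 2 operation
// types, 2 subscriptions and 2 resource groups (24 distinct keys). IDs are placeholders.
function buildSampleOps(n: number): ActivityOperation[] {
  const callers = ["alice@contoso.example", "Bob@contoso.example", "8f0c2e3a-0000-4000-8000-000000000001"];
  const opTypes = ["Write", "Delete"];
  const subs = ["11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"];
  const rgs = ["rg-prod", "RG-Dev"];
  const ops: ActivityOperation[] = [];
  const start = Date.UTC(2024, 0, 1);
  for (let i = 0; i < n; i++) {
    ops.push({
      caller: callers[i % 3],
      operationType: opTypes[Math.floor(i / 3) % 2],
      subscriptionId: subs[Math.floor(i / 6) % 2],
      resourceGroupName: rgs[Math.floor(i / 12) % 2],
      timestamp: new Date(start + i * 60000).toISOString(),
    });
  }
  return ops;
}

function aggregationDemo(): { raw: number; aggregated: number; reduction: number } {
  const ops = buildSampleOps(1000);
  const metrics = aggregateActivity(ops);
  return { raw: ops.length, aggregated: metrics.length, reduction: reductionPercent(ops.length, metrics.length) };
}
```

With the constructed input, 1,000 operations collapse to 24 summaries (a 97.6% reduction); the 99% figure on the page corresponds to real tenants where the same handful of callers repeat the same operation types thousands of times.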
Parallel Queries
The role assignment query and the activity metrics query run in parallel, so wall-clock time is that of the slower query rather than the sum of both: at most a 2x speedup over running them sequentially.
Batch Group Resolution
- Up to 20 groups per Microsoft Graph API request with parallel batch execution
- First call (cache miss): 50 groups = 3 parallel batches (~2-3 seconds)
- Subsequent calls (cache hit, within 15 minutes): 50 groups = <100ms
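The cache and batching behaviour from the Group Membership Cache and Batch Group Resolution passages, as an added example (not StratoLens code): a TTL cache standing in for the Cosmos DB temporary_data container sits in front of a resolver that splits cache misses into batches of 20. The Graph call is a constructed stub and the clock is injected so the 15-minute expiry can be exercised without waiting; the class and function names are assumptions.

```typescript
// Added example, not StratoLens code. Names are assumptions; the Graph fetcher is a stub.
const CACHE_TTL_MS = 15 * 60 * 1000;   // 15-minute TTL, as on the Cosmos DB container
const GRAPH_BATCH_SIZE = 20;           // Microsoft Graph JSON batching accepts up to 20 requests

type MemberType = "User" | "ServicePrincipal" | "ManagedIdentity";
interface GroupMember { id: string; type: MemberType; }
interface CacheEntry { members: GroupMember[]; expiresAt: number; }

// One batched call: group IDs in, transitive members per group out.
type BatchFetcher = (groupIds: string[]) => Record<string, GroupMember[]>;

class GroupMemberResolver {
  private cache: Record<string, CacheEntry> = {};
  graphRequests = 0;   // batched Graph requests issued so far (observable in the test)

  constructor(private fetchBatch: BatchFetcher, private now: () => number) {}

  resolve(groupIds: string[]): Record<string, GroupMember[]> {
    const t = this.now();
    const result: Record<string, GroupMember[]> = {};
    const misses: string[] = [];
    for (const id of groupIds) {
      const entry = this.cache[id];
      if (entry && entry.expiresAt > t) {
        result[id] = entry.members;          // cache hit: no Graph traffic
      } else if (misses.indexOf(id) < 0) {
        misses.push(id);                     // miss or expired entry: fetch once, deduplicated
      }
    }
    // Split misses into batches of 20. The real service issues the batches concurrently;
    // here they run one after another because the stub fetcher is synchronous.
    for (let i = 0; i < misses.length; i += GRAPH_BATCH_SIZE) {
      const batch = misses.slice(i, i + GRAPH_BATCH_SIZE);
      this.graphRequests += 1;
      const fetched = this.fetchBatch(batch);
      for (const id of batch) {
        const members = fetched[id] || [];   // a group with no members is still cached
        this.cache[id] = { members, expiresAt: t + CACHE_TTL_MS };
        result[id] = members;
      }
    }
    return result;
  }
}

// Constructed stand-in for a $batch of GET /groups/{id}/transitiveMembers requests:
// group "g-N" is given N users plus one service principal.
function fakeGraphBatch(groupIds: string[]): Record<string, GroupMember[]> {
  if (groupIds.length > GRAPH_BATCH_SIZE) throw new Error("a Graph $batch accepts at most 20 requests");
  const out: Record<string, GroupMember[]> = {};
  for (const id of groupIds) {
    const n = parseInt(id.split("-")[1], 10);
    const members: GroupMember[] = [];
    for (let i = 0; i < n; i++) members.push({ id: "u-" + i, type: "User" });
    members.push({ id: "sp-" + id, type: "ServicePrincipal" });
    out[id] = members;
  }
  return out;
}

// Manual clock so TTL expiry can be simulated.
function makeClock(startMs: number): { now: () => number; advance: (ms: number) => void } {
  let t = startMs;
  return { now: () => t, advance: (ms: number) => { t += ms; } };
}

function groupIds(count: number): string[] {
  const ids: string[] = [];
  for (let i = 1; i <= count; i++) ids.push("g-" + i);
  return ids;
}

// Replays the page's scenario: 50 groups cold, again inside the TTL, again after it expires.
function cacheDemo(): { coldRequests: number; warmRequests: number; afterExpiryRequests: number } {
  const clock = makeClock(Date.UTC(2024, 0, 1));
  const resolver = new GroupMemberResolver(fakeGraphBatch, clock.now);
  const ids = groupIds(50);
  resolver.resolve(ids);                      // cold: 50 groups -> 3 batches
  const coldRequests = resolver.graphRequests;
  clock.advance(5 * 60 * 1000);
  resolver.resolve(ids);                      // 5 minutes later: every group is a cache hit
  const warmRequests = resolver.graphRequests - coldRequests;
  clock.advance(11 * 60 * 1000);              // 16 minutes after the cold fill: entries expired
  resolver.resolve(ids);
  const afterExpiryRequests = resolver.graphRequests - coldRequests - warmRequests;
  return { coldRequests, warmRequests, afterExpiryRequests };
}
```

The deduplication of misses matters in practice: a page listing many assignments granted to the same group should cost one Graph request for that group, not one per assignment.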
Backend Optimization Computation
- All six optimization types computed server-side using the shared optimizationDetection.ts utility before returning to the frontend
- Frontend receives ready-to-display optimizations (no client-side computation)
- Ensures consistency between the main Access Optimization page and the Dashboard widget (same detection logic)
Performance Impact
Group membership caching reduces API calls by ~95% for repeated queries, dramatically improving page load times when viewing the same principals within a 15-minute window.
Permissions Required
To use Access Optimization, the StratoLens managed identity requires:
Azure RBAC
- Required role: Reader
- Scope: all subscriptions and management groups being monitored
- Purpose: enumerating role assignments, reading entity metadata, accessing activity logs
Microsoft Graph API (application permissions, assigned as app roles to the managed identity's service principal and admin-consented)
- Group.Read.All: read Microsoft Entra ID (Azure AD) group memberships (transitive members)
- User.Read.All: read user details for principal display name resolution
- Application.Read.All: read service principal details for application identity resolution
Limited Functionality Without Graph API Permissions
Without Microsoft Graph API permissions, Access Optimization will still function but with limited capabilities:
Still Works
- Detects all six optimization types
- Shows role assignments granted to groups
Limited Functionality
- Cannot resolve group memberships to individual users
- Cannot show "via Group" attribution or nested group chains
- Group filtering will be limited
Permission Verification
Check Azure Portal → Microsoft Entra ID (formerly Azure Active Directory) → Enterprise Applications → [StratoLens App Name] → Permissions to confirm that all three Graph API application permissions are listed and admin-consented. Because the caller is a managed identity, these permissions are app role assignments on its service principal granted by an administrator; there is no user consent prompt, so a missing entry here means the assignment was never made.
Known Limitations
Read Operations Not Captured
Azure Activity Logs only capture write operations (create, update, delete, RBAC changes). Read operations are not logged by the Azure platform. This means:
- Read-only roles (Reader, Monitoring Reader, etc.) cannot have "unused" detection (we cannot verify if they're reading data)
- Users with Contributor who only read dashboards will show as "unused" even though they're using the read permission component
- This is an Azure platform limitation affecting all tools, not specific to StratoLens
Management Group Hierarchy
Complete redundancy detection (hierarchy inheritance type) requires the StratoLens managed identity to have Reader access to the root management group. If access is restricted:
- Partial hierarchy visible: only detects redundancy within accessible management group branches
- No hierarchy visible: cannot detect hierarchy-based redundancy at all (other types still work)
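The hierarchy-inheritance redundancy check and the effect of restricted visibility, as an added example (not StratoLens code): an assignment is redundant when the same principal already holds the same role at an ancestor scope, and an assignment the managed identity cannot read is simply absent, so a child-scope assignment that only duplicates a root-level one goes undetected. The management group tree, principal IDs and scope strings are constructed; scope strings follow the Azure resource ID format.

```typescript
// Added example, not StratoLens code. Tree, IDs and names are constructed placeholders.
interface MgNode { id: string; children?: MgNode[]; }   // id is the node's ARM scope
interface RoleAssignment { id: string; principalId: string; roleName: string; scope: string; }
interface Redundancy { assignmentId: string; inheritedFromAssignmentId: string; inheritedFromScope: string; }

const MG = "/providers/Microsoft.Management/managementGroups/";

// Flatten the tree into child-scope -> parent-scope links (subscriptions are leaves).
function parentLinks(node: MgNode, parent: string | undefined, out: Record<string, string>): Record<string, string> {
  if (parent !== undefined) out[node.id] = parent;
  for (const child of node.children || []) parentLinks(child, node.id, out);
  return out;
}

// Parent of any scope. Resource and resource-group scopes resolve by string prefix;
// subscriptions and management groups need the hierarchy.
function parentScope(scope: string, links: Record<string, string>): string | undefined {
  const rgIdx = scope.toLowerCase().indexOf("/resourcegroups/");
  if (rgIdx >= 0) {
    const rgEnd = scope.indexOf("/", rgIdx + "/resourceGroups/".length);
    return rgEnd >= 0 ? scope.slice(0, rgEnd) : scope.slice(0, rgIdx);
  }
  return links[scope];   // undefined at the root (or at a subscription outside the visible tree)
}

function ancestorsOf(scope: string, links: Record<string, string>): string[] {
  const chain: string[] = [];
  let p = parentScope(scope, links);
  while (p !== undefined) { chain.push(p); p = parentScope(p, links); }
  return chain;   // nearest ancestor first
}

function findHierarchyRedundancy(assignments: RoleAssignment[], tree: MgNode, visibleRoot: string): Redundancy[] {
  const links = parentLinks(tree, undefined, {});
  // Only assignments at or below the scope the managed identity can read are considered.
  const visible = assignments.filter((a) => a.scope === visibleRoot || ancestorsOf(a.scope, links).indexOf(visibleRoot) >= 0);
  const out: Redundancy[] = [];
  for (const a of visible) {
    let found: RoleAssignment | undefined;
    for (const ancestor of ancestorsOf(a.scope, links)) {   // nearest ancestor wins
      for (const b of visible) {
        if (b.scope === ancestor && b.principalId === a.principalId && b.roleName.toLowerCase() === a.roleName.toLowerCase()) {
          found = b;
          break;
        }
      }
      if (found) break;
    }
    if (found) out.push({ assignmentId: a.id, inheritedFromAssignmentId: found.id, inheritedFromScope: found.scope });
  }
  return out;
}

// Constructed hierarchy: contoso -> platform -> SUB1; contoso -> landing-zones -> corp -> SUB2
const SUB1 = "/subscriptions/11111111-1111-1111-1111-111111111111";
const SUB2 = "/subscriptions/22222222-2222-2222-2222-222222222222";
const TREE: MgNode = {
  id: MG + "contoso",
  children: [
    { id: MG + "platform", children: [{ id: SUB1 }] },
    { id: MG + "landing-zones", children: [{ id: MG + "corp", children: [{ id: SUB2 }] }] },
  ],
};

const ALICE = "aaaaaaaa-0000-4000-8000-000000000001";
const BOB = "aaaaaaaa-0000-4000-8000-000000000002";
const CAROL = "aaaaaaaa-0000-4000-8000-000000000003";
const ASSIGNMENTS: RoleAssignment[] = [
  { id: "ra-root-alice", principalId: ALICE, roleName: "Reader", scope: MG + "contoso" },
  { id: "ra-corp-alice", principalId: ALICE, roleName: "Reader", scope: MG + "corp" },
  { id: "ra-sub2-alice", principalId: ALICE, roleName: "Reader", scope: SUB2 },
  { id: "ra-sub2-bob", principalId: BOB, roleName: "Contributor", scope: SUB2 },
  { id: "ra-rg-bob", principalId: BOB, roleName: "Contributor", scope: SUB2 + "/resourceGroups/rg-app" },
  { id: "ra-sub1-carol", principalId: CAROL, roleName: "Contributor", scope: SUB1 },
];

function redundantIds(visibleRoot: string): string[] {
  return findHierarchyRedundancy(ASSIGNMENTS, TREE, visibleRoot).map((r) => r.assignmentId);
}
```

With Reader on the root, three assignments are reported; with Reader only on the corp management group, ra-corp-alice is no longer flagged because the root assignment it duplicates is invisible, which is the partial-hierarchy case described above.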
Activity Log Ingestion Delay
Azure Activity Logs have a 5-15 minute ingestion delay. Very recent activity (within the last 15 minutes) may not yet appear in optimization analysis.
Workaround: re-scan after 15-30 minutes to capture the latest activity before acting on an "unused" result for a principal that was active moments ago.
Group Membership Resolution
Requires Microsoft Graph API permissions (Group.Read.All, User.Read.All, Application.Read.All). Without permissions:
- Access Optimization shows assignments granted to groups but not individual members
- "Via Group" attribution and nested group chains not displayed
- Users must manually look up group members in Azure Portal
Custom Role Support
Optimization detection for custom roles uses the same logic as built-in roles. The "over-privileged" detection, however, only flags specific built-in critical roles (Owner, User Access Administrator); a custom role granting equivalent permissions (for example the Microsoft.Authorization/roleAssignments/write action, which lets a principal grant itself further roles) is not flagged. Record such custom roles as critical in your own documentation and request a feature enhancement if you need them detected.
Cross-Tenant Assignments
Access Optimization only analyzes assignments within the tenant where StratoLens is deployed. Azure Lighthouse delegated access or B2B guest user assignments across tenants are not included in analysis. Multi-tenant organizations need separate StratoLens deployments per tenant.
Service Principal Activity Correlation
Some service principals use certificate-based authentication where the caller field in activity logs may not exactly match the principal object ID. StratoLens uses multiple matching strategies (object ID, UPN, display name) but some service principal activity may not correlate correctly.
Time Window Changes Trigger API Calls
Changing the time window or detection thresholds triggers a new API call to recompute optimizations (backend detection pattern). This is by design to ensure accurate threshold-based detection but means rapid threshold adjustments may cause multiple API calls.
Understanding Limitations
Most limitations stem from Azure platform constraints (activity log ingestion delay, read operation logging) rather than StratoLens implementation. Understanding these boundaries helps set appropriate expectations for optimization analysis accuracy.