Workflows

Concrete procedures for the most common reasons teams open Access Optimization. Each workflow names the filters to apply, what to look for, and where to act.

Quarterly Security Audit

Identify and remediate over-privileged or unused access ahead of a quarterly compliance review.

  1. Set Time Window to 90 days. Leave thresholds at defaults unless your organization has stricter policies.
  2. Sort the principal list by Most Optimizations. Start with the top of the list — these have the most findings to triage.
  3. Click each principal in turn. Read the Recommendation on every card and check the supporting evidence (Last Used, Activity Count, Operations breakdown).
  4. For each finding, decide: remove (clearly unused), downgrade (over-privileged), rescope (over-scoped), or justify (legitimate but unusual).
  5. Use View in Activity Explorer to confirm operation patterns when a recommendation isn't obvious.
  6. Execute remediations in the Azure Portal, then return after the next scan to confirm the findings are gone.

Prioritize by severity

Filter by Role Type: Critical first to focus on Owner and User Access Administrator. Those are the highest-impact remediations and the ones most likely to be questioned by auditors.

User Offboarding Verification

Confirm a departing user has no remaining direct or group-based access.

  1. Set Time Window to 90 days so any recent activity surfaces.
  2. Search the principal list for the user. If they don't appear, Access Optimization has no findings for them; that is not the same as having no access, because an assignment that is active and correctly scoped produces no finding. Confirm in Role Assignments that no healthy assignments remain.
  3. Open the user's detail panel. Note every finding showing a Via Group field — those are group memberships you also need to remove.
  4. Document the group names and any nested chains (e.g., SeniorEngineers → AppTeam).
  5. Coordinate with your Azure AD administrators to remove the user from each group and clear remaining direct assignments.
  6. Wait for the next scan and re-search. The user should no longer appear in either Access Optimization or Role Assignments.

Nested groups are easy to miss

Manual offboarding often catches direct group memberships but leaves nested chains in place. The Via Group chain in the detail panel is the most reliable way to find them.
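
The chain walk the detail panel performs can be reproduced from directory data when you need to verify offboarding outside the tool. The following is an added example, not the product's own code: it assumes a constructed membership map (users and groups alike listed under the groups they belong to) and a constructed table of which groups carry role assignments. It walks every nesting chain from the user outward, skips a group already on the current path so a nesting cycle cannot loop, and then groups the results by the one membership that actually has to be removed, the first group in each chain.

```python
from collections import deque

# Constructed sample directory data for the example (not from the page):
# who is a member of what, and which groups carry role assignments.
# Names and the AppTeam <-> PlatformAdmins cycle are made up.
MEMBER_OF = {
    "alice@contoso.example": ["SeniorEngineers", "Finance-Readers"],
    "SeniorEngineers": ["AppTeam"],
    "AppTeam": ["PlatformAdmins"],
    "PlatformAdmins": ["AppTeam"],   # nesting cycle: the walk must not loop forever
    "Finance-Readers": [],
}
GROUP_ASSIGNMENTS = {
    "AppTeam": [("Contributor", "/subscriptions/sub-1")],
    "PlatformAdmins": [("Owner", "/subscriptions/sub-1")],
    "Finance-Readers": [("Reader", "/subscriptions/sub-2")],
}


def via_group_chains(principal, member_of=MEMBER_OF, assignments=GROUP_ASSIGNMENTS):
    """Return [(chain, role, scope)] for every role `principal` inherits through groups.

    `chain` lists groups from the direct membership outward, the order a
    Via Group field shows them, e.g. ['SeniorEngineers', 'AppTeam'].
    Breadth-first, so shorter chains come first. A group already on the
    current path is not revisited, which defuses nesting cycles.
    """
    found = []
    queue = deque((g, [g]) for g in member_of.get(principal, []))
    while queue:
        group, chain = queue.popleft()
        for role, scope in assignments.get(group, []):
            found.append((chain, role, scope))
        for parent in member_of.get(group, []):
            if parent not in chain:
                queue.append((parent, chain + [parent]))
    return found


def offboarding_plan(principal, member_of=MEMBER_OF, assignments=GROUP_ASSIGNMENTS):
    """Group inherited access by the direct membership that severs it.

    Only the first group in each chain is a membership the user holds
    directly; everything after it is inherited. Removing the user from
    that first group cuts every chain that starts with it, so the plan is
    keyed by that group and lists what access each removal takes away.
    """
    plan = {}
    for chain, role, scope in via_group_chains(principal, member_of, assignments):
        plan.setdefault(chain[0], []).append(
            f"{role} on {scope} via {' -> '.join(chain)}")
    return plan


if __name__ == "__main__":
    for direct_group, inherited in offboarding_plan("alice@contoso.example").items():
        print(f"remove from {direct_group}:")
        for line in inherited:
            print("   ", line)
```

In the sample data, the Owner assignment on sub-1 is three hops away from the user (SeniorEngineers -> AppTeam -> PlatformAdmins); a manual check that only looks at the user's direct groups sees SeniorEngineers, which itself carries nothing, and misses it.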

Critical-Role Enforcement

Find Owner and User Access Administrator assignments that aren't actually used for permission management, and downgrade them.

  1. Set Time Window to 365 days to catch infrequent but legitimate RBAC usage.
  2. Filter by Role Type: Critical and Optimization Type: Over-Privileged.
  3. For each principal, read the Operations breakdown:
    • High Create/Update with zero RBAC operations → downgrade to Contributor.
    • Mostly Read/Action operations → consider Reader or a custom role.
    • Zero operations of any kind → unused, candidate for removal.
  4. Before downgrading, check for break-glass or quarterly-RBAC patterns (see Over-Privileged Access).
  5. Notify the owners of the affected principals (the people behind a user account, the team that runs a service principal) before executing the change so the downgrade does not break a workflow unannounced.
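
The step 3 decision table, and the step 4 break-glass guard, as an added example that is not the product's own code. The finding dicts are constructed sample data and their field names (principal, role, operations with create/update/read/action/rbac buckets) are assumptions about how an Operations breakdown would be represented; the BREAK_GLASS allowlist stands in for whatever record your organization keeps of deliberately idle emergency accounts. The evaluation order is the point: an allowlisted identity or any observed RBAC operation stops the downgrade before the usage buckets are looked at, so a quarterly RBAC pattern that shows up in a 365-day window is never mistaken for an unused role.

```python
# Break-glass identities whose Owner/UAA assignment is idle by design.
# Maintained out of band; the membership here is an assumption for the example.
BREAK_GLASS = {"breakglass-01@contoso.example"}


def recommend(finding, read_share=0.9, break_glass=BREAK_GLASS):
    """Map a critical-role finding's Operations breakdown to an action.

    Returns (action, reason). Order of checks:
      1. allowlisted break-glass identity        -> keep
      2. any RBAC operation in the window        -> keep (the role is exercised)
      3. zero operations of any kind             -> remove
      4. Read/Action >= read_share of all ops    -> Reader or a custom role
      5. otherwise (Create/Update, no RBAC)      -> Contributor
    """
    ops = finding["operations"]
    total = sum(ops.values())
    rbac = ops.get("rbac", 0)
    if finding["principal"] in break_glass:
        return ("keep", "break-glass identity; idle by design")
    if rbac > 0:
        return ("keep", f"{rbac} RBAC operations in window; {finding['role']} is exercised")
    if total == 0:
        return ("remove", "no operations of any kind in window")
    reads = ops.get("read", 0) + ops.get("action", 0)
    if reads / total >= read_share:
        return ("downgrade:Reader-or-custom", f"{reads}/{total} operations are Read/Action")
    return ("downgrade:Contributor", "Create/Update present, zero RBAC operations")


def triage(findings):
    """Run recommend() over a batch and return {principal: action}."""
    return {f["principal"]: recommend(f)[0] for f in findings}


# Constructed sample findings (a 365-day window is assumed).
SAMPLE_FINDINGS = [
    {"principal": "deploy-sp", "role": "Owner",
     "operations": {"create": 120, "update": 40, "read": 300, "action": 10, "rbac": 0}},
    {"principal": "dashboard-reader@contoso.example", "role": "Owner",
     "operations": {"create": 0, "update": 0, "read": 500, "action": 20, "rbac": 0}},
    {"principal": "old-admin@contoso.example", "role": "User Access Administrator",
     "operations": {"create": 0, "update": 0, "read": 0, "action": 0, "rbac": 0}},
    {"principal": "platform-lead@contoso.example", "role": "Owner",
     "operations": {"create": 3, "update": 12, "read": 50, "action": 0, "rbac": 4}},
    {"principal": "breakglass-01@contoso.example", "role": "Owner",
     "operations": {"create": 0, "update": 0, "read": 0, "action": 0, "rbac": 0}},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        action, reason = recommend(f)
        print(f"{f['principal']:<34} {f['role']:<26} {action:<26} {reason}")
```

Note that old-admin and breakglass-01 have identical, empty breakdowns; only the allowlist separates "remove" from "keep", which is why step 4 belongs before any bulk downgrade and not after it.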

Group Membership Cleanup

Find users who should be removed from Azure AD groups based on inactivity through that group's permissions.

  1. Set Time Window to 180 days and raise the stale threshold to 60% to focus on clearly inactive members.
  2. Look for principals showing a via [Group Name] subtitle in the principal list.
  3. Filter by Optimization Type: Unused or Stale to surface inactive group members.
  4. For each finding with a Via Group field, check the evidence: Last Used, Activity Count, Scope Efficiency.
  5. Group findings by group name. If many members of the same group are flagged, the group itself may be over-assigned — consider restructuring rather than removing individuals.
  6. Coordinate with the group owner before making changes; they may have context the activity data doesn't show.

Subscription Migration Cleanup

Remove lingering access on a source subscription after workloads have moved to a new one.

  1. Set Time Window based on when migration completed: 30 days for recent migrations, 90 days for older ones.
  2. In the principal list, look for users with high optimization counts — they often have access on both old and new subscriptions.
  3. For each finding, check the Subscription field on the card to confirm whether it's on the source or target.
  4. Use View in Role Assignments to see the same principal's assignments across both subscriptions side by side.
  5. Remove source-subscription assignments where the principal's legitimate work has fully moved to the target. Keep a small, named set of administrators with Owner on the source for decommissioning, and remove that access too once the subscription is decommissioned.
  6. Re-scan after the cleanup and confirm the source subscription only has the expected residual access.

Exporting Findings

Export reflects the currently visible findings — apply filters first, then export. The export contains exactly what's on the page.

Common patterns:

Quarterly critical-role audit
Filter by Role Type: Critical + Optimization Type: Over-Privileged, Unused. Export as CSV for the audit binder.
Service principal cleanup
Filter by Principal Type: Service Principal + Optimization Type: Unused, Stale. Export as JSON to feed automation scripts.
Single-user offboarding
Search for the user's name, then export. Attach to the offboarding ticket as evidence of full access removal.
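
An added example of what "feed automation scripts" looks like in practice; it is not the product's own code, and the JSON export it parses is constructed here with assumed field names (principal, principal_id, principal_type, role, role_type, optimization_type, scope, subscription, last_used, activity_count), so map the keys to whatever the real export contains. It reproduces the page filters as a generic selector, writes the audit-binder CSV, and renders one `az role assignment delete` command per finding for review. The command and its `--assignee`, `--role` and `--scope` options are real Azure CLI, but nothing is executed: the output is a plan to read, and a keep-list (the decommissioning administrators from Subscription Migration Cleanup) is honoured.

```python
import csv
import io
import json
import shlex

# Constructed JSON export for the example. The field names are an assumption
# about the export format, not the tool's documented schema.
EXPORT_JSON = json.dumps([
    {"principal": "ci-pipeline", "principal_id": "sp-0001", "principal_type": "Service Principal",
     "role": "Contributor", "role_type": "Standard", "optimization_type": "Unused",
     "scope": "/subscriptions/sub-old", "subscription": "sub-old", "last_used": None, "activity_count": 0},
    {"principal": "legacy-backup", "principal_id": "sp-0002", "principal_type": "Service Principal",
     "role": "Reader", "role_type": "Standard", "optimization_type": "Stale",
     "scope": "/subscriptions/sub-old", "subscription": "sub-old", "last_used": "2024-01-03", "activity_count": 2},
    {"principal": "alice@contoso.example", "principal_id": "u-0001", "principal_type": "User",
     "role": "Owner", "role_type": "Critical", "optimization_type": "Over-Privileged",
     "scope": "/subscriptions/sub-new", "subscription": "sub-new", "last_used": "2024-05-20", "activity_count": 310},
    {"principal": "bob@contoso.example", "principal_id": "u-0002", "principal_type": "User",
     "role": "Contributor", "role_type": "Standard", "optimization_type": "Over-Scoped",
     "scope": "/subscriptions/sub-old", "subscription": "sub-old", "last_used": "2024-05-01", "activity_count": 12},
    {"principal": "carol@contoso.example", "principal_id": "u-0003", "principal_type": "User",
     "role": "Owner", "role_type": "Critical", "optimization_type": "Unused",
     "scope": "/subscriptions/sub-old", "subscription": "sub-old", "last_used": None, "activity_count": 0},
    {"principal": "monitor-sp", "principal_id": "sp-0003", "principal_type": "Service Principal",
     "role": "Owner", "role_type": "Critical", "optimization_type": "Over-Privileged",
     "scope": "/subscriptions/sub-new", "subscription": "sub-new", "last_used": "2024-05-22", "activity_count": 900},
])


def load_findings(text):
    return json.loads(text)


def select(findings, **criteria):
    """Mirror the page filters: each keyword is a field name; its value is either
    one acceptable value or a set/list of acceptable values (e.g. Unused, Stale)."""
    out = []
    for f in findings:
        for field, wanted in criteria.items():
            value = f.get(field)
            if isinstance(wanted, (set, frozenset, list, tuple)):
                if value not in wanted:
                    break
            elif value != wanted:
                break
        else:
            out.append(f)
    return out


def removal_commands(findings, keep=frozenset()):
    """Render one `az role assignment delete` per finding for human review.
    Nothing is executed here. Principals in `keep` (e.g. the administrators
    retained for decommissioning) are skipped. shlex.quote guards role names
    with spaces such as 'User Access Administrator'."""
    cmds = []
    for f in findings:
        if f["principal"] in keep:
            continue
        cmds.append("az role assignment delete --assignee {} --role {} --scope {}".format(
            shlex.quote(f["principal_id"]), shlex.quote(f["role"]), shlex.quote(f["scope"])))
    return cmds


CSV_FIELDS = ["principal", "principal_type", "role", "role_type",
              "optimization_type", "subscription", "last_used", "activity_count"]


def to_csv(findings):
    """Audit-binder CSV; columns not in CSV_FIELDS are dropped, None becomes empty."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_FIELDS, extrasaction="ignore", lineterminator="\n")
    w.writeheader()
    w.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    findings = load_findings(EXPORT_JSON)
    stale_sps = select(findings, principal_type="Service Principal",
                       optimization_type={"Unused", "Stale"})
    print(to_csv(stale_sps))
    source = select(findings, subscription="sub-old")
    for cmd in removal_commands(source, keep={"carol@contoso.example"}):
        print(cmd)
```

The same selector reproduces the three patterns above: service-principal cleanup is principal_type plus an optimization_type set, the critical-role audit is role_type="Critical" plus its own set, and a single-user export is principal="...". Because the export holds only what was visible when it was taken, record the filters alongside the file, or the CSV in the binder cannot be reproduced next quarter.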