Customer-Hosted
StratoLens isn't a SaaS. The application, the scanner, the database, and every byte of your infrastructure data live entirely inside your own Azure tenant. Nothing about your environment is uploaded to a vendor cloud, and StratoLens has no ability to read it from outside. The only outbound traffic is a small license heartbeat covered below.
What This Means
- StratoLens (the vendor) has zero access to your Azure resources. There is no vendor-side login, no support back-door, no API key we hold that can reach into your tenant. The scanner runs under your managed identity, in your subscription, governed by your RBAC.
- StratoLens deploys from the Azure Marketplace into a subscription you choose
- All scan data is stored in your Cosmos DB instance, in your subscription
- Only metadata (resource configuration) is collected, never the data inside your resources
- Outbound traffic is limited to license validation, no infrastructure data leaves your tenant
How It Runs
StratoLens is delivered as an Azure Managed Application from the Azure Marketplace. When you install it, Azure provisions seven resources into a managed resource group inside your subscription:
- Container App (web dashboard, scales to zero when idle)
- Container App Job (the scheduled scanner)
- Container Apps Environment with Log Analytics
- Cosmos DB account, serverless tier (stores every scan result)
- Key Vault for secrets
- User-Assigned Managed Identity (the scanner's identity)
- Log Analytics Workspace
For a full walk-through of the deployment, including the Marketplace wizard inputs and the post-install setup script, see the Installation Guide.
Single tenant per deployment
A single StratoLens deployment scans one Azure tenant. The scanner can cover the entire tenant or any subset of management groups, subscriptions, or resource groups, but it doesn't reach across tenant boundaries. Multi-tenant organizations deploy one StratoLens instance per tenant.
What StratoLens Can Read
StratoLens reads only the control plane of Azure: the metadata and configuration of your resources. It never touches the data plane, so it can't see what's inside your storage accounts, databases, or virtual machines.
What it collects
- Resource names, types, locations, and configurations
- RBAC role assignments and permissions
- Cost and billing metadata
- Network topology and connectivity
- Tags and resource group organization
What it never collects
- Files or blobs inside storage accounts
- Data inside SQL, Cosmos DB, or any other database
- Contents of managed disks or virtual machines
- Secrets, keys, or certificates from Key Vault
- Any property Azure flags as a secret (VM passwords, storage keys, connection strings, and so on)
StratoLens sees what resources you have and how they're configured. It never sees the data inside them.
Permissions in Your Tenant
StratoLens follows the principle of least privilege. The scanner's managed identity needs:
- Reader (your resources)
- Read-only access to whatever scope you grant, the tenant root, specific management groups, specific subscriptions, or specific resource groups.
- Contributor (its own apps)
- Limited to StratoLens's own Container Apps, used only for self-updating to a newer version.
- Microsoft Graph (read)
- Read-only access to users and groups, used to resolve names and group memberships in RBAC analysis.
You decide the scanning scope
By default the install grants Reader at the tenant root management group so StratoLens discovers your entire estate. If that's too broad, scope the role down to specific management groups, subscriptions, or resource groups, and StratoLens will scan only what it can see. Nothing breaks if access is narrowed.
What Leaves Your Tenant
Two outbound flows exist, both narrow and both to the StratoLens licensing service. Neither carries any of your infrastructure data.
License heartbeat
StratoLens periodically reports a small set of fields to validate your license:
- Anonymous Installation ID (UUID)
- Tenant ID (UUID)
- Subscription count and resource count (integers, used to determine your billing tier)
- Timestamp of your most recent successful scan
- StratoLens version you're running
- Company name, technical contact, and billing contact (only if you set them in Settings)
No resource names, subscription names, resource group names, or configuration details are ever transmitted.
Optional usage and error reporting
By default, StratoLens sends anonymous usage metrics, error reports, and scanner performance metrics (phase durations, processed counts) to help improve the product. These contain no resource names, no subscription names, and no data plane information. The full list is documented in the Application Privacy Policy.
You can turn it off
All optional usage metrics and error reporting can be disabled with a single toggle on the Settings page. The license heartbeat is required to keep the install licensed and is not part of that toggle.
Who Can Sign In
Users authenticate to the StratoLens dashboard with their existing Entra ID credentials, the same identity they already use for the Azure Portal. Two app registrations are created during install:
- Authentication app
- Lets users sign in to StratoLens and provides the directory reads needed for RBAC analysis. Admin consent is granted once during install.
- StratoLens Notifications
- Used to send email notifications from StratoLens.
The administrator who runs the install is the initial StratoLens user. From there, additional users and groups are added inside StratoLens itself.
Related
See also
- Installation Guide — full step-by-step Marketplace deployment, including permissions, the setup script, and admin consent.
- FAQ — deeper answers on data residency, permissions, billing, and the exact fields sent for licensing.
- Self-Updating — how StratoLens keeps itself current without leaving your tenant.
Want to learn more about what Customer-Hosted can do?
Check out the feature page for benefits, use cases, and highlights.
View Feature Page