Orphaned Resources
StratoLens detects Azure resources that are unattached, empty, or idle and surfaces them as recommendations with monthly and annual savings estimates. Recommendations refresh on every scan, and resources you clean up move into Realized Savings so you can prove the impact of your work.
Refresh cadence
Recommendations are recomputed during every scan. After cleaning up a resource in Azure, run a new scan to see it move from active to Resolved.
How Detection Works
StratoLens uses two complementary detection methods. Most resource types use one or the other; a few use both.
- Inventory-based: Flags resources that are definitively unattached based on Azure inventory (a Public IP not associated with any NIC, a Managed Disk with no attached VM, an empty SQL Elastic Pool).
- Metrics-based: Flags resources that exist and look attached but show zero activity over time (a VPN Gateway with no traffic, a Storage Account with no transactions). Gated by the Minimum Idle Days threshold so newly deployed resources aren't flagged immediately.
- Both methods: Application Gateway, NAT Gateway, and Traffic Manager Profile use both: inventory catches empty/unattached versions, metrics catches configured-but-idle ones.
Status Categories
Every recommendation falls into one of five statuses. The Status filter on the page uses these same values.
- Unattached: The resource is not connected to anything. Examples: Public IP with no NIC, Managed Disk with no VM, Network Interface Card with no parent.
- Empty: A container with no contents. Examples: App Service Plan with zero sites, empty Subnet, empty Resource Group, empty Virtual Network.
- Idle: Configured but showing no activity in metrics. Examples: VPN Gateway with no traffic, Azure Bastion with no sessions, Idle Storage Account, Idle Container Registry.
- Stale: Age-based. Currently used for Disk Snapshots older than the configured threshold.
- Stopped (Not Deallocated): A VM in the Stopped power state, still billing for compute. Should be Deallocated if not in use.
StratoLens covers 30+ specific recommendation types across these statuses, including networking (NICs, NSGs, Route Tables, Private Endpoints), compute (Stopped VMs, Empty App Service Plans), storage (Stale Snapshots, Idle Storage Accounts), and governance (Empty Subnets, Orphaned API Connections, Orphaned DNS Zones).
What a Recommendation Shows
Each recommendation card has three information sections.
- Detection Evidence: The detection method, how long the resource has been in this state (Orphaned Duration or Idle Duration), the date it became orphaned or last had activity, and what it was previously attached to.
- Estimated Savings: Monthly and annual cost in the resource's actual currency. When 30+ days of cost data exist, a sub-line shows the rolling 30-day actual spend, which is the basis for the estimate.
- Recommendation Rationale: A short plain-English explanation of why the resource was flagged, the consequence of leaving it, and a suggested action.
Two action buttons in the panel header let you investigate before acting: View in Explorer opens the entity in StratoLens's Explorer (handy for checking RBAC and dependencies on a NIC or NSG before deletion), and Open in Azure Portal deep-links to the resource.
Previously Attached To needs prior scan data
Previously Attached To is reconstructed from scan history, so it's only available when StratoLens captured a scan while the resource was still attached. On a fresh install, or for resources that were already orphaned before the first scan, this field shows Unknown.
Indirect Orphans
A resource is an indirect orphan when it's technically attached to something, but the chain it depends on is broken. The classic example is a Public IP attached to a NIC, where the NIC itself isn't attached to a VM. Cards for indirect orphans show an Indirect badge in the header and a short Indirect Reason in Detection Evidence.
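The direct and indirect cases can be told apart by walking one hop up the attachment chain. The sketch below is an added example, not StratoLens's own code: the inventory records, resource names and the `find_orphans` helper are constructed for illustration, and only the property names (`ipConfiguration`, `virtualMachine`, `privateEndpoint`, `managedBy`) follow the Azure resource shapes.

```python
# Added illustration, not StratoLens code. All inventory records are constructed.
P = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers"
NIC = P + "/Microsoft.Network/networkInterfaces/"
PIP = P + "/Microsoft.Network/publicIPAddresses/"
DISK = P + "/Microsoft.Compute/disks/"
VM = P + "/Microsoft.Compute/virtualMachines/vm-app"
PE = P + "/Microsoft.Network/privateEndpoints/pe-sql"

INVENTORY = [
    {"id": PIP + "pip-free", "properties": {}},
    {"id": PIP + "pip-chain", "properties": {
        "ipConfiguration": {"id": NIC + "nic-loose/ipConfigurations/ipconfig1"}}},
    {"id": PIP + "pip-ok", "properties": {
        "ipConfiguration": {"id": NIC + "nic-vm/ipConfigurations/ipconfig1"}}},
    {"id": NIC + "nic-loose", "properties": {}},
    {"id": NIC + "nic-vm", "properties": {"virtualMachine": {"id": VM}}},
    {"id": NIC + "nic-pe", "properties": {"privateEndpoint": {"id": PE}}},
    {"id": DISK + "disk-old", "managedBy": None, "properties": {"diskState": "Unattached"}},
    {"id": DISK + "disk-os", "managedBy": VM, "properties": {"diskState": "Attached"}},
]

def nic_unattached(nic):
    # A NIC owned by a private endpoint has no VM but is still in use.
    props = nic.get("properties", {})
    return not props.get("virtualMachine") and not props.get("privateEndpoint")

def find_orphans(inventory):
    """Return {resource name: (kind, reason)}; kind is 'direct' or 'indirect'."""
    by_id = {r["id"].lower(): r for r in inventory}
    found = {}
    for r in inventory:
        rid, name = r["id"], r["id"].rsplit("/", 1)[-1]
        if rid.startswith(NIC) and nic_unattached(r):
            found[name] = ("direct", "NIC has no VM or private endpoint")
        elif rid.startswith(DISK) and not r.get("managedBy"):
            found[name] = ("direct", "disk has no owning VM")
        elif rid.startswith(PIP):
            cfg = r.get("properties", {}).get("ipConfiguration")
            if not cfg:
                found[name] = ("direct", "public IP has no IP configuration")
                continue
            # One hop up: .../networkInterfaces/<nic>/ipConfigurations/<cfg>
            parent = by_id.get(cfg["id"].rsplit("/", 2)[0].lower())
            if parent and parent["id"].startswith(NIC) and nic_unattached(parent):
                parent_name = parent["id"].rsplit("/", 1)[-1]
                found[name] = ("indirect", f"attached to {parent_name}, which has no VM")
    return found

if __name__ == "__main__":
    for name, (kind, reason) in sorted(find_orphans(INVENTORY).items()):
        print(f"{name:10} {kind:8} {reason}")
```

An inventory check that only asks "does this Public IP have an IP configuration?" would pass `pip-chain` as attached; resolving the parent NIC is what exposes it.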
Governance-Only Resources
Some resources have no direct Azure cost but still create governance debt. Empty Resource Groups, Empty Subnets, Orphaned IP Groups, Orphaned API Connections, Orphaned Private DNS Zones, and similar types fall into this bucket. Their cards swap the cost panel for a Security & Governance note explaining that the resource should still be reviewed for cleanup.
Stale credentials risk
Orphaned API Connections in particular may hold authentication credentials for systems no Logic App still references. Treat them as a security cleanup, not a cost cleanup.
Resolved & Realized Savings
Toggle Show resolved to switch from active recommendations to resources that were previously flagged and have since been deleted or re-attached. Each resolved card shows a green Resolved Recommendation header, a Resource Deleted or Resource Reattached badge, the resolution date, and the savings the cleanup unlocked as Realized Savings.
The Type and Status filters are not available in resolved mode. The dataset is independent and is meant for tracking outcomes, not slicing.
Related Documentation
Settings & Behavior
Tune detection thresholds, control noisy recommendations with hide, and understand how the Metrics Timeframe filter changes results.
Read: Settings & Behavior →
Automated Scanning
Detection runs as part of every scan. To pick up Azure changes faster, run scans more often or tighten the schedule.
Read: Automated Scanning →