© 2025 StratoLens. All rights reserved.

Access Optimization

Correlate role assignments with up to 365 days of actual activity logs to identify unused permissions, stale access, and over-privileged roles. Includes Azure AD group member resolution to identify individual users granted access through groups.

The Problem

Organizations accumulate RBAC assignments over time, creating significant security and compliance risks:

  • Permission Sprawl: Users accumulate roles across projects and never have them removed
  • Stale Access: Former team members and contractors retain access long after they should
  • Over-Privileged Users: People have Owner or Contributor roles when Reader would suffice
  • Hidden Group Access: Users inherit permissions through nested group memberships that are difficult to trace
  • Audit Blind Spots: No way to prove who actually uses their permissions vs. who just has them

The Solution

StratoLens Access Optimization correlates every role assignment with actual Azure Activity Logs to identify usage patterns and detect optimization opportunities:

  • Unused Access: Zero activity in the selected time window—safe to remove
  • Stale Permissions: No recent activity beyond configurable threshold
  • Over-Privileged Roles: Critical roles (Owner/UAA) without corresponding RBAC operations
  • Over-Scoped Assignments: Activity confined to a small portion of the assigned scope
  • Excessive Sprawl: Same role duplicated across multiple subscriptions
  • Redundant Permissions: Duplicate access from hierarchy inheritance or group overlap
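The correlation described above can be sketched in a few lines. This is an added example, not StratoLens code: the sample groups, assignments and events are constructed, and the 90-day stale threshold and the `expand`/`classify` names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
CRITICAL = {"Owner", "User Access Administrator"}
RBAC_OP_PREFIX = "Microsoft.Authorization/roleAssignments/"  # RBAC write/delete operations

# Constructed sample data (not real tenants, users or logs).
GROUPS = {"grp-platform": ["alice", "grp-contractors"], "grp-contractors": ["carol"]}
ASSIGNMENTS = [  # (principal, role, scope)
    ("grp-platform", "Contributor", "/subscriptions/sub-a"),
    ("bob", "Owner", "/subscriptions/sub-a"),
    ("dave", "Contributor", "/subscriptions/sub-b"),
]
EVENTS = [  # (caller, operation name, resource scope, timestamp)
    ("alice", "Microsoft.Compute/virtualMachines/write",
     "/subscriptions/sub-a/resourceGroups/rg1", NOW - timedelta(days=3)),
    ("bob", "Microsoft.Storage/storageAccounts/write",
     "/subscriptions/sub-a/resourceGroups/rg2", NOW - timedelta(days=10)),
    ("dave", "Microsoft.Network/virtualNetworks/write",
     "/subscriptions/sub-b/resourceGroups/rg9", NOW - timedelta(days=200)),
]

def expand(principal, path=()):
    """Yield (user, group_chain) for a principal, walking nested groups; cycles are skipped."""
    if principal not in GROUPS:
        yield principal, path
    elif principal not in path:
        for member in GROUPS[principal]:
            yield from expand(member, path + (principal,))

def classify(window_days=365, stale_days=90):
    """Label each (user, assignment) pair as unused, stale, over-privileged or active."""
    findings, start = [], NOW - timedelta(days=window_days)
    for principal, role, scope in ASSIGNMENTS:
        for user, chain in expand(principal):
            # Activity counts only if it falls inside the window and under the assigned scope.
            used = [e for e in EVENTS if e[0] == user and e[3] >= start
                    and (e[2] + "/").lower().startswith(scope.lower() + "/")]
            if not used:
                status = "unused"
            elif max(e[3] for e in used) < NOW - timedelta(days=stale_days):
                status = "stale"
            elif role in CRITICAL and not any(e[1].startswith(RBAC_OP_PREFIX) for e in used):
                status = "over-privileged"  # critical role, but no RBAC operations seen
            else:
                status = "active"
            findings.append((user, role, scope, " > ".join(chain) or "direct", status))
    return findings
```

Each finding carries the group chain through which the user received the role, so a reviewer can tell whether to remove a direct assignment or a group membership.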

Key Benefits

  • Detect completely unused access with zero activity in a customizable time window
  • Identify stale permissions with configurable activity thresholds
  • Find over-privileged users with critical roles (Owner/UAA) but no RBAC operations
  • Discover over-scoped assignments
  • Track excessive role sprawl (same role across multiple subscriptions)
  • Eliminate redundant assignments from hierarchy inheritance, role supersession, or group overlap
  • Resolve group memberships to identify individual users with access through groups
  • View nested group chains showing complete permission inheritance paths

Common Use Cases

  • Quarterly security audits to identify and remediate over-privileged access before auditors arrive
  • Compliance reporting for least-privilege enforcement and access certification
  • User offboarding verification to ensure complete access removal including group memberships
  • Continuous access reviews to maintain least-privilege as teams and projects evolve
  • Group membership cleanup to identify users who should be removed from Azure AD groups

Ready to Learn More?

Explore our documentation to see how Access Optimization works in detail.