What it is
A high-privilege role assignment (Owner, Contributor, User Access Administrator) that was exercised at some point but hasn't been used in a long time. The migration, incident, or one-off task that justified it has ended, yet the assignment stays exactly as it was: permanent, always-on standing access.
Why it happens
Azure role assignments are permanent by default. Nothing expires them and nothing revisits them. A grant made to get a project over the line stays configured until a human decides to remove it, and removal is nobody's explicit job.
There is no "last used" timestamp shown next to an assignment in the portal, so a role that was busy for a week and then idle for six months looks identical to one in daily use. The safe-feeling default is to leave it, which is how Owner grants accumulate faster than they ever get cleaned up. Stale is distinct from never-used (see AZF-0052): this access was legitimately used, which is exactly why no one questions it later.
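Because the portal shows no last-used timestamp, one way to reconstruct it is to join privileged role assignments against management-plane write events from the activity log and flag standing grants whose principal has been quiet past a threshold. This is an added example, not StratoLens code: the record shapes (caller, operationName, time, expiresOn), the 90-day threshold and the sample data are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
# Well-known Azure built-in role definition IDs (Owner is the one used on this page).
PRIVILEGED_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

def stale_privileged_assignments(assignments, activity_log, now, stale_after_days=90):
    """Classify permanent privileged assignments by the principal's last management-plane
    write. Returns (stale, never_used) as lists of (principalId, role, days_idle).
    Reads are ignored: listing resources does not need Owner; only writes exercise it."""
    last_write = {}
    for ev in activity_log:
        if ev["operationName"].endswith("/read"):
            continue
        if ev["caller"] not in last_write or ev["time"] > last_write[ev["caller"]]:
            last_write[ev["caller"]] = ev["time"]
    cutoff = now - timedelta(days=stale_after_days)
    stale, never_used = [], []
    for a in assignments:
        role = PRIVILEGED_ROLES.get(a["roleDefinitionId"])
        if role is None or a.get("expiresOn") is not None:
            continue  # not privileged, or time-bound (eligibility-style) rather than standing
        seen = last_write.get(a["principalId"])
        if seen is None:
            never_used.append((a["principalId"], role, None))  # never-used, cf. AZF-0052
        elif seen < cutoff:
            stale.append((a["principalId"], role, (now - seen).days))
    return stale, never_used

# Constructed sample data; field names are an assumption, not a real Azure API shape.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OWNER, CONTRIB, UAA = list(PRIVILEGED_ROLES)  # dict preserves insertion order
ASSIGNMENTS = [
    {"principalId": "user-a", "roleDefinitionId": OWNER, "expiresOn": None},
    {"principalId": "user-b", "roleDefinitionId": CONTRIB, "expiresOn": None},
    {"principalId": "user-c", "roleDefinitionId": UAA, "expiresOn": None},
    {"principalId": "user-d", "roleDefinitionId": OWNER, "expiresOn": NOW + timedelta(days=60)},
]
ACTIVITY_LOG = [
    {"caller": "user-a", "operationName": "Microsoft.Compute/virtualMachines/write", "time": NOW - timedelta(days=200)},
    {"caller": "user-a", "operationName": "Microsoft.Compute/virtualMachines/read", "time": NOW - timedelta(days=1)},
    {"caller": "user-b", "operationName": "Microsoft.Storage/storageAccounts/write", "time": NOW - timedelta(days=5)},
    {"caller": "user-d", "operationName": "Microsoft.Authorization/roleAssignments/write", "time": NOW - timedelta(days=150)},
]

if __name__ == "__main__":
    print(stale_privileged_assignments(ASSIGNMENTS, ACTIVITY_LOG, NOW))
```

In the constructed data only user-a's Owner grant is stale (a recent read does not count as exercising it), user-c's grant is never-used, and user-d's time-bound grant is skipped because it already expires on its own.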
What it costs / blast radius
A role assignment is free, so there is no direct dollar cost. The harm is security and governance hygiene. (Azure behavior; authored assessment.) Every stale privileged grant is an extra live credential: one more account an attacker can phish into full control, one more path a departed contractor might retain, and one more line every access review has to reconcile. Standing privilege that nobody uses is pure attack surface with no offsetting benefit.
See it
param principalId string

resource owner 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, 'Owner')
  properties: {
    // Owner — standing, permanent, and last exercised months ago
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
    principalId: principalId
    principalType: 'User'
  }
}

// No standing access. The principal becomes ELIGIBLE for Owner,
// activates it when needed, and eligibility itself lapses after 90 days.
param principalId string
param nowTime string = utcNow() // utcNow() is only valid as a param default

resource ownerEligible 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(subscription().id, principalId, 'Owner-eligible')
  properties: {
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
    requestType: 'AdminAssign'
    scheduleInfo: {
      startDateTime: nowTime
      expiration: {
        type: 'AfterDuration'
        duration: 'P90D' // eligibility expires; standing access never accrues
      }
    }
  }
}

How StratoLens helps
StratoLens surfaces privileged assignments that have gone quiet long after the work ended, across every subscription and every principal, so a stale Owner can't sit as forgotten standing access in a subscription nobody opens. You don't have to remember to re-review each grant; the check runs continuously inside your own tenant.