What it is
A privileged role assignment that the principal simply never exercises. The role, often Owner, Contributor, or User Access Administrator, is granted at a scope where the user or service principal performs no operations at all. It is live, standing access that does nothing except widen the set of identities that could act on the subscription if one of them is compromised.
Why it happens
Unused assignments accumulate because RBAC grants have no natural expiry. Access is handed out for a project, a migration, a break-glass scenario, or "just in case," and once the reason passes the assignment stays. Removing an assignment nobody is using feels risky, since you can't be certain it isn't load-bearing for some rare path, so the safe-looking choice is always to leave it.
Azure never tells you an assignment has gone unused. There's no last-used indicator on a role assignment and no prompt when a grant has sat idle since the day it was created. From the assignment alone, a principal that has done nothing looks the same as one doing critical daily work, so dormant privileged access is invisible until someone deliberately goes looking.
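Because the assignment itself carries no last-used signal, the only way to answer "is anyone using this grant?" is to correlate assignments with the activity log. The script below is an added example, not StratoLens code or any Azure tooling: it takes the JSON shapes produced by `az role assignment list --all` and `az monitor activity-log list` (sample records constructed inline, with made-up subscription and object ids) and flags privileged assignments whose principal never appears as a caller for any operation at or under the assignment's scope during the lookback window. It assumes the activity log's `caller` field has already been resolved to the principal's object id (for users the raw field is usually a UPN), and it treats grants younger than the window as inconclusive rather than dormant.

```python
"""Find privileged Azure RBAC assignments with no caller activity in scope.

Added example. Correlates role assignments with activity-log entries and
reports assignments of privileged roles whose principal performed no
control-plane operation under the assignment's scope within the window.
"""
from datetime import datetime, timedelta, timezone

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample data. Field names follow the Azure CLI JSON output; the
# subscription id, object ids and timestamps are made up for this example.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ASSIGNMENTS = [
    {"principalId": "aaaa-1", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB,
     "createdOn": "2024-01-10T09:00:00+00:00"},
    {"principalId": "bbbb-2", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app",
     "createdOn": "2024-01-10T09:00:00+00:00"},
    {"principalId": "cccc-3", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": SUB,
     "createdOn": "2024-06-20T09:00:00+00:00"},  # granted recently
    {"principalId": "dddd-4", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB,
     "createdOn": "2024-01-10T09:00:00+00:00"},  # not a privileged role
]
ACTIVITY_LOG = [
    {"caller": "bbbb-2",
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Web/sites/api",
     "operationName": "Microsoft.Web/sites/restart/action",
     "eventTimestamp": "2024-06-01T12:00:00+00:00"},
    {"caller": "aaaa-1",  # activity exists, but it predates the window
     "resourceId": SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/st1",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "eventTimestamp": "2023-11-01T12:00:00+00:00"},
]
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed "now" for the sample


def in_scope(resource_id: str, scope: str) -> bool:
    """True when resource_id is the scope itself or sits underneath it.

    The prefix must end at a path separator so that a sibling whose id merely
    shares a prefix (".../sub-1" vs ".../sub-10") does not count as in scope.
    """
    r, s = resource_id.lower(), scope.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def find_unused_privileged(assignments, activity_log, now, lookback_days=90):
    """Return (unused, too_new): privileged assignments with no in-scope caller
    activity in the window, and those created inside the window (inconclusive)."""
    window_start = now - timedelta(days=lookback_days)

    # Index recent activity by caller so each assignment is a dictionary lookup.
    recent = {}
    for entry in activity_log:
        if datetime.fromisoformat(entry["eventTimestamp"]) >= window_start:
            recent.setdefault(entry["caller"], []).append(entry["resourceId"])

    unused, too_new = [], []
    for a in assignments:
        if a["roleDefinitionName"] not in PRIVILEGED_ROLES:
            continue
        if datetime.fromisoformat(a["createdOn"]) > window_start:
            too_new.append(a)  # grant is younger than the window; cannot judge yet
            continue
        touched = any(in_scope(rid, a["scope"]) for rid in recent.get(a["principalId"], []))
        if not touched:
            unused.append(a)
    return unused, too_new


if __name__ == "__main__":
    unused, too_new = find_unused_privileged(ASSIGNMENTS, ACTIVITY_LOG, NOW)
    for a in unused:
        print(f"UNUSED  {a['roleDefinitionName']:<26} {a['principalType']:<17} "
              f"{a['principalId']} at {a['scope']}")
    for a in too_new:
        print(f"NEW     {a['roleDefinitionName']:<26} {a['principalType']:<17} "
              f"{a['principalId']} (created {a['createdOn']}, inside window)")
```

Two limits of this approach matter in practice: the activity log only records control-plane (ARM) operations, so data-plane use of a role such as Contributor is invisible to it, and the portal retains activity-log entries for 90 days, so a longer window needs logs that have been exported to a Log Analytics workspace or storage account. A principal that shows up as "unused" should therefore be treated as a strong lead for review, not as proof that the grant is safe to delete without checking.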
What it costs / blast radius
This is a blast-radius problem, not a bill. Every standing privileged assignment is another identity an attacker can aim at, and the ones nobody uses are the worst kind: they carry real permissions but no one is watching them, because no legitimate activity would ever draw attention to the account. (Azure behavior; authored assessment.) Unused Owner or User Access Administrator grants are persistent, unmonitored footholds that add risk while contributing nothing.
See it
targetScope = 'subscription'

@description('Object id of the user or service principal receiving the role.')
param principalId string

@description('Start of the eligibility window; utcNow() is only allowed as a parameter default.')
param startTime string = utcNow()

// Built-in Owner role definition id.
var ownerRoleId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

// Before: a permanent Owner assignment at subscription scope.
resource standingOwner 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, ownerRoleId)
  properties: {
    // Permanent grant. Never expires, never gets re-justified,
    // and this principal has performed no operations in scope.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ownerRoleId) // Owner
    principalId: principalId
    principalType: 'User'
  }
}

// After: drop the permanent assignment and make the role eligible instead,
// so the privilege is activated on request and expires on its own.
resource eligibleOwner 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(subscription().id, principalId, ownerRoleId, 'eligible')
  properties: {
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ownerRoleId) // Owner, eligible not active
    requestType: 'AdminAssign'
    justification: 'Replace standing Owner with time-bound PIM eligibility'
    // Without scheduleInfo the eligibility itself never expires; the 180-day
    // window here is an illustrative value, set it to match your PIM policy.
    scheduleInfo: {
      startDateTime: startTime
      expiration: {
        type: 'AfterDuration'
        duration: 'P180D'
      }
    }
  }
}

How StratoLens helps
StratoLens flags privileged role assignments that sit unused in their scope so dormant standing access stops hiding behind the accounts that never touch it. The check runs automatically and continuously across every subscription in your own tenant, turning "is anyone actually using this grant?" into an answer instead of a guess.