
How Do I Find and Control Shadow IT and SaaS Sprawl?

Quick Answer

Shadow IT is technology used without IT approval. In 2026, that's primarily SaaS apps—employees sign up directly, bypassing procurement and security. Discovery tools reveal what's actually in use. Then you assess, approve, block, or replace.

The Scale of the Problem

Average organisation:

  • 300-500+ SaaS apps in use
  • IT knows about 30-40% of them
  • 60-70% are shadow IT

How it happens:

  • Employee needs a tool, signs up with company email
  • Department buys subscription on corporate card
  • Free tools spread organically
  • Integrations connect to more services

Each unknown app is:

  • A potential data leak
  • An unmanaged access point
  • A compliance blind spot
  • A security risk

Why Shadow IT Grows

Business reality:

  • SaaS is easy to adopt (no IT involvement needed)
  • Teams solve problems quickly
  • Waiting for IT approval is slow
  • Free tiers remove budget barriers

IT reality:

  • Can't see what you don't know about
  • Traditional controls don't work for SaaS
  • Blocking everything kills productivity
  • Users find workarounds

Shadow IT isn't malicious; it's people getting work done. But it creates real risk.

Discovery: Find What's Actually In Use

Microsoft Defender for Cloud Apps

For M365 environments, Defender for Cloud Apps (formerly MCAS) provides:

  • Traffic analysis to identify cloud apps
  • Risk scores for discovered apps
  • Usage patterns and data volumes
  • Integration with Conditional Access for control

Network-based discovery

  • Firewall logs reveal cloud connections
  • Proxy logs show SaaS traffic
  • DNS analysis identifies services

Expense analysis

  • Credit card statements show subscriptions
  • Procurement records catch some
  • Expense report review

User surveys

  • Ask departments what they use
  • Less reliable but catches some

SSO analysis

  • What do users authenticate to?
  • What's connected via OAuth?

Assessment: Decide What to Do

Once you've discovered apps, assess each:

Security assessment:

  • What data does it access?
  • What security controls does it have?
  • Where is data stored?
  • What's the vendor's security posture?

Business assessment:

  • Is there legitimate business need?
  • Is there an approved alternative?
  • What's the user base?
  • What's the cost?

Risk categorisation:

  • Sanctioned (approved, managed)
  • Tolerated (low risk, allowed)
  • Unsanctioned (blocked, replace)
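
One way to combine the network-based discovery and the risk categorisation described above, shown as an added example (not from the original article or any vendor tool). The proxy log format, the `.example` domains, the inventory and the "unreviewed" label for apps missing from it are constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy log (assumed format): time user method host bytes_out bytes_in
SAMPLE_LOG = """\
2026-01-12T09:01:10Z alice CONNECT app.sanctioned-crm.example 1200 8400
2026-01-12T09:02:44Z bob CONNECT api.notes-tool.example 52000 900
2026-01-12T09:03:02Z carol CONNECT files.share-site.example 7800000 1500
2026-01-12T09:05:31Z bob CONNECT files.share-site.example 4100000 1100
2026-01-12T09:06:00Z alice CONNECT www.notes-tool.example 300 2500
malformed line without enough fields
2026-01-12T09:07:19Z dave CONNECT upload.unknown-ai.example 950000 4000
"""

# Hypothetical app inventory keyed by base domain, using the three categories above.
INVENTORY = {
    "sanctioned-crm.example": "sanctioned",
    "notes-tool.example": "tolerated",
    "share-site.example": "unsanctioned",
}
# "unreviewed" is an added label for apps missing from the inventory (the shadow IT).
REVIEW_ORDER = {"unreviewed": 0, "unsanctioned": 1, "tolerated": 2, "sanctioned": 3}

def base_domain(host):
    # Simplification: last two labels only; real logs need a public-suffix list (co.uk etc.).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def discover(log_text, inventory):
    """Return (report, skipped): per-app users and upload volume, review-ordered."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        _, user, _, host, bytes_out, _ = parts
        entry = apps[base_domain(host)]
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
    report = [{"domain": d, "status": inventory.get(d, "unreviewed"),
               "users": sorted(e["users"]), "bytes_out": e["bytes_out"]}
              for d, e in apps.items()]
    # Unknown apps first, then by upload volume (a proxy for data leaving the org).
    report.sort(key=lambda r: (REVIEW_ORDER[r["status"]], -r["bytes_out"]))
    return report, skipped

if __name__ == "__main__":
    print(*discover(SAMPLE_LOG, INVENTORY)[0], sep="\n")
```

The top of the report is the assessment queue: apps nobody has reviewed, then apps already marked unsanctioned that are still receiving traffic.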

Control: Take Action

For sanctioned apps

  • Bring into official management
  • Enable SSO where possible
  • Apply DLP policies
  • Monitor usage
  • Ensure proper offboarding

For tolerated apps

  • Document acceptance of risk
  • Monitor for changes
  • Review periodically

For unsanctioned apps

  • Block access (web filtering, Conditional Access)
  • Provide approved alternative
  • Communicate why
  • Help users migrate

Prevent future shadow IT

  • Make approval process faster
  • Self-service app catalogue
  • Clear policies on acceptable use
  • Regular discovery and review

The Microsoft 365 Shadow AI Problem

AI is the newest shadow IT:

  • ChatGPT
  • Claude
  • Gemini
  • Dozens of AI assistants

Same problem, higher stakes. Data going into AI you don't control. See our guide on stopping AI data leakage.

Building a Sustainable Approach

Don't just block everything:

  • Users find workarounds
  • Creates adversarial relationship
  • Kills productivity

Do:

  • Discover continuously (not one-time)
  • Provide good alternatives to common shadow IT
  • Make approval reasonably fast
  • Focus enforcement on high-risk apps
  • Communicate the "why"

What We Implement

For managed clients:

Discovery:

  • Defender for Cloud Apps deployment
  • Continuous shadow IT monitoring
  • Regular reporting on cloud app usage

Control:

  • Risk assessment of discovered apps
  • Conditional Access policies
  • Web filtering for blocked apps
  • DLP for sanctioned apps

Enablement:

  • Secure alternatives for common needs
  • Streamlined approval process
  • User education

You can't secure what you can't see.