Shadow IT Discovery: What Defender for Cloud Apps Actually Reveals
Shadow IT, the use of unsanctioned applications and services by employees, is not a new problem, but its scale has accelerated dramatically. The combination of SaaS proliferation, remote work, and readily available AI tools means that the average organisation's actual application footprint is 3-5 times larger than what IT departments believe. Microsoft Defender for Cloud Apps (MDCA) provides the discovery capability to quantify and address this risk.
What Shadow IT Looks Like in Practice
Shadow IT is not malicious in most cases. Employees use unsanctioned tools because they solve immediate problems faster than approved alternatives. Common patterns include:
- File sharing: Employees use personal Dropbox, Google Drive, or WeTransfer accounts to share files with external parties because the approved SharePoint external sharing process is too complex or too slow.
- Communication: Teams in different time zones adopt Slack, Discord, or WhatsApp for quick coordination because Teams notification settings are poorly configured.
- AI tools: Users paste documents into ChatGPT, Claude, or Gemini for summarisation because no enterprise AI tool is available (or because Copilot licensing has not been extended to them).
- Project management: Departments adopt Notion, Trello, or Monday.com because the approved project management tool does not meet their workflow needs.
- Personal email: Employees forward corporate documents to personal Gmail or Outlook.com accounts to work from personal devices.
- Developer tools: Engineers use GitHub personal accounts, Replit, or other coding platforms that are not under corporate governance.
Each of these represents a data boundary violation. Corporate data leaves the controlled M365 environment and enters a service where the organisation has no governance, no audit trail, and no ability to enforce retention or deletion.
Defender for Cloud Apps Discovery Setup
MDCA discovery operates through three data sources. Configure all three for comprehensive visibility.
Source 1: Defender for Endpoint integration
This is the primary and most comprehensive source. Navigate to Microsoft Defender XDR > Settings > Cloud Apps > Cloud Discovery > Microsoft Defender for Endpoint. Enable the integration. Once active, every web request from a Defender for Endpoint-managed device is analysed against MDCA's application catalogue. No proxy, firewall log upload, or network appliance is required.
The key advantage: this works for remote workers on home networks, on mobile data, and on any network - because the signal comes from the endpoint agent, not the network perimeter.
Source 2: Firewall and proxy log upload
For organisations with centralised network egress (office networks), configure automatic log upload from your firewall or proxy. Navigate to Cloud Apps > Cloud discovery > Automatic log upload > Add data source. MDCA supports log formats from Palo Alto, Zscaler, Cisco, Fortinet, Squid, Blue Coat, and many others.
This captures traffic from unmanaged devices on the corporate network - contractor laptops, IoT devices, and any endpoint without Defender for Endpoint.
Source 3: Cloud App Security API connectors
For sanctioned applications, configure API connectors under Cloud Apps > Connected apps. These provide deep visibility into user activity within connected apps (Microsoft 365, Google Workspace, Salesforce, etc.) and can detect shadow IT within those platforms - for example, a user configuring a mail forwarding rule to send copies of all email to a personal account.
The Cloud Discovery Dashboard
Once data sources are flowing, the Cloud Discovery dashboard (Cloud Apps > Cloud discovery > Cloud discovery dashboard) provides the overview:
- Total discovered apps: Expect 200-1000+ depending on organisation size. This number is always shocking to IT teams.
- App categories: Broken down by cloud storage, collaboration, email, security, development, AI, and dozens more.
- Traffic volume: Which apps are consuming the most bandwidth and seeing the most active use.
- User count: How many unique users are accessing each app.
Risk Scoring
Every discovered application receives a risk score from 1 (highest risk) to 10 (lowest risk) based on MDCA's catalogue assessment. The scoring considers:
- Compliance certifications: SOC 2, ISO 27001, GDPR compliance, HIPAA - certified apps score higher
- Data encryption: In-transit and at-rest encryption
- Data residency: Where the service stores data (EU, US, other)
- Terms of service: Whether the provider claims ownership of uploaded data
- Security features: MFA support, SSO, audit logging
- Account governance: Data retention, deletion capabilities, admin controls
Filter the discovered apps by risk score to identify the highest-risk applications. Apps scoring 1-3 represent an immediate concern: they typically lack encryption, have problematic terms of service, or store data in uncontrolled jurisdictions.
The Sanctioning Workflow
MDCA provides three app states that drive enforcement:
Sanctioned: The app is approved for use. No blocking action is taken. Sanctioned apps should have an API connector configured for deeper monitoring where supported.
Unsanctioned: The app is blocked. If Defender for Endpoint integration is active, DNS-level blocking is enforced on managed devices. Users attempting to access unsanctioned apps see a block page explaining the restriction.
Monitored: The app is neither approved nor blocked. Usage is logged for ongoing assessment. This is the default state for newly discovered apps.
The sanctioning process should follow a structured workflow:
- Initial discovery: All apps start as Monitored.
- Risk assessment: Apps with risk scores below 4 are immediately Unsanctioned unless a business case exists.
- Business review: Department heads review discovered apps used by their teams and confirm whether a business need exists.
- Alternative evaluation: For apps with legitimate business need, evaluate whether an approved alternative exists (e.g., OneDrive instead of personal Google Drive, Copilot instead of ChatGPT).
- Sanctioning decision: Apps with no approved alternative and a legitimate business need are evaluated for enterprise licensing and governance before being Sanctioned. Apps with approved alternatives are Unsanctioned with user communication.
Common Findings and Action Plans
Based on hundreds of MDCA deployments, these are the findings that appear in virtually every organisation:
Personal cloud storage (Dropbox, Google Drive, iCloud): Found in 95% of organisations. Action: Unsanction and block. Provide training on SharePoint external sharing and OneDrive.
AI tools (ChatGPT, Claude, Gemini, Perplexity): Found in 85% of organisations as of 2025. Action: Block unsanctioned tools, accelerate Copilot deployment as the sanctioned alternative.
Personal email (Gmail, Outlook.com, Yahoo Mail): Found in 80% of organisations. Action: Block webmail access on corporate devices. Deploy DLP policies to detect forwarding rules to personal accounts.
File transfer services (WeTransfer, SendGB, Filemail): Found in 70% of organisations. Action: Unsanction. Provide SharePoint external sharing links as the approved method for large file transfers.
Unsanctioned project management (Trello, Notion, Asana): Found in 60% of organisations. Action: Evaluate whether the approved tool meets user needs. If not, consider sanctioning one alternative with proper governance.
Screen recording and transcription (Loom, Otter.ai): Found in 50% of organisations. Action: Evaluate whether Teams meeting recording and transcription meet the need. If not, assess enterprise licensing for a single sanctioned tool.
Ongoing Governance
Shadow IT discovery is not a one-time project. New SaaS applications launch daily, and employee adoption of unsanctioned tools is continuous. Establish:
- Weekly automated report: Configure MDCA to email a summary of newly discovered apps to the IT security team.
- Monthly review: Review all Monitored apps and make sanctioning decisions.
- Quarterly business review: Present shadow IT trends to department heads, including data volume flowing to unsanctioned services.
- Annual policy update: Refresh the acceptable use policy based on discovery findings and the evolving application landscape.
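The sanctioning workflow above and the weekly new-app report can be expressed as a small triage script. This is an added example, not MDCA's own code or API: the app records, risk scores and the category-to-alternative mapping are constructed here to stand in for two weekly Cloud Discovery exports, and treating a confirmed lack of business need as Unsanctioned is an assumption the workflow leaves implicit.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed mapping (not an MDCA feature): category -> the sanctioned alternative this page names.
APPROVED_ALTERNATIVE = {
    "Cloud storage": "OneDrive / SharePoint",
    "Generative AI": "Microsoft 365 Copilot",
    "File transfer": "SharePoint external sharing",
}

@dataclass(frozen=True)
class DiscoveredApp:
    name: str
    category: str
    risk_score: int                        # MDCA scale: 1 = highest risk, 10 = lowest
    users: int
    business_need: Optional[bool] = None   # None = department-head review still pending

def triage(app: DiscoveredApp) -> Tuple[str, str]:
    """Apply the sanctioning workflow to one discovered app; returns (state, reason)."""
    if app.business_need is None:
        # Risk assessment step: a score below 4 is unsanctioned at once unless a business case exists.
        if app.risk_score < 4:
            return "Unsanctioned", "risk score below 4 and no business case on file"
        return "Monitored", "awaiting business review"
    if not app.business_need:
        return "Unsanctioned", "no business need confirmed by department head"   # assumption, see lead-in
    alternative = APPROVED_ALTERNATIVE.get(app.category)
    if alternative:
        return "Unsanctioned", f"approved alternative exists: {alternative}"
    # Legitimate need, no alternative: stays Monitored until the licensing/governance review sanctions it.
    return "Monitored", "evaluate enterprise licensing and governance before sanctioning"

def weekly_report(previous, current):
    """Triage apps that appear in this week's snapshot but not last week's, highest risk first."""
    seen = {a.name for a in previous}
    new_apps = sorted((a for a in current if a.name not in seen),
                      key=lambda a: (a.risk_score, -a.users))
    return [(a.name, a.risk_score, a.users, *triage(a)) for a in new_apps]

# Constructed snapshots standing in for two weekly Cloud Discovery exports (scores are made up).
LAST_WEEK = [DiscoveredApp("Dropbox", "Cloud storage", 7, 40, business_need=True)]
THIS_WEEK = LAST_WEEK + [
    DiscoveredApp("ChatGPT", "Generative AI", 6, 120, business_need=True),
    DiscoveredApp("SendGB", "File transfer", 2, 3),
    DiscoveredApp("Notion", "Project management", 8, 15, business_need=True),
    DiscoveredApp("Trello", "Project management", 8, 9, business_need=False),
    DiscoveredApp("Loom", "Screen recording", 6, 12),
]
```

Each constructed record exercises one branch of the workflow, so `weekly_report(LAST_WEEK, THIS_WEEK)` yields the five new apps with SendGB first and Dropbox excluded as already known.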
MDCA transforms shadow IT from an unknown risk into a quantified, managed challenge. The discovery data is often the most impactful security finding an organisation encounters - not because it reveals a breach, but because it reveals the true scale of data boundary violations that have been occurring, undetected, for years.