
Picture this: An employee finds an exciting new app that promises to increase their productivity by 50%. They could run it by IT, but they don’t want the hassle of waiting for approval or filling out complex forms. Instead, they just download and start using it, thinking, “What’s the worst that could happen?”

This is an example of shadow IT, and it’s one of the biggest risks in cloud-first workspaces. That seemingly innocuous app could actually be a new entry route for malicious actors looking to steal your data or infect your files. And the worst part? Since no one reported it, you might not even know it’s there. 

In this article, we explain how to detect shadow IT, explore its major risks, and outline best practices to keep your M365 environment safe, secure, and in your control.

What is shadow IT?

While there are a few ways to define shadow IT, it’s generally any app, cloud service, or third-party tool that’s used without the IT department’s approval. This could be anything from a simple file-sharing website to a full AI workflow. 

In Microsoft 365, shadow IT often shows up as unsanctioned apps connected to Entra ID, unauthorized SaaS tools users upload files into, or browser extensions that quietly get access to company data. These tools can bypass your sensitivity labels, conditional access policies, and tenant-level security controls, leaving gaps you might not notice right away.

Here's the problem: some of these tools work inside your Microsoft 365 environment but slip past your controls. Others operate outside your tenant entirely, so your multi-factor authentication (MFA), data loss prevention (DLP) policies, and conditional access rules never apply to them in the first place. Either way, the data that flows through them sits outside the protections you have configured.

Unreported tools become blind spots fast. After all, you can’t enforce data security and build compliance strategies for products you don’t even know people are using.

Why do employees use shadow IT?

There are several reasons an employee might turn to external apps or tools:

  • Comfort: People are creatures of habit. They like to use apps they're familiar with from a past workplace, even if those apps aren't on your list of approved tech.
  • Lack of cybersecurity knowledge: Without proper cybersecurity training, employees might not realize the risks posed by unauthorized tools.
  • Lengthy approval processes: If using an app or service means the employee has to go through a lengthy, complex tech approval process, they might ignore protocol and download it anyway.
  • Budget restrictions: If you don’t have the budget to provide the tool they want, teams might try using free, unregulated alternatives instead.
  • Regulation frustrations: When users hit a wall in Microsoft 365, whether from strict SharePoint or OneDrive sharing controls, blocked Teams connectors, or permissions that limit how they collaborate, they often look for a way around those restrictions. Without clear, accessible pathways to get the access they need, workarounds start to feel easier than following the rules.

What are the risks of shadow IT?

Left unchecked, shadow IT can cause many problems, from data sprawl to creating an entry point for cyberattacks. Here are the biggest risks to watch out for.

Compromised data security

IBM's Cost of a Data Breach report reveals that one in three data breaches involve shadow IT. Unapproved programs and third-party services don't play by the same rules as catalogued, compliance-checked software.

In Microsoft 365, when a user consents to a third-party app through OAuth, that app is granted delegated access to the user's SharePoint or OneDrive files, and IT is not necessarily told about it. The grant stays in place until someone revokes it.
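One way to surface these lingering grants is to export the tenant's OAuth2 permission grants and look for apps nobody approved that hold file scopes. The script below is an added example, not ShareGate's or Microsoft's code: it assumes you have exported the oauth2PermissionGrant objects to JSON (for instance from the Microsoft Graph API), uses that resource's real field names, and runs here on constructed sample records with made-up app and user ids.

```python
"""Find unsanctioned OAuth apps that hold SharePoint/OneDrive permissions.

Added example (not ShareGate's or Microsoft's code). It assumes you have
exported the tenant's oauth2PermissionGrant objects to JSON, for instance
from the Microsoft Graph API; the field names below follow that resource, but
the records, app ids and user ids are constructed samples.
"""
import json

# Delegated Microsoft Graph scopes that reach SharePoint or OneDrive content.
FILE_SCOPES = {
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All",
}

# Constructed: client app ids IT has already reviewed and approved.
SANCTIONED_CLIENTS = {"app-sanctioned-1": "Approved ticketing integration"}

# Constructed export. consentType "AllPrincipals" means an admin consented for
# everyone; "Principal" means one user consented for themselves.
SAMPLE_GRANTS_JSON = """
[
  {"id": "g1", "clientId": "app-sanctioned-1", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "graph-sp", "scope": "User.Read Files.Read.All"},
  {"id": "g2", "clientId": "app-unknown-2", "consentType": "Principal",
   "principalId": "user-a", "resourceId": "graph-sp",
   "scope": "openid profile Files.ReadWrite.All offline_access"},
  {"id": "g3", "clientId": "app-unknown-3", "consentType": "Principal",
   "principalId": "user-b", "resourceId": "graph-sp", "scope": "User.Read"},
  {"id": "g4", "clientId": "app-unknown-2", "consentType": "Principal",
   "principalId": "user-c", "resourceId": "graph-sp",
   "scope": "Sites.ReadWrite.All offline_access"},
  {"id": "g5", "clientId": "app-unknown-4", "consentType": "Principal",
   "principalId": "user-d", "resourceId": "graph-sp", "scope": "Files.Read"}
]
"""


def parse_grants(raw_json):
    """Parse exported grants; 'scope' is a space-separated string in Graph."""
    grants = json.loads(raw_json)
    for g in grants:
        g["scopes"] = set((g.get("scope") or "").split())
    return grants


def triage_grants(grants, sanctioned_clients):
    """Group grants per client app and flag unsanctioned apps with file access.

    Returns findings sorted riskiest first. Severity rises with tenant-wide
    consent, *.All scopes, offline_access (refresh tokens, so access outlives
    the session) and the number of users who consented.
    """
    by_client = {}
    for g in grants:
        entry = by_client.setdefault(g["clientId"], {
            "client_id": g["clientId"], "file_scopes": set(), "users": set(),
            "tenant_wide": False, "persistent": False})
        entry["file_scopes"] |= g["scopes"] & FILE_SCOPES
        if g.get("consentType") == "AllPrincipals":
            entry["tenant_wide"] = True
        elif g.get("principalId"):
            entry["users"].add(g["principalId"])
        if "offline_access" in g["scopes"]:
            entry["persistent"] = True

    findings = []
    for entry in by_client.values():
        if entry["client_id"] in sanctioned_clients or not entry["file_scopes"]:
            continue
        score = len(entry["file_scopes"]) + len(entry["users"])
        if any(s.endswith(".All") for s in entry["file_scopes"]):
            score += 3
        if entry["tenant_wide"]:
            score += 5
        if entry["persistent"]:
            score += 2
        entry["score"] = score
        entry["severity"] = "high" if score >= 5 else "medium"
        findings.append(entry)
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_grants(parse_grants(SAMPLE_GRANTS_JSON), SANCTIONED_CLIENTS):
        who = "all users" if f["tenant_wide"] else ", ".join(sorted(f["users"]))
        print(f'{f["severity"]:6} {f["client_id"]:16} scopes={sorted(f["file_scopes"])} '
              f'consented_by={who} persistent={f["persistent"]}')
```

On the sample data the report lists app-unknown-2 first (two users, two *.All file scopes, refresh tokens) and app-unknown-4 as medium; the sanctioned app and the app that only asked for User.Read are left out. The scoring weights are illustrative; the point is that an app's consent type, its scope breadth and whether it holds refresh tokens are the fields to read before deciding what to revoke.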

Compliance and regulatory gaps

Files that end up in unapproved cloud apps have none of your usual security protocols to protect them. Sensitivity labels, retention policies, and audit logs are all left behind. You might be in breach of legal or regulatory compliance and not even know it. 

Introduction of malicious code

Malicious actors purposefully market some shadow IT services to catch employees’ attention. One quick download from a dodgy site and you’ve got an active malware threat to deal with.

We often see this when employees install productivity extensions or AI assistants that aren’t vetted. One compromised extension could read SharePoint pages, capture credentials, or quietly move data out of Microsoft 365.

Data sprawl and broken collaboration

If an employee is using Google Docs when the rest of the organization is using Word, the chance of people wasting time on duplicate work and being misaligned on projects skyrockets. This is a complete workflow killer.

How to detect and manage shadow IT

A shadow isn’t completely invisible, and neither is shadow IT. These five steps will help you spot unauthorized software, services, and tools. 

Step 1: Look for unauthorized apps and services

Scan your environment for anything that’s working outside of your approved channels. Microsoft Defender for Cloud Apps lets you look through Cloud Discovery logs to find any strange app behavior, unauthorized SaaS platforms, or spikes in traffic volume.

You should also audit the browser extensions users have on their devices and check your firewall and proxy logs. This first step is all about making an inventory of what’s active, what’s authorized, and what’s been flying under the radar.

Step 2: Assess risks and usage patterns

Rank the shadow IT you come across according to risk levels and how often employees access that app or service. Once you’ve got your priorities mapped out, you’ll know what to tackle first.
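Steps 1 and 2 together amount to building an inventory from whatever traffic data you have and then ordering it by risk and usage. The script below is an added example (not ShareGate's or Microsoft's code) that does this over constructed forward-proxy log lines: the log format, the hostnames, the app catalogue and its risk scores are all made up for illustration, and a real run would take exported proxy, firewall or Cloud Discovery data plus a maintained catalogue instead.

```python
"""Inventory and rank apps seen in proxy logs against a sanctioned list.

Added example for the detection steps above (not ShareGate's or Microsoft's
code). The log format, the app catalogue, the risk scores and the hostnames
are all constructed for illustration.
"""
import re

# Constructed sample of forward-proxy log lines:
# "<ISO time> <user> <destination host> <bytes sent> <action>".
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice share.example-files.net 5242880 ALLOW
2024-05-01T09:05:40Z bob graph.microsoft.com 2048 ALLOW
2024-05-01T09:07:02Z carol share.example-files.net 10485760 ALLOW
2024-05-01T09:09:15Z alice notes.example-ai.app 4096 ALLOW
this line is deliberately malformed and must be skipped
2024-05-01T10:11:58Z dave graph.microsoft.com 512 ALLOW
2024-05-01T10:15:03Z bob api.example-ai.app 1024 ALLOW
2024-05-01T10:20:44Z erin pastebin.example.org 204800 ALLOW
2024-05-01T10:25:00Z frank sync.unlisted-vendor.io 8192 ALLOW
"""

# Constructed catalogue: domain suffix -> (app name, risk score, 1 low to 10 high).
APP_CATALOGUE = {
    "microsoft.com": ("Microsoft 365", 1),
    "example-files.net": ("ExampleShare file sharing", 8),
    "example-ai.app": ("ExampleAI assistant", 6),
    "pastebin.example.org": ("Example paste site", 9),
}
UNLISTED_RISK = 5          # hosts missing from the catalogue get a middling score until reviewed
SANCTIONED_APPS = {"Microsoft 365"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Turn raw log text into records, skipping lines that don't match the format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, host, sent, action = m.groups()
        records.append({"time": ts, "user": user, "host": host,
                        "bytes_out": int(sent), "action": action})
    return records


def classify_host(host):
    """Map a hostname to (app, risk) using the longest matching catalogue suffix."""
    best = None
    for suffix, (app, risk) in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, app, risk)
    if best is None:
        return f"Unlisted host: {host}", UNLISTED_RISK
    return best[1], best[2]


def build_inventory(records):
    """Aggregate per app: who used it, how often, and how much data left the network."""
    apps = {}
    for r in records:
        app, risk = classify_host(r["host"])
        entry = apps.setdefault(app, {"app": app, "risk": risk, "users": set(),
                                      "requests": 0, "bytes_out": 0,
                                      "sanctioned": app in SANCTIONED_APPS})
        entry["users"].add(r["user"])
        entry["requests"] += 1
        entry["bytes_out"] += r["bytes_out"]
    return apps


def rank_shadow_it(inventory):
    """Order unsanctioned apps by risk weighted by usage (distinct users + MiB uploaded)."""
    ranked = []
    for entry in inventory.values():
        if entry["sanctioned"]:
            continue
        usage = len(entry["users"]) + entry["bytes_out"] / (1024 * 1024)
        ranked.append(dict(entry, priority=entry["risk"] * usage))
    ranked.sort(key=lambda e: e["priority"], reverse=True)
    return ranked


if __name__ == "__main__":
    for e in rank_shadow_it(build_inventory(parse_log(SAMPLE_LOG))):
        print(f'{e["priority"]:7.1f}  {e["app"]:40} users={sorted(e["users"])} '
              f'requests={e["requests"]} bytes_out={e["bytes_out"]}')
```

The file-sharing site lands on top because two people pushed 15 MiB to it, the AI assistant comes next on user count, and the host that is in no catalogue at all still appears with a placeholder score so it gets reviewed rather than lost. Swapping the usage weighting for whatever your organization cares about (number of users, upload volume, hits on blocked categories) is the tuning work Step 2 describes.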

Step 3: Identify useful and malicious shadow IT

Not every form of shadow IT is harmful. Users might find a tool that would genuinely help them with their work. If that’s the case, evaluate it. Can it integrate with Entra ID? Does it meet compliance standards? Is there budget for it? If it checks the boxes, onboard it properly with SSO, MFA, and data policies.

If you find a potentially malicious app, block it (using Defender for Cloud Apps) and suggest approved alternatives to employees. 

Step 4: Generate shadow IT reports

Generating regular shadow IT reports helps you keep tabs on your progress. These reports should cover both shadow IT use and attempts to access blocked services. Tracking how usage changes over time shows whether your controls are working and gives you something concrete to communicate to leadership.

Step 5: Enforce policies for sanctioned applications

After blocking access to shadow IT and cleaning up your tech stack, you’ll need to create and enforce policies that keep users from interacting with any unauthorized apps and services. 

Establish conditional access controls so users can't simply bring their own tools into the tenant. Then, regularly review your existing shadow IT policies and check for any spikes in suspicious activity. Catching things early can help prevent major cybersecurity risks down the line.

Best practices for shadow IT detection and management

Here are a few best practices to follow to help you keep shadow IT under control without slowing down your workforce:

  • Use specialized tools: Deploy a shadow IT discovery tool to audit your environment and monitor for unauthorized apps, cloud services, and tools. These programs can even detect new downloads automatically, so you can ask employees to remove the software immediately.
  • Verify security settings: Every approved tool in your organization needs to meet compliance standards. This means up-to-date configs, modern encryption standards, and sensitive information security.
  • Address AI adoption proactively: AI tools are being adopted too fast for most governance processes to keep up. These create unique blind spots around data exposure and usage. Microsoft MVP Jasper Oosterveld created a checklist to help you reduce AI risk in Microsoft 365 using Microsoft Purview and Defender for Cloud Apps to surface AI usage, assess risk, and enforce policies.
  • Define an approval pathway: Make it easy for employees to request access to a tool. If the process is quick and simple, people are more likely to use it instead of ignoring protocol.

Learn more about security and governance

With shiny new apps and services hitting the market every other week, shadow IT will always be a concern. If people think they can speed up their work with the help of a new tool, they'll want to try it out. This isn't inherently a problem, but it can lead to major issues if you lose visibility over your environment. To learn more about security, compliance, and management best practices, dive into ShareGate's IT governance toolbox.

Frequently asked questions

Which departments are most prone to using shadow IT?

No one team is more prone to using shadow IT than any other, but departments with effective tech stacks are less likely to turn to unauthorized apps and services.

How can shadow IT affect cloud security?

Shadow IT actively expands your attack surface. Worse, it does so without your knowledge. When you don’t know you have a connected app that needs protecting, it’s easier for malicious actors to access your data and systems. 

How often should organizations audit for shadow IT?

Continuously. Shadow IT can pop up fast—any time users adopt unsanctioned apps or services. Carry out regular checks for unauthorized programs on employees’ systems.