Microsoft Tech Community
Uncover your blind spots: seamlessly control cloud usage risks to your organization
Published Mar 09 2021 09:00 AM 10.4K Views

Authored with Boris Kacevich, Product Manager, Microsoft Cloud App Security


There has been a massive increase in Shadow IT usage in organizations over the past several years. While thousands of applications and dozens of gigabytes of data are being uploaded to the cloud, only 12% of these resources and usage are attributed to applications that are managed and monitored by an org.... Rapid cloud adoption is a fact, and we believe any organization should adopt the cloud in a safe and monitored way to minimize risk of exposure.

Shadow IT discovery should give immediate and clear feedback to your organization about which applications are being leveraged in your cloud environment. This brief two-minute video demonstrates the value of cloud shadow IT discovery in Microsoft Cloud App Security:

Microsoft Cloud App Security is designed to help organizations discover and identify risky usage and potential exfiltration, and to protect your organization from any risk surfaced by shadow app usage. The Cloud App Security database houses a cloud app catalog that enables discovery of more than 17,000 public applications, each evaluated by more than 90 risk indicators. The cloud app catalog can also be extended to discover usage of your line-of-business apps.

With unique endpoint controls, native integrations with third party network solutions and support for any log source, Microsoft Cloud App Security is designed for safe adoption based on three main app lifecycle phases:  

  1. Discover and identify cloud usage  
  2. Evaluate and analyze associated risk and compliance   
  3. Manage and monitor access and usage 

Discover and identify cloud usage  

We recommend customers begin their journey by discovering which apps are being used in their organization. Cloud App Security is integrated with more than 30 unique network appliances, so customers can use custom or native integrations with third-party solutions and leverage native integration with Microsoft Defender for Endpoint to get visibility of cloud usage from all their users and managed endpoints.

By leveraging the app catalog containing more than 17,000 public apps, Cloud App Security helps organizations understand usage patterns across apps, users, devices and IP addresses. Cloud App Security also enables configuration of your own line of business applications to help uncover their usage patterns. From this dashboard view, you can already see the rich insights presented after Cloud App Security has begun to detect applications in your environment: 

[Image: Discovery dashboard]


Evaluate and analyze associated risk  

After apps are discovered, risks are identified that might expose your organization. The compliance posture of the app is evaluated based on industry-leading standards such as GDPR, HIPAA, PCI, and more. The app’s risk assessment consists of more than 90 risk indicators including app vendor overview, security and compliance indicators. Cloud App Security helps organizations to stay up to date and learn about recent data breaches or publicly disclosed incidents, potential attack vectors, and whether the app has been patched for known vulnerabilities. Because each organization has its own process for addressing risk, we also provide the ability to override risk scores and modify risk weights to influence overall app risk calculation.   

Application risk in Microsoft Cloud App Security is continuously updated through self-attestation, continuous security research, advanced automated tools and customer feedback, which can influence each app's global score.
Here’s an example of the catalog of data insights that are kept for the 17,000+ applications in our database:  


[Image: Risky app indicators]


We have also partnered with Microsoft’s App Compliance program to power the public application self-attestation program, gathering risk data beyond web apps and driving individual service vendors to develop more secure apps.  

However, understanding the security and compliance posture of discovered apps doesn’t provide the full picture without analyzing the app’s actual usage. Understandably, a high usage of one risky app should be more concerning than the low usage of another risky app.  

Manage and monitor access and usage  

Cloud App Security provides various usage report types. For example, admins can select reports based on regions where they are deployed or specific business units, with the ability to dive deeper into app usage patterns in any connected app instance. Cloud App Security also offers traffic trends by transactions, users, uploads and downloads from discovered apps.    

By leveraging integration with Microsoft Defender for Endpoint, Cloud App Security enriches usage telemetry with information about the device in use while using the app. With clarity on risk and usage patterns, administrators can improve their security and compliance posture by managing discovered cloud applications.


Recommendations for managing newly discovered applications   

Organization admins must decide whether an application is valid for use from the perspectives of productivity, security and compliance. If the application is valid for use in the organization, the priority is to sanction the app.

Next, it’s wise to examine whether auditing or official management of the app is required. If either of these methods is needed, consider onboarding the app in Azure Active Directory for access (SSO) and user provisioning, controlling app access with conditional access, or applying real-time session controls based on the user’s session risk. When available, use the app connector to enable advanced threat protection and DLP capabilities.

Should an organization decide an app shouldn't be used by its employees, it is a simple action to label the app as unsanctioned. This action will be propagated directly to Microsoft Defender for Endpoint, or any other integrated appliance like Zscaler, iBoss, Menlo or Corrata, and will block access to the app.

[Image: Shadow IT slide, take action]

The last step of the framework is to create a continuous monitoring process, including a security plan that alerts on newly discovered risky apps or unusual high-volume use. 

Cloud App Security also provides customized report building capabilities by integrating with Azure Sentinel and Microsoft Power BI, in addition to reports and dashboards provided out of the box.


Traditional shadow IT discovery is a joint effort between a CASB and a network solution. The network solution sends all traffic telemetry from the corporate network to the CASB, which in turn provides detailed reporting. When multiple vendors are involved, it can become complex due to log collections and access policy sync, as well as supporting various log formats and their changes. Microsoft Cloud App Security enables discovery and enforcement down to the endpoint (sometimes referred to as endpoint CASB). These endpoint CASB capabilities deliver a seamless experience, leveraging integration with deployed Windows 10-based agents. These capabilities are available with single-click deployment, by enabling Microsoft Cloud App Security in Microsoft Defender for Endpoint. Enforcement is done on the endpoint and is agnostic to the network, providing visibility and control even when the user is working remotely, using a public/home network. This easily enabled tool allows enforcement of access controls at any time and from anywhere a user is trying to access cloud apps:

[Image: Shadow IT slide, endpoint CASB]


For further training or information, view Boris’ twenty-minute discussion on shadow IT discovery in Microsoft Cloud App Security:



We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security by emailing and mention Shadow IT Discovery.  


Learn more 

For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below: 

Join the conversation on Tech Community 

Stay up to date—subscribe to our blog.  

Upload a log file from your network firewall or enable logging via Microsoft Defender for Endpoint to discover Shadow IT in your network. 

Learn more—download Top 20 use cases for CASB. 

Connect your cloud apps to detect suspicious user activity and exposed sensitive data. 

Search documentation on Microsoft Cloud App Security 

Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment. 

Understand your licensing options.

Continue with more advanced use cases across information protection, compliance, and more. 

Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training 

Go deeper with these interactive guides: 


To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security. 

Follow us on LinkedIn as #CloudAppSecurity. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter, and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity. 

Last update: Nov 02 2021 04:59 PM