Shadow IT: What is it and how can Microsoft 365 help?

'Shadow IT' has become commonplace in almost every organisation—but what is shadow IT and how can you manage it?

In this article, we dissect this challenging recent trend and provide advice on how any organisation can tackle the issue.

We cover:

  • What is shadow IT?
  • Why do organisations experience shadow IT?
  • What are the risks and threats of shadow IT?
  • What are the advantages of shadow IT?
  • Should you embrace shadow IT?
  • How to manage shadow IT with Microsoft 365

What is shadow IT?

Did you know that 80% of employees are using non-sanctioned apps as part of their workflows?

This activity is an example of ‘shadow IT’, which can be defined as the use of software, applications, devices or other hardware which have not been approved, or supported, by the organisation’s IT department.

When employees take it upon themselves to use new tools, the IT department loses visibility of the technologies being used within the organisation and can no longer manage them all. This is why, on average, the CIO and IT department control only around 60% of IT spending: the remainder is spent on shadow IT by other individuals and teams.

On average, 1,181 different cloud services are used by an enterprise.

Why do organisations experience shadow IT?

There are various reasons that shadow IT might occur within a business.

The rise of software-as-a-service (SaaS) and consumer tech

One of the most common reasons for shadow IT is the meteoric rise in cloud-based consumer technologies and SaaS apps which we all use for communication and collaboration in our personal lives outside of work.

We’re so comfortable using many of these technologies that using them in the workplace is appealing in situations where IT-mandated software and devices are outdated and clunky to use—inhibiting productivity and leading to frustration. These temptations are especially likely to arise where employees are using personal devices for work (i.e. BYOD scenarios).

Without an IT-mandated productivity app like Microsoft Teams, users inevitably turn to alternative collaboration apps such as Slack, or even messaging apps like WhatsApp or Signal, when short on time.

If your employer isn’t running a suite of cloud-based business apps including the likes of OneDrive or Google Drive, why wouldn’t users reach for their personal cloud apps such as Dropbox? These services have made it easy to store files in the cloud and share them with a simple link. Having to compress folders and worry about email file-size limits is no longer something employees expect to have to do.

Infrastructure as a Service (IaaS)

Some organisations with their own developers may find shadow IT appearing in the form of IaaS services. For example, a developer might opt to make use of a public cloud service such as Amazon Web Services (AWS) rather than waiting for IT to acquire the necessary infrastructure—which could take a lot more time and slow progress.

Remote working

Before the pandemic, remote working was nowhere near as common and employees often struggled to work productively outside of the company network.

Rather than asking IT for help with gaining access to company resources remotely (such as requesting assistance with the corporate VPN), employees would often email sensitive work documents to their personal cloud-based email inboxes or take files home on unencrypted USB sticks to bypass those challenges and save time.

Personal preference

Even where IT have provided staff with high quality apps and hardware, some people will always prefer their own way of doing things.

Whether this is using familiar apps such as the Firefox or Chrome browsers instead of Edge, using Evernote instead of OneNote or Todoist instead of Microsoft To Do, some people will always prefer the things they’re used to and may even find it helpful to mix work and personal content together.

What are the risks and threats of shadow IT?

Shadow IT can pose many substantial risks to organisations.

Increased attack surface

Shadow IT has the potential to expand an organisation’s attack surface significantly. Aside from the obvious threats such as users clicking on app download links from various illegitimate websites, if IT don’t manage the new software or hardware, there is no way IT can support it and ensure it is secure.

Some legitimate pieces of consumer software can have notoriously poor security and lack crucial authentication features, such as two-factor authentication (2FA). The IT team also won’t be able to extend single sign-on authentication or other company security policies across apps they aren’t able to manage.


If you don’t have visibility of where your sensitive company data resides within shadow IT, you can’t enforce your security and data compliance policies. The risk of your data being lost, leaked or stolen will dramatically increase and this could expose your organisation to serious regulatory failures, financial penalties, reputational damage and data breaches.

Data silos and inefficiencies

When data becomes siloed, it can’t flow through an organisation as it is supposed to. Inefficiencies arise when data is duplicated in different locations, impacting productivity, data accuracy and reporting. Whilst shadow IT can provide quick fixes in many scenarios, if not properly managed it can also cause much greater issues further down the line.

Unnecessary expenditure

Where multiple departments use different shadow IT products (which may serve similar functions), business expenditure can be wasted through duplication of resources. When IT have visibility of the various resources being used across the organisation, they can detect overlap in capabilities and identify cost-saving opportunities from a consolidation exercise. IT can also ensure best practice is followed when provisioning different tools and systems, preventing wasted spend by team members who lack the necessary experience.

What are the advantages of shadow IT?

Despite the risks, there are a lot of benefits to shadow IT and many will tell you that you should embrace the fact that shadow IT is just another part of modern business—albeit one which needs to be carefully managed.


Giving employees the autonomy to work with the tools and technologies of their choosing can certainly help foster a culture of innovation and empower them to do their best work. Teams can create new efficiencies when they have the licence to design their own processes and workflows. With so many incredible apps on the market, it can be hard for IT to know which teams would benefit from various pieces of software. It often makes more sense for the team to decide which tools will fit their specific requirements; however, discussions should always be held with IT to ensure the apps can be properly procured, secured and managed.


Waiting for IT to approve a specific piece of software or hardware can be time-consuming; having the ability to rapidly provision and utilise tools enables teams to be more agile and get work done faster. Teams can reduce their time to market significantly by speeding up the development process and avoiding the bottlenecks often associated with gaining approval from IT.

Engaged employees

If employees only have access to outdated tools, it’s likely that they won’t be your employees much longer. People want, expect (and even demand) the very latest technology for their work. If they aren’t using cutting-edge modern technology, and the competition are, employees will look to move elsewhere to keep their skillsets fresh and in demand.

Should you embrace shadow IT?

The benefits associated with shadow IT such as increased productivity, innovation, collaboration and employee engagement are certainly significant. However, the benefits must be carefully weighed up against the many risks, especially around security and data compliance.

If IT want to act as a business enabler within the organisation, rather than be seen as a blocker, IT need to ensure they have the tools and capabilities to manage shadow IT in order to reap its rewards and avoid any unwelcome consequences.

There are many tools available on the market which can help organisations do this. Whilst many vendors will have their own proprietary tools, Microsoft Defender for Cloud Apps (part of Microsoft 365 and formerly known as ‘Microsoft Cloud App Security’) is a great example of this.

How to manage shadow IT with Microsoft 365 and Microsoft Defender for Cloud Apps

If your organisation is using Microsoft 365, Microsoft Defender for Cloud Apps can help you discover shadow IT and control the data flowing across the cloud applications in your organisation.

Defender for Cloud Apps is Microsoft’s cloud access security broker (CASB) and is an incredibly powerful tool which is included within various Microsoft subscriptions as part of their Microsoft 365 Defender suite of XDR tools, or as a standalone product.

It enables you to investigate and control the use of shadow IT, protect your data anywhere in the cloud, guard against suspicious behaviour and threats, and assess your app compliance.

‘Cloud Discovery’ is one of the core capabilities of Defender for Cloud Apps and enables you to identify which apps (including shadow IT) are being used within your organisation. Cloud Discovery can be integrated with ‘Microsoft Defender for Endpoint’ to collect data on Windows devices, whilst you can also use your firewalls and other proxies to collect further data from your endpoints. It also integrates natively with some third-party proxies such as Zscaler.

This gives you a picture of the app usage across your organisation and enables you to identify non-approved apps easily. Risk levels are also calculated for each app, using a catalogue of over 16,000 apps to provide contextual information on the app and its development history. This includes various details on aspects such as security, industry and legal regulations etc.

Naturally, you’ll want to understand if app usage is compliant with your organisation’s policies and compliance obligations. Microsoft Defender for Cloud Apps helps you identify which standards the app is compliant with, for example GDPR or HIPAA etc.

To understand the nature of the app usage, Microsoft Defender for Cloud Apps enables you to analyse how the app is being used and by whom. This is useful as you can identify if only a small contained set of users are using an app, or if it’s spreading across departments or even the whole organisation. You can analyse traffic volumes for each app and identify the total active users and the departments which are using the app.

If there appears to be a strong business requirement for the functionality of a specific app, yet the app is deemed risky, the catalogue of apps helps to identify apps with similar functionality which have different security controls and are considered safer to use.

With a strong understanding of the shadow IT taking place in your organisation, Defender for Cloud Apps makes governing these apps simple. You can choose to sanction, revoke or block apps, or even mark them for review. You can also take other actions such as adding some apps to Azure Active Directory in order to apply features such as single sign-on, extending your robust authentication across new apps.
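As an added illustration (not Defender for Cloud Apps code or output), the following Python sketch mimics the Cloud Discovery workflow described above: it aggregates traffic volume, active users and departments per app from constructed proxy log lines, joins them against a constructed risk catalogue (the hosts, scores and sanctioned list are assumptions), and produces a governance verdict per app, treating a host missing from the catalogue as high risk.

```python
from dataclasses import dataclass, field
# Constructed proxy log lines: user,department,destination host,bytes sent.
PROXY_LOG = """\
alice,Finance,app.slack.com,120000
bob,Engineering,app.slack.com,90000
bob,Engineering,s3.amazonaws.com,5400000
alice,Finance,www.dropbox.com,8200000
carol,Marketing,www.dropbox.com,150000
dave,Sales,teams.microsoft.com,300000
frank,Sales,files.example-unknown.net,70000
"""
# Constructed catalogue: host -> (app name, risk score; 10 = lowest risk).
CATALOGUE = {
    "app.slack.com": ("Slack", 8),
    "s3.amazonaws.com": ("Amazon S3", 9),
    "www.dropbox.com": ("Dropbox", 6),
    "teams.microsoft.com": ("Microsoft Teams", 10),
}
SANCTIONED = {"Microsoft Teams"}  # apps IT has already approved (assumed)
@dataclass
class AppUsage:
    name: str
    risk_score: int  # 0 means the host is not in the catalogue
    bytes_total: int = 0
    users: set = field(default_factory=set)
    departments: set = field(default_factory=set)

def discover(log_text, catalogue=CATALOGUE):
    # Aggregate traffic volume, active users and departments per app.
    apps = {}
    for line in log_text.strip().splitlines():
        user, dept, host, nbytes = line.split(",")
        name, score = catalogue.get(host, (host, 0))  # unknown host keeps its hostname
        usage = apps.setdefault(name, AppUsage(name, score))
        usage.bytes_total += int(nbytes)
        usage.users.add(user)
        usage.departments.add(dept)
    return apps

def triage(apps, sanctioned=SANCTIONED, min_score=7):
    # Governance verdict per app: sanctioned, block, review or monitor.
    verdicts = {}
    for name, u in apps.items():
        if name in sanctioned:
            verdicts[name] = "sanctioned"
        elif u.risk_score < min_score:
            verdicts[name] = "block"  # too risky or uncatalogued: unsanction
        else:  # acceptable risk; flag for review if spreading across departments
            verdicts[name] = "review" if len(u.departments) > 1 else "monitor"
    return verdicts
```

In a real deployment the log format is whatever your firewall or proxy exports, and the risk scores come from the vendor catalogue rather than a hand-written table.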

With continuous monitoring, you can also choose to be notified when new or risky apps are discovered within your organisation—enabling you to take action quickly.

This is just scratching the surface of how Microsoft Defender for Cloud Apps can help you manage your shadow IT. You can also approve specific apps, use connectors that leverage app APIs, and create policies to control what activities a user can take within that app, e.g. blocking downloads of information containing specific data such as bank account details, or blocking external sharing of .PDF files. The possibilities are extremely granular, giving you an incredible level of control over the actions users can take in your cloud apps.

With Azure AD and Conditional Access integration, you can also use Conditional Access App Control to enforce access and session controls based on any condition in Conditional Access, such as leveraging further integrations with Azure Information Protection and its classification labels to determine what actions can be performed for data of a certain label.

Next steps

If you’d like to find out more about controlling shadow IT with Microsoft 365, or would like help configuring Microsoft Defender for Cloud Apps within your organisation, get in touch with Chorus today.