A marketing manager signs up for a design tool using their corporate email. A project lead stores client documents in their personal Dropbox. A developer connects a third-party app to the company's Microsoft 365 tenant using OAuth consent. None of these actions were malicious. All of them created security exposures that the IT department cannot see.
This is shadow IT: technology used within an organization without explicit approval or knowledge of IT management. It is not a new problem, but cloud services have made it dramatically worse.
The Scale of the Problem
Research from Gartner consistently shows that 30 to 40 percent of IT spending in enterprises occurs outside the IT department's budget. For SMEs without formal procurement processes, the percentage is likely higher.
In a typical Microsoft 365 tenant audit, we find between 15 and 40 third-party applications with OAuth consent grants — meaning they have been given permission to read emails, access files, or act on behalf of users. Most IT administrators are unaware of the majority of these grants.
Each OAuth consent grant is a potential access vector. If the third-party application is compromised, the attacker inherits whatever permissions that application was granted in your tenant.
Why Employees Use Shadow IT
Understanding the motivation is essential to addressing the problem. Employees turn to unauthorized tools because:
- The approved tool is too slow or cumbersome — if the official project management tool takes 12 clicks to create a task, people will use a simpler alternative
- No approved tool exists — the organization has not provided a solution for a legitimate business need
- They don't know it's a problem — most employees have no idea that connecting a third-party app to their M365 account creates a security exposure
Punishing employees for using shadow IT without addressing these root causes guarantees the problem will continue — it will just become better hidden.
The Specific Risks
Data Exfiltration
When a user stores corporate documents in a personal cloud storage account, those documents leave your security perimeter permanently. You lose visibility, control, and the ability to revoke access. If that employee leaves the organization, the data goes with them.
OAuth Token Abuse
A third-party application with "Read and write all files" permission in your M365 tenant can access every document in SharePoint and OneDrive — even files the consenting user does not personally have access to, depending on the permission scope. These tokens persist until explicitly revoked.
Compliance Violations
GDPR requires that personal data processing is documented and lawful. If customer data flows through an unauthorized SaaS application with servers outside the EU, your organization may be in breach of data transfer regulations — regardless of whether IT knew about it.
NIS2 requires supply chain security measures. Every unauthorized SaaS application is an undocumented supplier that bypasses your supply chain security assessment.
Account Compromise Amplification
If an employee uses the same password for a shadow IT service and their corporate account (still common despite repeated warnings), a breach of the shadow service directly compromises corporate credentials.
How to Address Shadow IT
1. Discover What Exists
Microsoft Defender for Cloud Apps (included in M365 E5 or available as an add-on) provides a shadow IT discovery dashboard. It analyzes network traffic to identify which cloud services employees are using. This is the starting point — you cannot manage what you cannot see.
For organizations without Defender for Cloud Apps, an Entra ID audit of OAuth consent grants reveals which third-party applications have been granted access to your tenant. This can be done manually through the Azure portal.
2. Review OAuth Consent Grants
Audit every enterprise application in Entra ID. For each one, determine: who granted consent, what permissions were granted, and whether the application is still in use. Revoke grants for applications that are no longer needed or were never authorized.
Configure Entra ID to require admin consent for new OAuth grants. This prevents users from granting third-party applications access to corporate data without IT approval.
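The audit in steps 1 and 2 is easier when the grant list is triaged automatically. The following is an added example, not code from the article: it takes a list of consent grants and service principals in the shape Microsoft Graph returns from /oauth2PermissionGrants and /servicePrincipals (the sample values here are constructed) and ranks each grant by whether it is tenant-wide or carries a high-risk scope. The high-risk scope list is an assumption; adjust it to your own policy.

```python
import json

# Assumed starting list of scopes that warrant immediate review; extend to taste.
HIGH_RISK_SCOPES = {
    "Files.ReadWrite.All", "Files.Read.All", "Sites.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Directory.ReadWrite.All",
    "offline_access",
}

# Constructed sample data: field names follow Graph's oauth2PermissionGrant and
# servicePrincipal objects, but every id, name and user reference is made up.
SAMPLE_GRANTS = json.loads("""
[
 {"id":"g1","clientId":"sp-design","consentType":"Principal","principalId":"user-42",
  "resourceId":"sp-graph","scope":"User.Read Files.ReadWrite.All offline_access"},
 {"id":"g2","clientId":"sp-calendar","consentType":"Principal","principalId":"user-7",
  "resourceId":"sp-graph","scope":"User.Read Calendars.Read"},
 {"id":"g3","clientId":"sp-notes","consentType":"AllPrincipals","principalId":null,
  "resourceId":"sp-graph","scope":"User.Read Mail.Read"}
]
""")
SAMPLE_SPS = {
    "sp-design": {"displayName": "DesignTool", "appOwnerOrganizationId": "ext-tenant-1"},
    "sp-calendar": {"displayName": "CalendarSync", "appOwnerOrganizationId": "ext-tenant-2"},
    "sp-notes": {"displayName": "NoteTaker", "appOwnerOrganizationId": "ext-tenant-3"},
}

def triage_grants(grants, service_principals):
    """Return one finding per grant: app name, who consented, and which scopes
    hit the high-risk list. consentType "AllPrincipals" means an admin granted
    the app access on behalf of every user, so it is always flagged."""
    findings = []
    for g in grants:
        sp = service_principals.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        tenant_wide = g.get("consentType") == "AllPrincipals"
        findings.append({
            "grant_id": g["id"],
            "app": sp.get("displayName", g["clientId"]),
            "consented_by": "ADMIN (all users)" if tenant_wide else g.get("principalId"),
            "risky_scopes": risky,
            "review_first": tenant_wide or bool(risky),
        })
    # Grants needing review come first, then alphabetical by app name.
    return sorted(findings, key=lambda f: (not f["review_first"], f["app"]))

if __name__ == "__main__":
    for finding in triage_grants(SAMPLE_GRANTS, SAMPLE_SPS):
        print(finding)
```

The same function works unchanged on a real export once you page through the two Graph endpoints and pass the resulting lists in.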
3. Provide Approved Alternatives
For every shadow IT tool you discover, ask: what business need does this serve? If there is a legitimate need, provide an approved alternative. If the need does not exist, communicate clearly why the tool is not permitted.
4. Implement DLP Policies
Data Loss Prevention policies in Microsoft 365 can detect and block the transfer of sensitive data to unauthorized cloud services. Configure policies that prevent upload of documents containing customer data, financial information, or classified content to non-approved destinations.
5. Educate Without Punishing
Run a security awareness session that explains why shadow IT creates risk — not in abstract terms, but with concrete examples relevant to your organization. Most employees will comply when they understand the exposure they are creating.
The Ongoing Process
Shadow IT discovery is not a one-time exercise. New applications appear constantly. Schedule quarterly reviews of OAuth consent grants and annual shadow IT discovery scans. Include shadow IT in your incident response plan — when a third-party service is breached, you need to know quickly whether your organization had data there.
Start with an M365 security audit to discover what shadow IT exists in your environment today.