Collect
Ingest supported endpoint, firewall, proxy, secure web gateway, or uploaded traffic records.
Microsoft Defender · Cloud Discovery · SaaS governance
Cloud apps Shadow IT discovery turns endpoint, firewall, proxy, and secure web gateway traffic into an accountable SaaS governance process. This guide shows Orange County and Southern California IT and security teams how to establish coverage, evaluate discovered services, investigate users and devices, make sanctioned or unsanctioned decisions, apply proportionate controls, and prove that governance works.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience.

Operating objective
Employees adopt cloud services to solve legitimate business problems: collaboration, file transfer, design, messaging, automation, analytics, artificial intelligence, and specialized industry work. The risk is not simply that an app is unknown to IT. The risk is that organizational identities, endpoints, regulated data, client information, intellectual property, or privileged workflows move through a service whose security, privacy, contractual, retention, ownership, and recovery characteristics have not been evaluated.
Defender for Cloud Apps Cloud Discovery analyzes supported network-activity sources and compares observed services with the cloud app catalog. It can add usage, user, device, IP-address, transaction, traffic, category, and risk context. The operational program must then distinguish a real business need from avoidable duplication, assign an application and data owner, evaluate risk factors against company requirements, and choose a proportionate response.
Discovery architecture
No single source sees every location, device, protocol, user, or app. Combine practical sources and document their blind spots before treating a dashboard as complete.
Ingest supported endpoint, firewall, proxy, secure web gateway, or uploaded traffic records.
Parse domains, transactions, users, devices, IPs, bytes, timestamps, and report streams.
Map activity to cloud apps, catalog categories, risk factors, and unmatched services.
Review usage, business purpose, entities, trends, data sensitivity, and alternatives.
Sanction, watch, restrict, warn, block, migrate, or approve a bounded exception.
Confirm tags, policies, enforcement, residual access, help-desk impact, and evidence.
Source coverage
The native integration can forward cloud-app network activity from onboarded Windows devices, including user and device context, whether users are on or off the corporate network. Validate supported platform, license, onboarding, cloud-delivered protection, and network-protection requirements in current Microsoft documentation.
Continuous reports can cover managed network egress, non-Windows systems, devices that are not endpoint-onboarded, and site traffic. Preserve original supported log formats, accurate timestamps, required fields, collector health, and source-to-location mapping.
Snapshot reports support pilots and point-in-time analysis. Cloud Discovery APIs can automate supported upload and reporting workflows. Neither should silently become the long-term program without ownership, monitoring, retention, and failure handling.
| Coverage question | Endpoint integration | Network-log source | Evidence to retain |
|---|---|---|---|
| Where is activity observed? | On onboarded supported endpoints, including remote use | At the firewall, proxy, gateway, or collector path | Architecture and in-scope populations |
| Which entity context is available? | User and device when supported and resolved | User/IP/device only when the source log provides and maps it | Identity mapping and field sample |
| What can be missed? | Unonboarded or unsupported devices and gaps in network signals | Traffic outside the routed path, encrypted or missing fields | Blind-spot register and compensating source |
| How is health tested? | Onboarding, integration toggle, sensor and network-protection state | Collector, disk, parsing, upload, timestamps, volume, and alerts | Daily health record and failure escalation |
| How is enforcement linked? | Unsanctioned tags can sync to endpoint indicators when prerequisites are met | Block scripts or appliance-native policy according to supported workflow | Change record, pilot result, and effective block test |
Treat a combined source inventory as part of the control. Record office, remote, VPN, guest, server, macOS, mobile, unmanaged, and third-party populations so reporting gaps are visible.
Readiness and privacy
Verify current Defender for Cloud Apps and Defender for Endpoint entitlements, portal roles, device scope, network-protection state, policy permissions, governance authority, and who may tag or block an app. Use least privilege and test each role.
Document the purpose of monitoring, notice, acceptable-use policy, authorized reviewers, permitted investigations, labor requirements, data minimization, retention, and escalation. Cloud usage evidence can be sensitive even when it is not content inspection.
Name the security owner, SaaS/application owner, data owner, procurement/legal reviewer, network/endpoint enforcement owner, help desk, communications lead, and business risk approver. Avoid making the SOC the permanent owner of every unknown app.
Do not move to broad warning or blocking until source coverage, identity mapping, app/domain accuracy, sanctioned alternatives, emergency bypass, false-positive handling, service-desk readiness, user communication, rollback, and approval authority have been tested.
App evaluation
Microsoft’s cloud app catalog scores discoverable services using many risk factors across categories such as general, security, compliance, and legal characteristics. The score is a useful research input—not a substitute for a vendor assessment or a final allow/block decision. Review the current details, the date and source of evidence, unknown fields, and the organization’s own requirements.
Users, devices, IPs, transactions, traffic, uploads, first/last seen, growth, geography, business unit, remote use, and concentration.
Data classes, credentials, SSO/MFA support, account lifecycle, sharing, external users, ownership, export, deletion, recovery, and admin model.
Security program, encryption, logging, incident notification, subcontractors, vulnerability handling, availability, backup, retention, and legal terms.
Purpose, owner, approved overlap, integration, accessibility, cost, contractual need, migration path, operational criticality, and supportability.
| Priority band | Signals | Required action | Decision deadline |
|---|---|---|---|
| Immediate review | Sensitive upload, privileged identity, risky category, high growth, incident link, or no viable owner | Preserve evidence, contact owner, contain if authorized, legal/privacy review as needed | Hours to one business day |
| Accelerated | Wide usage, weak risk factors, regulated workflow, duplicate high-risk service, or unmanaged sharing | App assessment, alternative analysis, pilot communication, decision and remediation plan | Several business days |
| Planned | Moderate use, lower-sensitivity purpose, manageable risk, identified owner, no urgent threat | Queue by category and owner; complete documented review in normal cadence | Defined monthly or quarterly SLA |
| Monitor | Low use, low consequence, incomplete signal, or approved service awaiting confirmation | Tag, save query, set policy threshold, and re-evaluate when usage or risk changes | Periodic review |
Decision states
New or insufficiently investigated. Preserve source, scope, risk context, owner-search status, and review due date. Unreviewed must not become permanent.
Monitoring is appropriate while usage, owner, vendor evidence, or business purpose develops. Define measurable policy thresholds that trigger reassessment.
Approved for a stated purpose, population, data class, identity pattern, and configuration. Record conditions, owner, renewal, and approved tenant or domain.
Allowed only for specific users, non-sensitive data, read-only use, approved devices, browser session controls, or transition period. Enforce and test the boundary.
Prohibited after authorized review. Document affected users, replacement, communication, technical enforcement, exceptions, rollback, and residual access paths.
Real residual risk is accepted for a bounded scope and duration with a business owner, compensating controls, monitoring, milestones, expiration, and re-review.
Custom app tags can support workflow states such as “owner needed,” “legal review,” “migration planned,” or “approved for public data only.” Keep tag meanings documented. Do not create so many tags that teams cannot tell which ones carry policy or enforcement consequences.
Implementation runbook
Define objectives, scope, data sources, acceptable-use connection, privacy guardrails, decision rights, risk authority, reporting, and success criteria.
Inventory endpoint and network populations, remote paths, offices, platforms, unmanaged devices, guests, servers, collectors, gateways, and exclusions.
Use controlled known apps and users to test parsing, identity/device mapping, timestamps, domain matching, traffic volume, duplicate signals, latency, and report stream.
Map apps and categories to business, application, data, procurement, legal, endpoint, network, and support owners with escalation for unknown ownership.
Build repeatable filters for high traffic, new apps, risky storage, weak authentication, missing compliance evidence, anonymous use, and sensitive workflows.
Set material users, traffic, transactions, upload, category, score, risk-factor, or growth thresholds. Document baseline and expected false positives.
Review app detail, usage trend, top users/devices/IPs, related alerts, owner, purpose, data class, approved alternatives, and anomalous change.
Evaluate catalog evidence, security, compliance, legal, privacy, identity, data ownership, resilience, contract, configuration, and integration requirements.
Sanction, watch, restrict, warn, unsanction, migrate, or grant an exception. Record scope, owner, conditions, due date, and authority.
Notify affected users and managers, publish the approved alternative, prepare help-desk scripts, define emergency bypass, and identify business-critical exceptions.
Use a pilot group or location. Apply supported endpoint, firewall, proxy, or gateway warning/block methods with change control, monitoring, and rollback.
Test effective behavior, residual domains, unmanaged paths, user impact, bypasses, report trend, and exception expiry. Reopen when usage or vendor risk changes.
Policies and enforcement
Cloud Discovery policies can alert on new, risky, high-volume, wide-use, or category-specific activity. Start with a measured baseline. Use saved queries and tags that operations can understand, set alert severity and daily limits intentionally, name an owner, and document the investigation and closure criteria.
When Defender for Endpoint integration and prerequisites are enabled, the unsanctioned tag can synchronize app indicators for network-protection-based warning or blocking. Test onboarded devices, supported operating systems, policy mode, browser behavior, indicator propagation, off-network use, and the user experience.
Firewall or secure web gateway workflows can use supported block scripts or appliance-native policy. Validate the app’s domains and changing URL patterns, shared infrastructure, content delivery networks, regional services, mobile/desktop clients, APIs, and business exceptions before deployment.
Investigation workflow
Review category, catalog score and factors, domains, usage trend, uploads, transactions, traffic, related tags, policies, similar apps, approved alternatives, and evidence currency.
Review top users, devices, IP addresses, business units, locations, risk indicators, repeated usage, privileged roles, unmanaged devices, and recent changes. Respect authorized investigation boundaries.
Ask what problem the app solves, who owns the process, what data enters it, whether users signed terms, whether an enterprise tenant exists, and what interruption would affect.
Operational cadence
Check endpoint and collector health, parsing/upload failures, material new apps, policy alerts, high-risk growth, failed blocks, and urgent owner gaps.
Triage new and aged reviews, reconcile tags and tickets, investigate top entities, validate enforcement, review help-desk impact, and escalate decisions.
Analyze app/category trend, sanctioned overlap, exception debt, policy quality, source blind spots, residual use, report stream changes, and owner performance.
Reapprove charter, risk weights, decision criteria, app catalog, approved alternatives, retention/privacy, roles, connectors, enforcement patterns, and roadmap.
| Review | Inputs | Decision | Output |
|---|---|---|---|
| Source health | Collector status, endpoint coverage, report volume, parsing, gaps, timestamps | Healthy, degraded, blind, or invalid | Incident, owner, recovery target, and affected reporting window |
| App triage | Risk, usage, entities, business purpose, data, alternatives, alerts | Priority, owner, investigation path | Decision record and due date |
| Governance | Assessment, legal/privacy, procurement, owner, support, control options | Sanction, restrict, watch, block, migrate, or exception | Approved state, conditions, communication, implementation |
| Effectiveness | Effective policy, user test, traffic trend, residual paths, tickets, exceptions | Effective, partial, failed, or harmful | Closure evidence, correction, rollback, or reopened work |
Validation and evidence
Known-app pilot records, raw supported log sample, endpoint or collector configuration, timestamp mapping, report stream, parsed entities, health alerts, and documented blind spots.
App detail, usage, risk-factor review, owner and purpose, data assessment, legal/privacy/procurement evidence, approved state, conditions, alternative, and communication.
Policy/tag state, endpoint or network configuration, pilot result, supported browser/client/device tests, effective warning/block, residual domains, bypasses, exceptions, and rollback.
Sources observe expected populations, decisions are authorized, controls work for their defined scope, residual use is understood, and user/business impact is acceptable.
One source, platform, location, client, domain, or device class remains outside coverage or enforcement. Keep the decision open with owner and deadline.
Parsing, identity mapping, catalog match, tag, policy, block, alternative, or communication is wrong. Roll back harmful controls, correct evidence, and retest.
Top risks and common misconfigurations
These patterns create invisible populations, weak decisions, business disruption, or control claims that cannot be proven.
Unonboarded, unsupported, personal, mobile, server, guest, or network-only activity remains invisible. Maintain the coverage and blind-spot map.
IP-only or poorly mapped records are assigned to the wrong user or team. Validate source fields, NAT/proxy behavior, clocks, and identity resolution.
Disk, parsing, certificate, proxy, bandwidth, or upload problems create a clean dashboard while new logs are absent. Alert on health and volume.
A numeric score cannot establish local data, contract, identity, ownership, resilience, configuration, or business requirements. Complete the assessment.
The unreviewed queue grows indefinitely. Assign an owner-search route, risk-based SLA, and escalation to application/service governance.
The portal state is reported as blocked without confirming indicator sync, network protection, appliance policy, scope, propagation, and effective access.
No business owner, alternative, pilot, communication, exception, or rollback exists. Users shift to harder-to-see channels and trust erodes.
Broad indicators affect unrelated apps, authentication, APIs, CDNs, or embedded services. Test domain dependencies and client behaviors.
Noisy users, IPs, groups, or devices are excluded without justification and review. Preserve scope and remember exclusions may affect only future data or certain streams.
Temporary business needs become permanent unmanaged services. Report owner, data, controls, milestones, expiration, and residual usage.
Metrics and reporting
| Measure | Definition | Why it matters | Quality warning |
|---|---|---|---|
| Discovery coverage | In-scope users, devices, and locations represented by healthy sources | Shows whether inventory claims are credible | Denominator excludes unmanaged populations |
| Source freshness | Expected versus received data by report stream | Detects silent visibility loss | Portal has old data but still looks populated |
| Time to owner | Median time from material discovery to accountable app/data owner | Measures service-governance quality | Security is assigned by default but cannot decide |
| Time to decision | Median age to sanction, restrict, watch, block, migrate, or exception | Reduces permanent unreviewed use | Records close without an authorized decision |
| Residual unsanctioned use | Users, devices, transactions, or traffic after enforcement | Tests real behavior and alternate paths | Tag state is counted as effective blocking |
| Approved-app adoption | Affected users successfully moved to sanctioned alternative | Measures business enablement, not only denial | Use disappears because work moved off monitored paths |
| Policy precision | Useful alerts or actions versus false positives and noise | Protects analyst capacity and user trust | Low alert count is mistaken for low risk |
| Exception debt | Open, expiring, overdue, and renewed exceptions by owner/data class | Keeps accepted risk visible | Exceptions are omitted from executive reports |
Material app categories, sensitive data paths, source blind spots, high-risk growth, owner gaps, residual unsanctioned use, exception debt, and investment decisions.
Collector and integration health, new apps, aged queue, policy alerts, failed tags/blocks, help-desk impact, approved-alternative adoption, and re-tests.
Charter, roles, source map, privacy basis, app assessments, approvals, policy changes, user communications, technical tests, exceptions, and review evidence.
Troubleshooting
Check licensing, onboarding, Defender for Cloud Apps integration toggle, cloud-delivered protection, network protection, supported devices, portal role, network traffic, and the documented data appearance window.
Validate source format, collector status, disk space, timestamps, connectivity, proxy/certificate trust, syslog or FTP delivery, file completion, upload, parsing errors, and report source selection.
Confirm domain/subdomain in raw traffic, catalog matching, custom parser output, URL normalization, TLS/proxy behavior, and whether a new app should be suggested to Microsoft.
Review NAT, proxy authentication, user aliases, IP changes, shared devices, clock skew, device identity, endpoint context, and whether the report stream supports the entity field.
Check duplicate sources, retry traffic, CDN domains, background synchronization, service accounts, shared egress, bytes/transactions meaning, exclusions, and observation period.
Verify policy enabled state, filters, thresholds, app/category scope, report stream, alert limit, recent data, tag condition, severity, recipient, and suppression.
Check tag propagation, Defender for Endpoint integration, network-protection block mode, indicator status, device onboarding, browser/client, alternate domains, mobile/unmanaged use, and shared URLs.
Disable or roll back the harmful rule, preserve evidence, compare indicator/domain scope, inspect shared infrastructure, test authentication/API dependencies, and refine enforcement.
Investigate usability, access, performance, licensing, external sharing, feature gaps, training, migration, mobile experience, and help-desk friction before escalating enforcement.
Related architecture and authoritative resources
Microsoft Security Exposure Management Operations Guide — connect SaaS exposure to critical assets, attack paths, owners, and risk reporting.
Defender for Endpoint Device Grouping and RBAC Guide — design scope and permissions for endpoint-driven discovery and enforcement.
Microsoft Defender XDR Operations Guide — investigate related users, devices, incidents, and evidence.
Microsoft 365 Security Configuration Guide — align discovered-app governance with tenant security controls.
Microsoft 365 Managed Services — ongoing identity, endpoint, cloud, email, collaboration, and administration support.
About Ali Hassani — CISO, CISSP, CCISO, and Microsoft infrastructure/security professional.
Defender for Cloud Apps documentation — current product, Cloud Discovery, policy, governance, and operations guidance.
Discover and manage Shadow IT — discovery, analysis, management, and control workflow.
Integrate Defender for Endpoint — endpoint signal prerequisites, device and user context, and configuration.
Govern discovered apps with Defender for Endpoint — unsanctioned tags, warning, and network-protection blocking.
Cloud app catalog and risk scores — catalog factors, category weighting, and update requests.
Cloud Discovery dashboard — app, user, device, IP, traffic, report, exclusion, and executive-report guidance.
Discovered app filters and queries — reusable investigations, tags, risk, usage, and category filters.
Automatic log upload — continuous reports, log collectors, prerequisites, capacity, and health.
Defender for Cloud Apps operational guide — current daily, weekly, monthly, and ad-hoc tasks.
This guide supports implementation planning and initial validation. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal/privacy review, procurement review, or product-licensing analysis. Microsoft features and requirements change; confirm current tenant behavior and official documentation before relying on a particular setting or limit.
Frequently asked questions
Cloud Discovery analyzes supported endpoint and network traffic signals to identify cloud services being used, add user, device, IP, transaction, traffic, category, and catalog-risk context, and support investigation and governance. It does not by itself establish business purpose, data sensitivity, contract approval, or complete control effectiveness.
No. The catalog score is an important research and prioritization input, but a decision should also consider actual usage, data, identities, vendor evidence, contract and privacy requirements, business need, alternatives, ownership, technical feasibility, and user impact.
A sanctioned app is approved for a defined purpose and conditions. An unsanctioned app is prohibited after an authorized review. Both states require ownership, scope, communication, evidence, and periodic review. Marking an app unsanctioned does not prove every access path is blocked.
The supported integration can provide endpoint-based cloud-app network activity from onboarded devices when they are away from the corporate network. Coverage still depends on current licensing, supported devices, onboarding, settings, network activity, permissions, and Microsoft prerequisites.
Use a pilot population and test the actual app, domains, browsers, desktop and mobile clients, APIs, locations, managed and unmanaged paths, warning or block behavior, propagation, help-desk impact, approved alternatives, exceptions, and rollback. Then review residual traffic rather than relying only on a tag.
No. Cloud Discovery is a valuable visibility and SaaS governance capability. A professional assessment also evaluates tenant configuration, identity, endpoint, data protection, vendor risk, policy, legal and compliance obligations, evidence quality, process effectiveness, and exposures outside a single product view.
Cloud app discovery, governance, and support
IT Perfection helps Orange County and Southern California organizations establish Cloud Discovery coverage, app-risk review, policy thresholds, sanctioned alternatives, safe endpoint and network enforcement, validation evidence, and ongoing Microsoft 365 security operations.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.