In the realm of cybersecurity for Microsoft 365, shadow IT represents a significant challenge. Shadow IT refers to the use of unsanctioned applications within an organization, often without the knowledge of the IT department. Microsoft Defender for Cloud Apps offers robust tools for discovering and managing these unauthorized applications, crucial for maintaining security and compliance for Microsoft cloud.

Understanding the Scope of Shadow IT

IT administrators often underestimate the extent of shadow IT. While the average estimate is around 30 to 40 apps, the reality often exceeds 1,000 different apps used by employees, many of which are not reviewed or compliant with managed compliance for Microsoft 365 standards.

Phase 1: Discover and Identify Shadow IT

Discover Shadow IT: Utilize Cloud Discovery to assess your organization's security posture. This can be done via integration with Microsoft Defender for Endpoint.

To enable Defender for Endpoint integration with Defender for Cloud Apps:

1. In Microsoft Defender XDR, from the navigation pane, select Settings.

2. Select Endpoints.

3. Under General, select Advanced features.

4. Toggle the Microsoft Defender for Cloud Apps to On.

5. Select Apply.

Note: It takes up to two hours after you enable the integration for the data to show up in Defender for Cloud Apps.

To configure the severity for alerts sent to Microsoft Defender for Endpoint:

1. In the Microsoft Defender Portal, select Settings. Then choose Cloud Apps. Under Cloud Discovery, select Microsoft Defender for Endpoint.

2. Under Alerts, select the global severity level for alerts.

3. Select Save.

Now that Cloud Discovery is running on your network, look at the continuous reports that are generated and look at the Cloud Discovery dashboard to get a full picture of what apps are being used in your organization. It's a good idea to look at them by category, because you'll often find that non-sanctioned apps are being used for legitimate work-related purposes that weren't addressed by a sanctioned app.

Identify the risk levels of your apps: Dive into the risks associated with each discovered app using the Defender for Cloud Apps catalog, which assesses apps using over 90 risk factors.

• In the Microsoft Defender Portal, under Cloud Apps, select Cloud Discovery. Then go to the Discovered apps tab. Filter the list of apps discovered in your organization by the risk factors you're concerned about. For example, you can use Advanced filters to find all apps with a risk score lower than 8.

• You can drill down into the app to understand more about its compliance by selecting the app name and then selecting the Info tab to see details about the app's security risk factors.

Phase 2: Evaluate Compliance and Usage

Evaluate compliance: Check whether the apps are certified as compliant with your organization's standards, such as HIPAA or SOC2.

• In the Microsoft Defender Portal, under Cloud Apps, select Cloud Discovery. Then go to the Discovered apps tab. Filter the list of apps discovered in your organization by the compliance risk factors you're concerned about. For example, use the suggested query to filter out non-compliant apps.

• You can drill down into the app to understand more about its compliance by selecting the app name and then selecting the Info tab to see details about the app's compliance risk factors.

Analyze usage: Now that you know whether or not you want the app to be used in your organization, you want to investigate how and who is using it. If it's only used in a limited way in your organization maybe it's ok, but maybe if the use is growing you want to be notified about it so you can decide if you want to block the app.

• In the Microsoft Defender Portal, under Cloud Apps, select Cloud Discovery. Then go to the Discovered apps tab, and then drill down by selecting the specific app you want to investigate. The Usage tab lets you know how many active users are using the app and how much traffic it's generating. This can already give you a good picture of what's happening with the app. Then, if you want to see who, specifically, is using the app, you can drill down further by selecting Total active users. This important step can give you pertinent information, for example, if you discover that all the users of a specific app are from the Marketing department, it's possible that there's a business need for this app, and if it's risky you should talk to them about an alternative before blocking it.

• Dive even deeper when investigating use of discovered apps. View subdomains and resources to learn about specific activities, data access, and resource usage in your cloud services.

Identify alternative apps: Use the Cloud App Catalog to identify safer apps that achieve similar business functionality as the detected risky apps, but do comply with your organization's policy. You can do this by using the advanced filters to find apps in the same category that meet with your different security controls.

Phase 3: Manage Your Apps

App Management: Create custom app tags for classification and monitoring, an essential aspect of managed security for Microsoft cloud​​. App tags can be managed under Settings > Cloud Apps > Cloud Discovery > App tags. These tags can then be used later for filtering in the Cloud Discovery pages and creating policies using them.

Continuous monitoring: Now that you've thoroughly investigated the apps, you might want to set policies that monitor the apps and provide control where needed. You can use policy templates available with Microsoft Defender for Cloud Apps. To see the full list of policy templates, in the Microsoft Defender Portal, under Cloud Apps, go to Policies -> Policy templates.

Phase 4: Advanced Shadow IT discovery reporting

In addition to the reporting options available in Defender for Cloud Apps, you can integrate Cloud Discovery logs into Microsoft Sentinel for further investigation and analysis. Once the data is in Microsoft Sentinel, you can view it in dashboards, run queries using Kusto query language, export queries to Microsoft Power BI, integrate with other sources, and create custom alerts.

Ongoing Vigilance

Regularly track, review, and update your policies, ensuring that your organization adapts to the ever-changing landscape of cloud apps and maintains robust security and compliance for Microsoft 365​​.

In summary, managing shadow IT effectively is pivotal for organizations seeking to improve their cybersecurity posture. By leveraging tools like Microsoft Defender for Cloud Apps, you can ensure that your organization's use of applications is secure, compliant, and aligned with your business objectives.

To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.