Shadow IT is a serious problem in today’s workplace and can compromise your company’s data security. But what exactly is shadow IT?

In short, it’s any kind of unapproved hardware or software that an employee uses without your IT team’s knowledge. When an employee chooses to circumvent your company’s security policies and procedures through the use of shadow IT, they can only bring harm to your enterprise. In fact, a few years ago, Gartner predicted that shadow IT can cost 35% of an enterprise’s resources.

Download our PowerPoint deck: 7 Free Things You Can Do to Improve Your Office 365 Security Posture.

The first example of shadow IT that comes to mind is when an employee installs unauthorized software on a company computer or device. But it can go much deeper than that. One thing you may not have even considered is when an employee—or even an entire department—starts using a public cloud server that has not been authorized by your IT department.

In the case of the first example, unauthorized software is very easy to detect; the same cannot be said about using a rogue public server. In light of shadow IT, Microsoft suggests that you give your employees the capabilities they need—but within authorized applications and servers.

With Office 365 applications, an employee does not need to invoke shadow IT to use a piece of software or hardware. But if they do so anyway, there are security measures in place to help you take appropriate action.

Fight Shadow IT with the Productivity App Discovery Tool

NOTE: The Productivity App Discovery tool is only available if you subscribe to Advanced Security Management (ASM) in Office 365.

Microsoft has introduced a new app in its fight against shadow IT. It’s called the Productivity App Discovery tool, and it’s conveniently located in the Office 365 Security and Compliance Center.

In short, the Productivity App Discovery tool monitors how your Office 365 applications are being used and visualizes the results using a graphical dashboard. It’s easy to use and does not require any installation.

But if detecting and combating shadow IT is so tricky, how does Office 365 accomplish its mission? The answer is in the logs of your enterprise’s firewall.

In these logs, the Productivity App Discovery tool looks for:

  • The date of the transaction in question
  • The IP address from which the transaction originated
  • The individual who initiated the transaction
  • The IP address to which the request was sent
  • The URL to which the activity was directed
  • The amount of data that was sent or received
  • The response from the enterprise’s firewall (acceptance or rejection)

Supported Firewalls

The Productivity App Discovery tool cannot analyze every type of firewall out there, but it does work with the more popular ones. And some firewalls do not log the names of users who initiate transactions, which can make your IT department’s detective work a bit trickier.

Currently, the Productivity App Discovery tool works with the following firewalls:

  • Barracuda Web App Firewall (W3C)
  • Blue Coat Proxy SG access log (W3C)
  • Check Point
  • Cisco ASA Firewall (note: the information level must be set to 6)
  • Cisco ASA with Fire POWER
  • Cisco IronPort WSA
  • Cisco Scan Safe
  • Cisco Meraki – URLs log
  • Clavister NGFW (Syslog)
  • Dell Sonic wall
  • Digital Arts i-FILTER
  • Fortinet Fortigate
  • Juniper SRX
  • Juniper SSG
  • McAfee Secure Web Gateway
  • Microsoft Forefront Threat Management Gateway (W3C)
  • Palo Alto series Firewall
  • Sophos SG
  • Sophos Cyberoam
  • Squid (Common)
  • Squid (Native)
  • Websense – Web Security Solutions – Investigative detail report (CSV)
  • Websense – Web Security Solutions – Internet activity log (CEF)
  • Zscaler

*Source: GitHub

Your specific firewall may not be included in the list above. However, on the dashboard you also have the option to select “Other”, and you will still be able to upload your log files for analysis. Microsoft will take your log format and add the firewall to its growing list of devices.

The Productivity App Discovery Dashboard

User and IP address information are the newest changes to the Productivity App Discovery tool. After you create a report, you’ll be able to see the number of users as well as those who use cloud servers the most in your enterprise.

You can sort the information in the Productivity App Discovery dashboard by:

  • Traffic
  • Applications
  • Users
  • Risk Assessment

But in order to access the Productivity App Discovery dashboard, you need to first create a report. To do so, you need to give your report a name and description and then the source of the information, such as logs from your firewalls or proxies. Depending on the size of the logs, it may take a few minutes for the Productivity App Discovery tool to analyze the data in them. But it will send you an email notification when the report is complete.

You can upload as many as 20 log files (max 1 GB each) to be analyzed in a single report. Once a report is created, it can be exported to CSV or Excel format for further analysis. The log files are uploaded manually by an admin. Once that’s done, the files are checked to make sure they are in the proper format for analysis. The log files are then analyzed using the Microsoft SaaS database, and a risk assessment is calculated. Finally, the data is aggregated to create the visual dashboard shown below.

Fighting Shadow IT with Office 365: Productivity App Discovery Dashboard

To make it easier for the Productivity App Discovery tool to show how much data goes through each of your Office 365 apps, Microsoft groups them into the following categories:

  • Collaboration – Office 365, and Sharepoint
  • Cloud storage – OneDrive
  • Webmail – Exchange Online
  • Social Network – Yammer
  • Online Meeting – Skype for Business

The page above also has three tabs to the right of the Dashboard:

  • Discovered apps
  • IP addresses
  • Users

The Discovered apps tab shows you information like the amount of traffic, number of users, and times when the application in question was accessed. You can drill down to get additional information, such as the users who accessed the app and the IP addresses they used. You can also create a custom query for apps that you’re interested in monitoring.

The IP Addresses tab shows the top 100 IP addresses that are accessing cloud services within your organization. You can click on an individual IP address and get a summary of transactions and traffic for specific apps and users.

And lastly, the Users tab shows you the top 100 Office 365 users at your organization. You can use this tab to search for users and see a summary of the cloud services they used.

Cloud App Discovery

The Productivity App Discovery tool gives your enterprise access to Office 365 Cloud App Discovery. This service is available in Office 365 E5 plans; it allows you to monitor and control how different productivity cloud applications are used by your enterprise.

Cloud App Discovery is not a part of the Office 365 admin center but can be accessed at

To use Cloud App Discovery, you need to manually upload logs from your firewall or proxy.

Cloud App Discovery is structured with the following sections:

  • Cloud Discovery – used to determine all of the cloud usage in your enterprise, including those related to shadow IT.
  • Data Protection – used to monitor and track your data in the cloud so your IT admin can be notified and perform investigative work if necessary.
  • Threat Protection – used to detect and mitigate security incidents with notifications that are sent to IT admins.

Cloud App Discovery can generate two types of reports: snapshot and continuous. As its name implies, a snapshot report provides summaries of the logs that were manually uploaded from your firewalls and proxies. In contrast, continuous reports analyze all of the logs submitted and provide visibility on all the data, using a machine learning engine or policies that you have customized to fit your enterprise’s needs.

Using Policies

There are seven different types of Cloud App Discovery policies that you can use to monitor and alert your IT admins. These are:

  • Access policy: Enables real-time monitoring and establishes control over user logins to cloud apps.
  • Activity policy: Enables you to enforce a wide range of automated processes using an app provider’s API. Allows you to monitor specific activities carried out by different users or track high activity levels.
  • Anomaly detection policy: Allows you to look for unusual activities on your cloud. This is based on the risk factors you created. You’ll receive alerts when something odd happens that differs from either your enterprise’s reference baseline or your users’ regular activity.
  • App discovery policy: Allows you to set alerts to notify you when new apps are detected within your enterprise.
  • Cloud Discovery anomaly detection policy: Looks at the logs you use for discovering cloud apps and searches for unusual occurrences (e.g., when a user who has never used Dropbox uploads 600 GB to it).
  • File policy: Allows you to scan your cloud apps for specific files, file types (such as shared, or shared with external domains), or data (proprietary information, credit card information, etc.). Also allows you to apply governing actions to these files.
  • Session policy: Provides you with real-time monitoring and control over user activity in your enterprise’s cloud apps.

Under the policy of bring your own device (BYOD), it’s difficult to fight shadow IT without a comprehensive solution that monitors your enterprise’s data usage and network traffic. With Office 365 Productivity App Discovery and Cloud App Discovery, Microsoft enables enterprises like you to mitigate shadow IT and other security concerns.

Download Our Free PowerPoint Deck!

7 Free Things You Can Do to Improve Your Office 365 Security Posture

Find out what you can be doing to better protect your Office 365 environment, why you should be taking these precautions and a step by step guide of how to implement these procedures.

Thank you! We've just sent you your deck.

Written by Sophie Furnival Content Specialist @ SherWeb

Sophie is SherWeb's Marketing Communications Strategist.