
This guide covers how to detect shadow IT in Microsoft 365, the risks it carries and how to respond. If your Edinburgh business runs Microsoft 365 Business Premium, you already own a full Cloud Access Security Broker (CASB), Microsoft Defender for Cloud Apps, that can discover the cloud applications your staff access. Most IT managers have never switched it on. This guide walks you through the six-step activation process and shows you what to do with what you find.
TL;DR: 71% of UK employees use unapproved AI tools (Microsoft Research, 2024). Microsoft 365 Business Premium includes Defender for Cloud Apps, a CASB that detects shadow IT typically within 3 days of activation. Edinburgh SMEs in legal and financial services can map, classify, and block unsanctioned apps using tools they’re already paying for. This guide covers the six-step process from enabling Cloud Discovery to setting up blocking policies.
Step-by-Step: Setting Up Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS) is included in Microsoft 365 Business Premium and above, which means most Edinburgh SMEs with a reasonably modern Microsoft licence already have access to it. Here’s how to get it working for shadow IT discovery.
Step 1 – Enable the Defender for Cloud Apps portal. Sign in to the Microsoft Defender portal at security.microsoft.com with a Global Administrator or Security Administrator account. Navigate to Cloud Apps in the left-hand navigation. If you haven’t used it before, you’ll be prompted to complete initial onboarding. Accept the defaults for now – you can refine settings later.
Step 2 – Set up Cloud Discovery. Cloud Discovery analyses your network traffic logs to identify cloud applications in use across your organisation. Go to Cloud Apps > Cloud Discovery > Create snapshot report. You have two options: upload a firewall or proxy log manually as a one-off snapshot, or configure automatic log upload from a supported network device. If you’re using a Cisco, Fortinet, Palo Alto, or Check Point device, Defender for Cloud Apps can parse these logs natively. Upload a representative 30-day sample to get your first discovery report. A snapshot is a point-in-time view only; for continuous data you need automatic log upload or the Defender for Endpoint integration described later in this guide.
Step 3 – Review the discovered applications. Once your logs are processed (usually within a few hours), navigate to Cloud Apps > Cloud Discovery > Discovered Apps. You’ll see a ranked list of applications your organisation is accessing, categorised by risk score, number of users, and data volume. Pay particular attention to applications in the Storage and Sharing, Communication, and Productivity categories – these are where shadow IT typically concentrates.
Step 4 – Tag and manage applications. Click any discovered application to see details. You can tag it as Sanctioned (approved for use), Unsanctioned (blocked), or leave it untagged. Tagging an application as Unsanctioned doesn’t block it by itself unless you have turned on Enforce app access in the Defender for Endpoint integration (covered in the blocking policy section later in this guide); without that, the tag only registers your intent and feeds into compliance reporting.
Step 5 – Create a policy to alert on unsanctioned app usage. Go to Cloud Apps > Policies > Policy Management > Create Policy > App Discovery Policy. Set the filter to Application Tag equals Unsanctioned, set the severity to Medium or High, and configure an email alert to your IT team or security contact. This gives you ongoing visibility without requiring daily manual checks.
Configuring Conditional Access Policies to Block Risky Apps
Conditional Access in Microsoft Entra ID (formerly Azure AD) lets you enforce access rules based on user, device, location, and application risk. For shadow IT management, the most useful policies are those that restrict access to unmanaged devices and require compliant devices for sensitive applications. One boundary to keep in mind: Conditional Access only governs sign-ins to applications that authenticate through Entra ID. It cannot see a login to a personal Dropbox or ChatGPT account, which is why Cloud Discovery and the Defender for Endpoint block remain the controls for unsanctioned third-party apps.
Require compliant device for cloud storage access. In the Entra admin centre, go to Protection > Conditional Access > New Policy. Set the users to All Users (or a pilot group to start). Under Target Resources, select Apps and choose the specific cloud storage applications you want to control – or use the “All Cloud Apps” option with exclusions for your approved tools. Under Conditions > Device Platforms, select Windows, macOS, iOS, and Android. Under Grant, select “Require device to be marked as compliant.” This ensures staff can only access approved storage platforms from managed, Intune-enrolled devices. Start the policy in report-only mode, exclude a break-glass (emergency access) account from it, and review the sign-in logs for a week before switching it on – a compliance requirement that misfires locks everyone out at once.
Block legacy authentication protocols. Legacy protocols like IMAP, POP3, and basic SMTP don’t support modern multi-factor authentication. Many older email clients and third-party tools use these protocols by default, bypassing your MFA policies entirely. Create a Conditional Access policy that blocks legacy authentication for all users – this is a low-risk, high-impact change that most Edinburgh businesses can make immediately. Microsoft has already retired Basic authentication for most Exchange Online protocols, but the policy still earns its place: SMTP AUTH was not retired, the policy covers every other workload in the tenant, and its report-only sign-in data shows you exactly which clients still rely on legacy authentication.
Restrict OAuth consent for third-party apps. In the Entra admin centre, go to Enterprise Applications > Consent and Permissions > User Consent Settings. Change the setting from “Allow user consent for apps from verified publishers” to “Do not allow user consent.” This means staff can no longer connect third-party applications to their Microsoft 365 account without IT approval. Two caveats: the change does not revoke consents users have already granted, so review the existing grants under Enterprise Applications, and staff still need a route to ask for legitimate apps. Entra ID has a built-in admin consent workflow (Consent and Permissions > Admin consent settings) that routes requests to named reviewers; a simple IT helpdesk form works just as well for most businesses.
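The three Conditional Access and consent changes above, scripted against Microsoft Graph with the Microsoft.Graph PowerShell SDK. This is an added example, not code from the original article or from Microsoft. It assumes the SDK is installed, that you run it from an account holding Conditional Access Administrator or Global Administrator, and that the placeholder `$breakGlassId` is replaced with the object ID of your emergency-access account; both policies are created in report-only mode so nothing is enforced until you review the sign-in logs.

```powershell
# Added example (not from the original article or from Microsoft): creates the two Conditional
# Access policies in report-only mode and turns off user consent for third-party OAuth apps.
# ASSUMPTIONS: Microsoft.Graph PowerShell SDK installed; $breakGlassId below is a placeholder
# for your emergency-access account's object ID and must be replaced before running.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.ReadWrite.Authorization', 'Application.Read.All', 'Directory.Read.All'

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace before running

# Policy 1: block legacy authentication. 'exchangeActiveSync' plus 'other' is how Entra ID
# represents legacy clients (IMAP, POP3, SMTP AUTH, older Office clients) in Conditional Access.
$blockLegacy = @{
    displayName   = 'Block legacy authentication (report-only)'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require an Intune-compliant device on the four desktop/mobile platforms.
# ASSUMPTION: 'All' apps is used here; replace with the app IDs of the storage apps you want
# to control if you prefer the narrower scope described in the article.
$requireCompliant = @{
    displayName   = 'Require compliant device for cloud apps (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        platforms      = @{ includePlatforms = @('windows', 'macOS', 'iOS', 'android') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

foreach ($policy in @($blockLegacy, $requireCompliant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created CA policy '$($created.DisplayName)' id=$($created.Id) state=$($created.State)"
}

# "Do not allow user consent": an empty permissionGrantPoliciesAssigned list is the Graph
# equivalent of that portal setting.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ permissionGrantPoliciesAssigned = @() }

# Verify the setting, then list consents users granted before the change - these are NOT revoked
# automatically and should be reviewed one by one.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    Select-Object ClientId, ResourceId, PrincipalId, Scope
```

Leave both policies in report-only for at least a week and check the Conditional Access insights in the sign-in logs before changing `state` to `enabled`; the break-glass exclusion is what lets you recover if the compliant-device requirement turns out to catch a device class you had not onboarded.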
Communicating Shadow IT Policies to Edinburgh Staff
Technical controls are only half the picture. Staff who don’t understand why shadow IT policies exist are more likely to work around them, find loopholes, or simply ignore guidance. The communication approach matters as much as the technical implementation.
Lead with the “why”, not the “what”. When announcing changes, don’t open with “IT is now blocking unauthorised applications.” Open with the business reason: “We handle client data that’s subject to UK GDPR and FCA regulations. Using personal tools to share that data puts our clients and our business at risk – here’s what we’re doing to help everyone work safely and efficiently.” Staff respond much better to context than to directives.
Offer approved alternatives for common needs. Shadow IT exists because staff have real needs that aren’t being met by sanctioned tools. If people are using WeTransfer to share large files, provide a supported alternative – SharePoint, OneDrive, or a dedicated secure file transfer portal. If they’re using personal WhatsApp for client communication, evaluate Microsoft Teams for external collaboration or a compliant messaging platform. Removing tools without offering replacements creates friction and resentment.
Use a phased rollout. For Edinburgh businesses with 20 to 100 staff, a phased approach works well. Start with a 30-day awareness period where you communicate the new policy and provide training but don’t enforce technically. Use this period to gather questions and identify applications staff genuinely need. Then move to a 30-day advisory period where violations generate alerts to managers but no blocking. Finally, enforce the policy with technical controls after staff have had 60 days of notice and support.
Create a simple app approval process. Staff need to know what to do when they find a tool they want to use that isn’t on the approved list. A simple one-page form or a Microsoft Forms submission asking for the tool name, business justification, and data types involved is enough. IT can review these within a standard SLA (48 hours works well for most businesses) and respond with approval, a supported alternative, or a documented reason for refusal. This turns IT from a blocker into a business enabler – which is the right positioning for any security programme.
What Microsoft Defender for Cloud Apps Actually Does
The average enterprise actively uses approximately 730 cloud applications, while IT departments remain completely blind to the vast majority, according to Netskope (2025). Shadow IT discovery within M365 exposes exactly which untrusted third-party apps your employees are connecting to corporate data.
Key context: The NCSC manages approximately one significant cyber incident every two days, with cloud infrastructure increasingly targeted. 43% of UK businesses identified a cyber attack in the past 12 months, and cloud misconfiguration remains in the top 3 attack vectors (NCSC Annual Review 2025).
For Edinburgh SMEs on M365 Business Premium, this is not a new purchase. It’s a feature included in your existing licence that most firms have never activated. The 30-day shadow IT discovery report alone justifies the activation time.
How Do You Complete Step 1: Enable Cloud Discovery in the Defender Portal?
Netskope’s Cloud Report (2025) found that up to 90.8% of cloud applications currently in use by employees are not considered enterprise-ready. In practice this means users are working around M365 controls to use third-party tools that have never been assessed. You must actively audit connected apps to close these compliance gaps.
Log in to security.microsoft.com with Global Administrator or Security Administrator credentials. Navigate to Cloud Apps in the left-hand menu, then select Cloud Discovery. If you have never used this before, the dashboard will be empty.
Click Get Started and the setup wizard walks you through initial configuration. Cloud Discovery is on by default for M365 Business Premium tenants, but data only appears once you connect a log source. An empty dashboard does not mean the feature is inactive – it means no data source is connected yet.
How Do You Complete Step 2: Connect Your Data Source?
The DSIT Cyber Security Breaches Survey (2025) shows that 43% of UK businesses identified a breach, with unauthorised app usage remaining a critical blind spot. Microsoft Defender for Cloud Apps directly addresses this by scanning your firewall logs. This allows you to sanction or block risky apps at the tenant level.
How much visibility you get depends on which data source you connect. You have two main paths.
Path A – Defender for Endpoint integration (recommended for most Edinburgh SMEs). If your devices run Microsoft Defender for Endpoint – included in Business Premium as Defender for Business – you can stream shadow IT data directly from endpoints. No firewall log configuration needed. In the Defender portal, go to Settings > Cloud Apps > Cloud Discovery > Microsoft Defender for Endpoint, and enable the integration toggle. This covers every onboarded device, on or off your office network; note that the blocking described later in this guide additionally relies on Defender network protection being enabled on those devices.

Path B – Firewall or proxy log upload. If you have a supported firewall (Cisco, Palo Alto, Fortinet, Check Point, and others are natively supported), you can configure automatic log uploads via Manage log sources in the Cloud Discovery menu. Defender for Cloud Apps parses the logs and populates the discovery report automatically.

Our finding: For Edinburgh SMEs, the Defender for Endpoint integration path gets results faster. Most firms don’t have the internal firewall expertise to configure log forwarding correctly on the first attempt, and the endpoint integration skips that complexity entirely. If your firm is on M365 Business Premium with Intune-enrolled devices, Path A is the right starting point.
How Do You Complete Step 3: Review the App Discovery Report?
Over 60% of employees admit to using unapproved software to circumvent strict IT policies, according to industry surveys. Shadow IT discovery within M365 helps you understand exactly why users bypass existing systems. You can then provide secure, Microsoft-native alternatives without hurting productivity.
Once data starts flowing – typically within 24-48 hours – the Cloud Discovery dashboard populates. You’ll see the total number of cloud apps detected, a risk score for each app, how many users are accessing each app, and total data uploaded and downloaded per app. Note the direction of the score: it runs from 0 to 10, and 10 is the best result (the app meets the most security and compliance criteria), so a low score means high risk.
The app risk score draws on more than 90 factors. Apps with scores below 5 require immediate review. Sort the app list by Users first to identify high-adoption shadow IT – an app used by 40 staff is a higher priority than one accessed by one person, regardless of risk score.
Check the IP addresses and Users tabs within each app record. These show exactly who is accessing what, and from where. For a legal or finance firm concerned about client confidentiality, this granularity is essential for risk assessment.
The first discovery report is almost always more extensive than clients expect. Edinburgh firms running their first 30-day discovery typically find 150-400 distinct cloud applications in use – compared to the 20-50 that IT managers estimated. Personal AI tools (ChatGPT, Gemini, Claude.ai), personal Dropbox and Google Drive accounts, and personal WhatsApp Web connections are the most common findings in professional services environments.
Citation capsule: Microsoft Defender for Cloud Apps scores discovered applications across 90+ risk factors including GDPR compliance, data residency, and encryption standards (Microsoft product documentation, 2025). For Edinburgh professional services firms, a 30-day cloud discovery report typically surfaces 150-400 distinct cloud applications – 5-10x more than IT managers estimate before running the audit (Virtually Pro MSP assessment, 2026).
How Do You Complete Step 4: Classify Apps as Sanctioned, Unsanctioned, or Monitored?
Microsoft (2025) reports that integrating Defender for Cloud Apps with M365 can reduce incident response times for unauthorised app usage by up to 30%. Continuous monitoring stops shadow IT from becoming a permanent threat vector. This protects your sensitive Scottish client data from accidental leaks.
Raw discovery data is useful. Classified data is actionable. Tag every discovered app with one of three statuses: Sanctioned (IT-approved apps), Unsanctioned (apps you’re blocking or intend to block), or Monitored (apps in a grey area that you’re watching but not yet ready to block).
Work through the discovered app list methodically. Start with the highest-risk apps first. A phased approach over two to three weeks is more sustainable than trying to classify everything on day one. Misclassifying and blocking a legitimate business tool can disrupt operations unexpectedly.
How Do You Complete Step 5: Set Up Blocking Policies for High-Risk Apps?
Tagging an app as Unsanctioned does not block it on its own. Enforcement comes from the Defender for Endpoint integration: in the Defender portal, go to Settings > Cloud Apps > Cloud Discovery > Microsoft Defender for Endpoint and turn on Enforce app access. Once that is on, every app tagged Unsanctioned is pushed as a block indicator to onboarded devices, and the same settings page lets you set the message users see on the block page.
To automate the tagging rather than doing it app by app, go to Cloud Apps > Policies > Policy management > Create policy > App discovery policy. Filter on the apps you want caught – for example Risk score lower than 5, or a category such as Cloud storage – and choose the governance action Tag app as unsanctioned. Two checks before you rely on the block: the devices must be onboarded to Defender for Endpoint with network protection enabled in block mode, and the block only reaches those managed devices, so personal phones and home PCs stay outside it. When a user on an onboarded device tries to access a blocked app, they see a browser block page with your customised message.
For apps you want to monitor rather than block, create a Cloud Discovery anomaly detection policy instead and alert on traffic above a threshold – for example, any single user uploading more than 500MB to a cloud storage app in 24 hours.
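The two triage rules this guide keeps coming back to – rank discovered apps by user count and then by risk score, and alert when one user pushes more than 500MB to a cloud storage app in a rolling 24 hours – run over a constructed proxy log, as an added PowerShell example. This is not code from the original article or from Microsoft, and it does not call the Defender portal: the log lines, hostnames, users, byte counts and risk scores are all made up for the example, using the same 0-10 scale (10 = lowest risk) that Defender for Cloud Apps uses.

```powershell
# Added example, not from the original article or from Microsoft. Reproduces two triage rules
# on a constructed proxy log: rank apps by users then risk, and flag >500 MB uploaded by one
# user to one cloud storage app within any rolling 24 hours.
# ASSUMPTIONS: log format, hosts, users, volumes and risk scores are invented for the example;
# real scores come from the Cloud Discovery catalogue (0-10, where 10 is the lowest risk).

# Constructed log lines: time,user,host,bytes_uploaded
$logText = @'
2025-03-03T09:12:00Z,alice@example.com,chat.openai.com,120000
2025-03-03T09:40:00Z,bob@example.com,www.dropbox.com,310000000
2025-03-03T10:05:00Z,alice@example.com,www.dropbox.com,15000000
2025-03-03T11:30:00Z,carol@example.com,chat.openai.com,80000
2025-03-03T14:00:00Z,bob@example.com,www.dropbox.com,250000000
2025-03-03T16:45:00Z,dave@example.com,wetransfer.com,900000000
2025-03-04T09:00:00Z,bob@example.com,www.dropbox.com,100000000
2025-03-04T12:00:00Z,erin@example.com,chat.openai.com,50000
2025-03-05T08:00:00Z,dave@example.com,wetransfer.com,50000000
'@

# Constructed catalogue: host -> app name, category, risk score (assumed values)
$catalog = @{
    'chat.openai.com' = @{ Name = 'ChatGPT';    Category = 'Generative AI'; Risk = 4 }
    'www.dropbox.com' = @{ Name = 'Dropbox';    Category = 'Cloud storage'; Risk = 9 }
    'wetransfer.com'  = @{ Name = 'WeTransfer'; Category = 'Cloud storage'; Risk = 6 }
}

# Parse each line into an object ($hostName is used because $host is a reserved variable)
$events = foreach ($line in ($logText -split "`n")) {
    $line = $line.Trim()
    if (-not $line) { continue }
    $t, $user, $hostName, $bytes = $line -split ','
    $app = $catalog[$hostName]
    [pscustomobject]@{
        Time     = [DateTimeOffset]::Parse($t).UtcDateTime
        User     = $user
        App      = $app.Name
        Category = $app.Category
        Risk     = $app.Risk
        BytesUp  = [int64]$bytes
    }
}

# Step 3 triage: most users first, then the lowest (riskiest) score; anything under 5 is flagged
$ranked = $events | Group-Object App | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        App         = $_.Name
        Category    = $first.Category
        Risk        = $first.Risk
        Users       = @($_.Group.User | Sort-Object -Unique).Count
        UploadMB    = [math]::Round(($_.Group.BytesUp | Measure-Object -Sum).Sum / 1MB, 1)
        NeedsReview = $first.Risk -lt 5
    }
} | Sort-Object @{ Expression = 'Users'; Descending = $true }, @{ Expression = 'Risk'; Descending = $false }
$ranked | Format-Table -AutoSize

# Step 5 monitoring rule: >500 MB from one user to one cloud storage app in any 24-hour window
$thresholdBytes = 500MB
$window = [timespan]::FromHours(24)
$alerts = $events | Where-Object Category -eq 'Cloud storage' | Group-Object User, App | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    $start = 0
    $sum = [int64]0
    for ($end = 0; $end -lt $sorted.Count; $end++) {
        $sum += $sorted[$end].BytesUp
        # drop events that fell out of the 24-hour window ending at the newest event
        while (($sorted[$end].Time - $sorted[$start].Time) -gt $window) {
            $sum -= $sorted[$start].BytesUp
            $start++
        }
        if ($sum -gt $thresholdBytes) {
            [pscustomobject]@{
                User      = $sorted[$end].User
                App       = $sorted[$end].App
                WindowEnd = $sorted[$end].Time
                UploadMB  = [math]::Round($sum / 1MB, 1)
            }
            break   # one alert per user/app pair is enough for triage
        }
    }
}
$alerts | Format-Table -AutoSize
```

On the sample data the ranking puts ChatGPT first on user count even though Dropbox is the app moving the most data, which is the point of sorting by Users before Risk; the sliding window catches a user whose uploads only cross 500MB when two sessions a few hours apart are added together, something a per-session threshold would miss. Swap `$logText` for a real proxy export and `$catalog` for the scores from your discovery report to reuse the logic.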
How Do You Complete Step 6: Configure Anomaly Detection Alerts?
Anomaly detection provides ongoing visibility even as the app landscape changes. In Policy management, select Anomaly detection policy. Microsoft pre-builds several templates worth enabling: Unusual file download (user downloads significantly more than their baseline), Unusual file share activity (bulk sharing deviating from normal patterns), Activity from anonymous IP addresses, and Impossible travel (account access from two geographically distant locations within an impossible timeframe). Note that these policies run over activity from connected apps – for a Business Premium tenant that means the Microsoft 365 connector – rather than over the discovery logs, so they tell you about misuse of your sanctioned Microsoft 365 environment, not about third-party shadow IT.
These policies use machine learning baselines personalised per user. Allow approximately 7 days for baselining before alerts reach optimal sensitivity.
Communicating With Staff After Discovery
The technical steps are the easy part. The conversation with your staff is where most Edinburgh IT managers run into difficulty.
Don’t frame shadow IT discovery as a crackdown. Staff using personal AI tools are usually solving real productivity problems. If you block those tools without addressing the underlying need, staff find workarounds that are harder to see – or use personal devices, which are outside your visibility entirely.
For every high-use app you’re blocking, identify an approved alternative. If staff are using personal ChatGPT because the firm hasn’t rolled out Microsoft Copilot, that’s an adoption problem, not just a policy problem. Create a simple app request process so staff can propose new tools through a controlled review rather than simply using them without approval.
Related Articles
- Cloud Security Guide for Edinburgh Businesses
- Shadow IT Risks for Edinburgh Businesses
- CASB Microsoft Defender for Cloud Apps
Quick Comparison
| Cloud Security Layer | Tool | Included in M365 BP | Monthly Cost |
|---|---|---|---|
| Email protection | Defender for Office 365 | Yes | Included |
| Endpoint detection | Defender for Business | Yes | Included |
| Cloud app visibility | Defender for Cloud Apps | Yes | Included |
| SIEM / advanced analytics | Microsoft Sentinel | No | From $2.46/GB |
Frequently Asked Questions
Does Microsoft 365 Business Premium include shadow IT discovery?
Yes. Microsoft Defender for Cloud Apps – a full Cloud Access Security Broker – is included with Microsoft 365 Business Premium at no additional licence cost (Microsoft product documentation, 2025). Most Edinburgh SMEs paying for Business Premium already have this capability available but haven’t activated it. It requires setup through the Microsoft Defender portal, but no additional purchase is needed.
Can Defender for Cloud Apps block personal ChatGPT?
Yes. Tag the app as “unsanctioned” and, with Enforce app access turned on in the Defender for Endpoint integration, Defender for Cloud Apps pushes a block indicator to all Defender for Endpoint-onboarded devices. Users attempting to access the blocked app see a browser-level block page. With 71% of UK employees already using unapproved AI tools (Microsoft Research, 2024), blocking personal ChatGPT while offering Microsoft Copilot as an alternative is the standard first action for Edinburgh professional services firms.
How long does shadow IT discovery take to set up?
Initial setup takes 2-4 hours for an IT manager comfortable in the Microsoft Defender portal. Data starts appearing in the Cloud Discovery dashboard within 24-48 hours of connecting your first log source. Full policy configuration and app classification typically takes 2-3 weeks of iterative work to complete properly.
What happens to staff who try to access blocked apps?
Staff see a browser-level block page when attempting to access apps tagged as unsanctioned on Defender for Endpoint-enrolled devices. The block page message is customisable – we recommend including a brief explanation and a link to request the tool through the IT approval process. This turns a potential compliance conflict into a constructive redirect.
Do I need a partner to set up Defender for Cloud Apps?
You can activate Cloud Discovery and connect data sources without external help using Microsoft’s guided wizards. However, policy configuration, app risk classification, and anomaly detection tuning significantly benefit from MSP experience – particularly if you want your discovery findings to serve as evidence for FCA PS24/16, Cyber Essentials Plus, or ICO compliance purposes.
Book Your Free Cloud Security Assessment
Want Virtually Pro to activate and configure Defender for Cloud Apps for your Edinburgh practice? Our cloud security assessment includes shadow IT discovery, app risk classification, and a findings report ready for compliance use. Book your free consultation today.
Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princess Street, Edinburgh EH2 2ER.