We all know shadow IT is rampant in our companies. Line of business (LOB) employees bring their own devices into the workplace, along with apps and SaaS services that IT didn't approve or, more importantly, doesn’t even know about. But this reality actually creates an opening for IT to change how it is perceived – for the better.

It’s true: shadow IT creates risks for the company. Employees can expose core business data to unsecured services, and if they leave the company, so do these assets. But the LOB employees aren't circumventing IT maliciously. They're trying to get their job done and typically bring in these services because they help them do that. Recognizing this mindset is what creates the opportunity for IT to shift from being the Department of “No, you can't do that,” to the Department of “Know how, you can do that and still protect the company.”

In my last blog post I talked about how IT can start to change this perception by publishing a cloud-first policy that says to the company – we're ok with the use of cloud services. In fact, we can help you use them more efficiently.

But can you really? And do you really know what SaaS services your employees are using?

Our Enterprise Mobility Suite can help you answer this question. A key feature of the suite is the Cloud App Discovery feature of Azure Active Directory Premium, which lets you track what outgoing traffic leaves your company firewall and where that traffic is going. Cloud App Discovery acts as a perimeter audit, helping you identify which SaaS applications are being used by your employees and, I hate to tell you, the number will be higher than you think. In my prior role at Forrester Research, one of our pharmaceutical clients conducted this audit and, going into it, thought they would find between 40 and 60 SaaS accounts being used. The final number: over 600. Yep, shadow IT is rampant.

But once you have identified all the SaaS apps your company is using, the wrong thing to do is to build a blacklist of those applications and block that traffic. While that might be your first instinct (after all, each connection could be critical data leaving the company walls), such a move will just reinforce the belief that IT isn't on board with the cloud and drive more shadow IT behavior.

What you want to do instead is use this information to open a dialogue with your employees about how and why they are using these applications. And by the way, make it very clear that you are not asking so you can shut it down. Your approach should be to learn, understand and help them use these services safely.

What you will learn by taking this approach is the business case for these SaaS applications and mobile apps. And understanding the business case helps you learn what your employees are trying to accomplish. You will inevitably find that in many cases they are using services that overlap with capabilities you provide to them. Again, your first instinct may be wrong – no, you should not take that opportunity to convert them back to the IT-approved service. Instead, take the opportunity to learn why they aren't using the service IT currently offers. Is it a user experience issue? Is there a lack of training? Is there a capability the IT offering doesn't provide?

What may just surprise you is that the service they brought in does the job better and, at least for their use case, is a better fit for their needs. In these cases, you can take the IT/LOB relationship to the next level by approving their service and taking it off their hands (and their credit card). By utilizing additional capabilities of the Enterprise Mobility Suite, including single sign-on to the SaaS app and the ability to protect the contents of data people may access on their personal mobile devices, your organization can benefit from the best of both worlds – IT’s capability to protect the business, while enabling and encouraging user productivity. In other words, creating a true partnership between IT and users.

Of the 600 SaaS accounts the above pharmaceutical firm found in its perimeter audit, they found several common use cases and lots of overlapping personal accounts. To bring those applications under control, they bought corporate accounts on these services, brought those applications under IT control through their single sign-on service and went back to the employees who were now champions of IT engagement.

Take these actions and you might just hear, “IT actually listened to my use case, looked at the app I was using and agreed that it was a better fit for our needs. They're a joy to work with.” And by providing the employee with a “free” (off their credit card) and managed account on the same service, there was little resistance to migrating company data from their personal SaaS account to the business version.

This whole scenario is made possible using the Microsoft Enterprise Mobility Suite and you can start your journey to the Dept. of Know How today.
