Shadow IT is the software and accounts your employees adopt without telling anyone. Here is why it matters and four practical steps to get a handle on it without blaming your team.
Somewhere in your business, an employee signed up for a free tool to get something done and never mentioned it to anyone. That is shadow IT, and almost every company has it.
What shadow IT actually looks like
Shadow IT (software, apps, and accounts that employees adopt without any approval process) is rarely malicious. It is usually just practical. Someone needs to convert a PDF, share a large file with a client, or track leads, and the company does not have an obvious solution. So they sign up for something free in five minutes and get on with their day.
Common examples at a 20-person business:
- A free online file-converter that asks for access to your Microsoft or Google account to function
- A personal Dropbox or Google Drive used to send work files because emailing them felt clunky
- A trial CRM (customer relationship management) tool someone tested and then forgot about
- A messaging or project app a small team started using without looping in anyone else
None of these are automatically catastrophic. But they create a category of risk that is difficult to manage because, by definition, you do not know the apps are there.
Why it is a real problem
Company data ends up in places you never reviewed. When a customer list goes into a free trial CRM, that data is now subject to that vendor's security practices — not yours. If that vendor has a breach, your data is in it.
Apps hold on to access long after they are useful. Most apps that connect to Microsoft 365 are granted permission once, and that permission does not expire automatically. An employee who signed up for something two years ago, used it for a month, and then forgot about it may have left an active connection to your company email sitting open. If that vendor's security is weak, or the app is abandoned, that connection is a door.
Offboarding misses them. When an employee leaves and you remove their Microsoft 365 account, you likely catch their email and Teams access. You probably do not catch the three apps they connected with their work credentials, which may still have their own copies of your files or contacts.
Four practical steps — without making your team feel like suspects
The goal is not to lock everything down. It is to have visibility and a simple process so someone knows what is connected and why.
- Make it easy to request tools. If getting a new app approved takes two weeks, people will work around it. A quick message to the right person is enough — the point is that someone knows.
- Check which apps have access to your Microsoft 365. In the Microsoft 365 admin center, there is a list of every third-party application that has been granted permissions to your tenant. Most business owners have never looked at it. Some entries will be things you recognize; others will be surprises.
- Decide who can approve new app permissions. By default in Microsoft 365, any employee can click 'Accept' on a permission prompt and grant an app access to their email, files, or calendar. Changing that so admin approval is required means one person sees everything that gets connected.
- Review and revoke periodically. Apps that nobody is actively using should have their access removed. It takes a few minutes and closes connections that have no reason to stay open.
The honest reason this is hard
Shadow IT is not really a technology problem — it is a workflow problem. People adopt tools because they are solving a real problem, and formal approval processes can feel disproportionate for a small team. The answer is not elaborate policies. It is lowering the barrier to asking, so asking becomes the default.
Tenant Strike reads the list of apps connected to your Microsoft 365 tenant and surfaces anything that looks unusual or overly permissioned — the kinds of connections that often go unreviewed for months or years. It takes about five minutes and does not change anything itself.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.