Shadow IT is out of control at my company. I'm building a tool that auto-detects SaaS tools via SSO logs. Any sysadmins dealt with this? What would actually help?
Posted by Capital-Job-3592@reddit | sysadmin | 39 comments
Sysadmins at mid-size companies (100-500 employees) — I need your help.
I'm responsible for IT at a ~120 person company. Last month I
decided to do a full audit of what tools we're actually using.
Expected maybe 40-50 SaaS subscriptions. Found 87.
Here's what's killing me:
- IT officially manages about 35 of them
- The rest? Someone signed up with a company card, expensed it,
or used their work email and forgot about it
- We're paying for 3 different project management tools because
3 teams each picked their own
- 2 password managers — one team didn't know the other existed
- A design tool nobody has logged into in 4 months
- Something called "TeamSyncPro" for which I cannot find a single
human who uses it
I've been managing all of this in a Google Sheet. It's a
disaster. Rows are outdated the moment I add them.
So I want to know — how are YOU handling this?
- Do you have a system? Tool? Spreadsheet? Nothing?
- How often do you audit? Quarterly? Annually? Never?
- What's the biggest pain — finding the tools, tracking
usage, or getting people to actually cancel things?
- Anyone tried SSO-based detection? Like pulling app lists
from Okta or Azure AD? Does that actually catch everything?
- How do you handle the conversation with department heads?
"Hey, you're paying for 3 tools that do the same thing"
never goes well in my experience.
I'm not selling anything. I don't have a product. I'm just a
sysadmin who spent 3 days in a Google Sheet and wants to know
if there's a better way.
Thanks. 🍺
Relative_Test5911@reddit
It is really pretty simple if you just do the following:
Only set up SSO if the app is approved. Refuse to set it up if it is not.
Your company bans all non-approved SaaS and enforces this via Finance to block them.
It is not your problem; you do not support it. When tickets come in (and trust me, they will) you escalate.
Any SaaS you do not know about that can be seen in Entra (this is very easy): block it and wait till they start screaming, then tell them policy.
If your company won't comply then it is no longer your problem; forget about it and just refuse to support it when issues come up. If management tells you to support it, do so at the expense of other more important stuff.
Capital-Job-3592@reddit (OP)
This is the real problem nobody talks about. SSO catches managed apps. Finance catches expensed apps. But the engineer who spun up a personal Notion workspace for project notes, or the designer using Figma on a personal account — that's invisible until they leave and take the data with them.
I've seen one approach that kinda works: browser extension that monitors SaaS logins on company devices. But that feels invasive and probably kills trust.
Has anyone tried a less creepy detection method? Or is this genuinely unsolvable without surveillance?
Relative_Test5911@reddit
The only way to mitigate this use case is via DLP software. It isn't a foolproof catch-all, but I'm not aware of any other methods. Just need to get the fine of the DLP locked in.
ajsadler@reddit
Make a policy that states all software must go through an approval process with IT.
Give everyone a grace period (1-2 months) to make those approval requests, and then block everything else.
Capital-Job-3592@reddit (OP)
Yeah we tried the policy route. Problem is enforcement. Policy exists on paper but nobody checks. People just put it on their card and expense it. How do you actually enforce the approval process without blocking everything and pissing off the entire company?
Sillent_Screams@reddit
Policy and enforcement issue; major orgs use ServiceNow to apply for any new software and equipment.
You could design an online form system to do similar.
Your Senior Management and CEO must enforce it.
ajsadler@reddit
You need the company to support the enforcement. Breaches of a policy result in disciplinary action or termination, depending on severity.
Capital-Job-3592@reddit (OP)
Makes sense. The approval workflow part is straightforward — the hard part is getting leadership to actually enforce consequences when someone bypasses it.
Right now the culture is "ask forgiveness, not permission." People buy tools, expense them, and nobody says anything until an audit happens.
Sounds like the real fix is less about tooling and more about getting leadership to back the policy with actual consequences. Which is a people problem, not a tech problem.
Appreciate the input — this is helping me think about whether the solution is a tool or just better process enforcement.
Bright_Arm8782@reddit
Convince the accounts team not to approve the expense.
br01t@reddit
You create the policy so a user is forced to make a request and an admin must approve.
dynalisia2@reddit
How do you detect this via SSO logs? Is anyone just allowed to onboard an app on SSO? What about all the stuff that’s not on SSO?
c1u5t3r@reddit
You allow SSO to be configured by non-admins?
Capital-Job-3592@reddit (OP)
Fair point. We do have SSO admin controls but not every app goes through SSO. People sign up directly with their work email for free tiers or trials — those never touch SSO at all.
That's actually the gap I'm trying to figure out. SSO catches the managed apps. The unmanaged ones are the real shadow IT problem.
c1u5t3r@reddit
Then your tool to check SSO logs won't help you find those shadow IT apps/services.
Thick-Membership-918@reddit
Like you we use a spreadsheet and have over 100 pieces of software on it and weekly someone mentions they’ve lost access to some portal and want us to get them back in.
“Let us know what it is and in writing handover ownership to IT”
Then I add to spreadsheet. I also make sure to let the board know each quarter about how much this all costs and then they make decisions.
Capital-Job-3592@reddit (OP)
The quarterly board reporting angle is smart. How do you calculate the total cost? Just sum up what's in the spreadsheet, or do you also estimate the hidden costs like time spent managing access requests and troubleshooting unknown tools?
Also — 100+ in a spreadsheet, does anyone ever actually review the full list? Or does it just keep growing?
wrt-wtf-@reddit
Sounds like a firewall and proxy issue…
teslas_codpiece@reddit
Umm, what SSO logs are you planning to use? What software do you have writing to what SSO logs which is not also known by your admins configuring new apps in your SSO IdP?
special_rub69@reddit
OP is a clanker karma farming
Capital-Job-3592@reddit (OP)
Fair point. I was thinking Azure AD app registrations and OAuth consents — those show up even if IT didn't manually configure them. But you're right that it won't catch everything. What would you use instead?
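The Entra ID angle OP describes can be worked through offline against a log export. The script below is an added example, not code from the original post or from anyone in the thread: it takes two JSON exports in the shape of the Microsoft Graph `auditLogs/directoryAudits` and `auditLogs/signIns` records (only the fields it uses are reproduced), pulls every successful "Consent to application" event into an inventory keyed by service principal, counts successful sign-ins per app, and then flags apps that are not on an IT-managed list and apps nobody has signed into for 90 days. The records and the `IT_MANAGED` set are constructed for illustration. As several replies point out, this only sees apps that touch the tenant (OAuth consent or a federated sign-in); a personal-email Notion workspace never appears here.

```python
"""Inventory SaaS apps from exported Entra ID (Azure AD) logs.

Added example, not code from the original post. Input shape assumed: Graph
`auditLogs/directoryAudits` and `auditLogs/signIns` records; sample data below
is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed directory-audit export: one admin consent, two user consents IT
# never saw, one failed consent (ignored) and one unrelated event (ignored).
DIRECTORY_AUDITS = json.loads("""[
 {"activityDateTime": "2024-01-10T09:00:00Z", "activityDisplayName": "Consent to application", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Slack"}]},
 {"activityDateTime": "2024-02-03T14:22:00Z", "activityDisplayName": "Consent to application", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "TeamSyncPro"}]},
 {"activityDateTime": "2024-04-15T11:05:00Z", "activityDisplayName": "Consent to application", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Notion"}]},
 {"activityDateTime": "2024-04-16T08:00:00Z", "activityDisplayName": "Consent to application", "result": "failure",
  "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "RandomFileShare"}]},
 {"activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": "Update user", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
  "targetResources": [{"type": "User", "displayName": "Dave"}]}
]""")

# Constructed sign-in export. status.errorCode 0 is a successful sign-in;
# 50126 is a bad-password failure and must not count as usage.
SIGN_INS = json.loads("""[
 {"createdDateTime": "2024-08-01T08:00:00Z", "appDisplayName": "Slack", "userPrincipalName": "alice@example.com", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-08-02T09:30:00Z", "appDisplayName": "Slack", "userPrincipalName": "bob@example.com", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-02-04T16:00:00Z", "appDisplayName": "TeamSyncPro", "userPrincipalName": "alice@example.com", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-08-03T12:00:00Z", "appDisplayName": "Notion", "userPrincipalName": "bob@example.com", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-08-03T12:01:00Z", "appDisplayName": "Notion", "userPrincipalName": "carol@example.com", "status": {"errorCode": 50126}},
 {"createdDateTime": "2024-07-30T10:00:00Z", "appDisplayName": "Figma", "userPrincipalName": "dave@example.com", "status": {"errorCode": 0}}
]""")

IT_MANAGED = {"Slack", "Figma"}  # hypothetical approved list (assumption)
NOW = datetime(2024, 8, 5, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible
CONSENT_ACTIVITIES = {"Consent to application", "Add service principal"}


@dataclass
class AppRecord:
    name: str
    consented_by: set[str] = field(default_factory=set)  # UPNs that granted consent
    sign_in_count: int = 0
    last_sign_in: datetime | None = None


def _ts(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_inventory(audits: list[dict], sign_ins: list[dict]) -> dict[str, AppRecord]:
    apps: dict[str, AppRecord] = {}
    for rec in audits:
        if rec.get("activityDisplayName") not in CONSENT_ACTIVITIES or rec.get("result") != "success":
            continue
        targets = [t for t in rec.get("targetResources", []) if t.get("type") == "ServicePrincipal"]
        if not targets:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        apps.setdefault(targets[0]["displayName"], AppRecord(targets[0]["displayName"])).consented_by.add(actor)
    for rec in sign_ins:
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        app = apps.setdefault(rec["appDisplayName"], AppRecord(rec["appDisplayName"]))
        app.sign_in_count += 1
        when = _ts(rec["createdDateTime"])
        if app.last_sign_in is None or when > app.last_sign_in:
            app.last_sign_in = when
    return apps


def unmanaged_apps(apps: dict[str, AppRecord], managed: set[str]) -> list[str]:
    return sorted(name for name in apps if name not in managed)


def stale_apps(apps: dict[str, AppRecord], now: datetime, days: int = 90) -> list[str]:
    return sorted(n for n, a in apps.items() if a.last_sign_in is None or (now - a.last_sign_in).days >= days)


def report(apps: dict[str, AppRecord], managed: set[str], now: datetime, days: int = 90) -> list[str]:
    lines = []
    for name in unmanaged_apps(apps, managed):
        who = ", ".join(sorted(apps[name].consented_by)) or "no consent event (added by another route)"
        lines.append(f"UNMANAGED {name}: consented by {who}; {apps[name].sign_in_count} successful sign-ins")
    for name in stale_apps(apps, now, days):
        lines.append(f"STALE {name}: no successful sign-in in the last {days} days")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_inventory(DIRECTORY_AUDITS, SIGN_INS), IT_MANAGED, NOW)))
```

With real exports, swap the two constants for `json.load(open(...))` of the Graph responses (the `value` array) and drop the fixed `NOW`. The failed consent and the failed sign-in are deliberately in the sample: counting them would list an app nobody actually got into.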
redex93@reddit
Straight up my thought, how did it get into SSO without you being aware.
LetRoutine8851@reddit
How do you catch shadow IT when the employee is paying for it personally? It doesn't hit expense reports, doesn't hit SSO logs, doesn't hit finance data — but the workflow and sometimes the data lives in their personal account until the day they quit. Has anyone actually solved the detection side of this, or is it purely a "fix your approval process so people stop doing it" problem?
mckinnon81@reddit
Turn off Allow Enterprise App registration when they try and connect to Azure.
https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide
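The two tenant settings behind that link live in one Graph object, `GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy`: `defaultUserRolePermissions.allowedToCreateApps` (users can register applications) and `defaultUserRolePermissions.permissionGrantPoliciesAssigned` (which user-consent policy applies; an empty list means users cannot consent at all). The snippet below is an added example, not from the original thread or from Microsoft: it audits a saved copy of that object for the default-tenant weak settings and produces the body for the `PATCH` that hardens it. The `CURRENT_POLICY` document is constructed to look like an untouched tenant; only the fields used are reproduced. Applying the patch needs `Policy.ReadWrite.Authorization`, and if you disable user consent you should enable the admin consent request workflow at the same time, otherwise people have no sanctioned path and go back to personal accounts.

```python
"""Audit and harden Entra ID user app-registration / user-consent defaults.

Added example, not the thread's code. CURRENT_POLICY is a constructed copy of
GET /v1.0/policies/authorizationPolicy with only the relevant fields.
"""
import copy
import json

# Microsoft-supplied permission grant policy ids (assumption: names as documented)
LEGACY_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # users consent to anything
LOW_RISK_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-low"   # verified publishers, low-impact scopes

CURRENT_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
        "permissionGrantPoliciesAssigned": [LEGACY_CONSENT],
    },
}


def audit_authorization_policy(policy: dict) -> list[str]:
    """Return one finding per setting that lets a user add an app IT never approved."""
    perms = policy.get("defaultUserRolePermissions", {})
    findings = []
    if perms.get("allowedToCreateApps", True):  # Graph default is True
        findings.append("allowedToCreateApps=true: any user can register an app and create its service principal")
    assigned = perms.get("permissionGrantPoliciesAssigned", [])
    if LEGACY_CONSENT in assigned:
        findings.append("user consent is the legacy default: users can grant any delegated permission to any app")
    elif any(p.startswith("ManagePermissionGrantsForSelf.") for p in assigned):
        findings.append("user consent is restricted but still enabled: low-risk apps still appear without IT review")
    return findings


def hardened_patch_body(policy: dict) -> dict:
    """Body for PATCH /v1.0/policies/authorizationPolicy: no self-service app registration, no user consent."""
    perms = copy.deepcopy(policy.get("defaultUserRolePermissions", {}))
    perms["allowedToCreateApps"] = False
    perms["permissionGrantPoliciesAssigned"] = []
    return {"defaultUserRolePermissions": perms}


if __name__ == "__main__":
    for finding in audit_authorization_policy(CURRENT_POLICY):
        print("-", finding)
    print(json.dumps(hardened_patch_body(CURRENT_POLICY), indent=2))
```

Re-running the audit on the patched body is the check that the change actually closed both doors; an apps-only change (leaving `LOW_RISK_CONSENT` in place) still reports one finding.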
Khulod@reddit
- Remove local admin
- Standard OS image managed by application management tool
- Only allow trusted devices
- Implement DLP for company assets
- Single budget holder for IT
- Formal change & purchasing process vetted by architect (or equivalent)
Put the above in a business case for management, along with a risk assessment of the current implementation (security, cost) and hope they will support the initiative.
If not, await the first serious cybersecurity incident to receive support for the initiative.
Capital-Job-3592@reddit (OP)
This is the most practical breakdown I've seen. The risk assessment angle is smart — leadership responds to "here's what could go wrong" better than "here's what IS wrong."
One question — you mentioned single budget holder for IT. We have multiple departments with their own budgets that they spend on SaaS independently. How do you consolidate that without stepping on department heads' toes? That's where the political friction comes in.
Khulod@reddit
By going to management and convincing them a single person is responsible for managing the IT landscape. A CIO if you will.
accidentalciso@reddit
Push Security does this via a browser plugin. It will help find SaaS tools that don't hit your centralized identity provider. Also, get with your finance team and have them help figure out what SaaS tools are being submitted on expense reports, and who is paying for them.
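The finance side of that advice is mostly string matching on card-statement merchant names, which arrive mangled by payment processors ("SQ *TEAMSYNCPRO", "ATLASSIAN*JIRA"). The script below is an added example, not from the original thread or from any vendor: it reads a constructed expense export, strips processor prefixes, matches merchants against a small hypothetical vendor catalogue, totals spend per product, and reports products IT does not manage plus categories where more than one product is being paid for (the three project management tools in OP's post). The CSV rows, `VENDOR_CATALOG` and `IT_MANAGED` are all assumptions for illustration; a real run would swap in the expense system's export and a fuller catalogue.

```python
"""Find expensed SaaS in an expense-report export.

Added example, not the thread's code. The CSV, catalogue and managed list are
constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed expense export (assumption: columns date,employee,department,merchant,amount)
EXPENSES_CSV = """date,employee,department,merchant,amount
2024-06-03,alice@example.com,Marketing,NOTION LABS INC,96.00
2024-06-05,bob@example.com,Engineering,"Figma, Inc.",180.00
2024-06-11,carol@example.com,Design,SQ *TEAMSYNCPRO,49.00
2024-06-12,dave@example.com,Engineering,ATLASSIAN*JIRA,420.00
2024-06-15,erin@example.com,Sales,PAYPAL *MONDAYCOM,120.00
2024-06-20,frank@example.com,Marketing,ASANA.COM,131.00
2024-06-22,grace@example.com,Sales,Uber Trip,32.50
2024-07-03,alice@example.com,Marketing,NOTION LABS INC,96.00
"""

# Hypothetical catalogue: merchant-name fragment -> (product, category)
VENDOR_CATALOG = {
    "NOTION": ("Notion", "docs"),
    "FIGMA": ("Figma", "design"),
    "TEAMSYNCPRO": ("TeamSyncPro", "unknown"),
    "ATLASSIAN": ("Jira", "project management"),
    "MONDAYCOM": ("monday.com", "project management"),
    "ASANA": ("Asana", "project management"),
}
IT_MANAGED = {"Jira", "Figma"}  # hypothetical list of products IT already administers

# Common card-processor prefixes that hide the real merchant (Square, PayPal, Toast, Amazon)
PROCESSOR_PREFIX = re.compile(r"^(SQ|PAYPAL|PP|TST|AMZN)\s*\*\s*", re.IGNORECASE)


def normalise(merchant: str) -> str:
    """'SQ *TeamSyncPro' -> 'TEAMSYNCPRO', 'ATLASSIAN*JIRA' -> 'ATLASSIAN JIRA'."""
    stripped = PROCESSOR_PREFIX.sub("", merchant.strip())
    return re.sub(r"[^A-Z0-9]+", " ", stripped.upper()).strip()


def classify(merchant: str):
    """Map a raw merchant string to (product, category), or None if not a known SaaS vendor."""
    norm = normalise(merchant)
    for fragment, hit in VENDOR_CATALOG.items():
        if fragment in norm:
            return hit
    return None


def analyse(csv_text: str):
    """Totals per product, departments paying for each, products per category, unmatched merchants."""
    spend = defaultdict(float)
    buyers = defaultdict(set)
    by_category = defaultdict(set)
    unclassified = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = classify(row["merchant"])
        if hit is None:
            unclassified.append(row["merchant"])  # travel, meals, etc. stay out of the SaaS list
            continue
        product, category = hit
        spend[product] += float(row["amount"])
        buyers[product].add(row["department"])
        by_category[category].add(product)
    return dict(spend), dict(buyers), dict(by_category), unclassified


def unmanaged_products(spend: dict, managed: set) -> list:
    return sorted(p for p in spend if p not in managed)


def duplicate_categories(by_category: dict) -> dict:
    """Categories where more than one product is being paid for."""
    return {c: sorted(ps) for c, ps in by_category.items() if len(ps) > 1}


if __name__ == "__main__":
    spend, buyers, by_category, unclassified = analyse(EXPENSES_CSV)
    for product in unmanaged_products(spend, IT_MANAGED):
        print(f"UNMANAGED {product}: ${spend[product]:.2f} paid by {', '.join(sorted(buyers[product]))}")
    for category, products in duplicate_categories(by_category).items():
        print(f"DUPLICATE {category}: {', '.join(products)}")
    print("unmatched merchants:", unclassified)
```

The unmatched list is worth reviewing by hand each quarter: new vendors show up there first, and adding a fragment to the catalogue is all it takes to start tracking them.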
DistantFlea90909@reddit
Yay, more ai vibe coded slop
limlwl@reddit
The emergence of shadow IT is a failure of IT management, not sysadmins. If IT can deliver, there is no need for other departments to source their own IT solutions or services.
Capital-Job-3592@reddit (OP)
This is the realest comment on this thread.
You're right — shadow IT is a symptom. The disease is IT not being responsive enough to what departments actually need. When someone needs a project management tool and IT says "put in a ticket, we'll review in 2 weeks," they just go buy it themselves.
So the question becomes — how do you make IT faster at delivering without losing control? Because the current model is either:
Is there a middle ground? Self-service with guardrails? Pre-approved tool catalog? Or is that just fantasy?
aguynamedbrand@reddit
AI slop = downvote
Bob_Spud@reddit
A quick method of determining actual requirements is to disable everything and see who complains.
This should be preceded with the appropriate butt protection, aka authorisation.
Capital-Job-3592@reddit (OP)
Ha. The nuclear option. We actually did something similar by accident — IT blocked a few apps during a security review and suddenly 15 people came out of the woodwork saying "why can't I access [tool we didn't know existed]?"
Discovered 6 tools we had no record of in one afternoon.
Problem is the "butt protection" part. I need sign-off from leadership before I start randomly blocking things. And getting that sign-off means proving the problem exists first. Chicken and egg.
How do you get authorization for something like this without already knowing what's out there?
mahsab@reddit
Write your own post, for starters
Capital-Job-3592@reddit (OP)
the problem is real — I've been manually tracking this in a sheet for months. Just wanted input from people who actually deal with this.
jtonl@reddit
Capital-Job-3592@reddit (OP)
This is really helpful, thanks. The $100 threshold with ERP for everything else makes sense.
Follow-up — when something does go through ERP, does anyone actually check if a similar tool already exists before approving it? Or is it just "budget approved, go ahead"?
Kangie@reddit
This is a policy issue, not an IT issue. Follow up with finance and ensure that it's _not fucking permissible for people to buy software without involving IT_.
MarzipanFederal8059@reddit
Maybe start without using AI to think for you?