Shine a light on shadow apps

ConductorOne Docs

Detect and manage shadow apps

ConductorOne helps businesses manage shadow IT by detecting unauthorized apps employees use and bringing them under management.

What are shadow apps?

Shadow apps are applications and cloud services not managed or approved by the organization’s IT department that employees sign into using their corporate email. In ConductorOne, you can track the shadow apps that users sign into using their IdP credentials and bring key shadow apps under management.

IdP support and integration requirements

Google Workspace and Microsoft Entra ID are currently supported.

To use this feature, you must set up either the Google Workspace v2 integration or the Entra ID integration.

Discover shadow apps

ConductorOne monitors the OAuth scopes granted to apps when an employee’s email is used to sign into an unmanaged app. The list of these apps is shown on the Shadow apps page.

  1. In ConductorOne, open Apps and click Shadow apps.

  2. The list of discovered shadow apps is shown.

    A new shadow app is discovered whenever an employee in your organization first logs into it using their Google Workspace or Entra IdP credentials.

    When you first begin using shadow apps, you’ll see historic data from the 30 days (for Entra users) or the 180 days (for Google Workspace users) before the feature was added to your ConductorOne instance.

  3. Click the name of a shadow app to view its details, the list of users who have accessed the app, and how recently each user signed in.

    On this page you also have the option to authorize or ignore the shadow app. We’ll walk through each option below.

Authorize a shadow app

Authorizing a shadow app brings it under ConductorOne management. Once a shadow app is authorized, it is added to your list of applications in ConductorOne. You can then add it to request catalogs, include it in UAR campaigns, and work with it like any other app.

  1. On the shadow app’s details page, click Authorize.

  2. Choose an owner for the application. Setting multiple owners is allowed.

  3. Click Authorize.

    The app is removed from the list of discovered apps on the Shadow apps page and a new entry is created for it in the list on the Applications page. The shadow app’s users are mapped to ConductorOne users and shown on the Accounts tab.

    On the application’s Data sources tab, you’ll see that the shadow app feed has been added as a connector. View the log to see recent activity on the feed.

Limitations of shadow app data sources:

  1. You cannot add a shadow app as a data source to an existing application.
  2. You cannot delete a shadow app connector from an authorized shadow app.

Ignore a shadow app

You can also choose to ignore any shadow apps that aren’t a current concern.

  1. On the shadow app’s details page, click Ignore.

    Ignoring a shadow app hides it from the list of discovered shadow apps, but the shadow app will continue to accumulate usage data.

  2. To view all ignored apps, return to the Shadow apps page and click Show ignored apps.

You can authorize an ignored shadow app by navigating the the shadow app’s details page and selecting Authorize from the (more actions) menu.

Frequently asked questions about shadow apps

I just started using shadow apps, why is nothing listed on the page?

If you don’t see anything on the Shadow apps page, run a new sync of your Google Workspace v2 integration or Entra ID integration.

Why don’t I see recent logins to shadow apps made using Google Workspace credentials?

Google’s documentation on data retention and lag times states that it can take “up to a few hours” to pass OAuth login information to its endpoints. This means there might be a delay between when the login occurs and when the information appears in ConductorOne.

What happens if I delete an authorized shadow app from my list of ConductorOne applications?

The deleted app returns to the list of shadow apps, where you can ignore it or re-authorize it in the future. The app’s full history and logs are preserved.

What is a shadow app external ID and what do I do with it?

This is the ID string for the app provided by Google or Entra. You can use this string to look up the shadow app in the Google Workspace or Entra admin console and block it, if desired. To learn more, see Google’s documentation on third-party and internal app access to Google Workspace data.