Every time I walk into an organization and say “your users are copying and pasting corporate data into AI tools you don’t manage”, nobody disagrees. They just hadn’t looked.
That’s the Shadow AI problem in a nutshell. It’s not a future risk. It’s happening today, quietly, across every tenant you manage.
What Shadow AI Actually Looks Like
Picture one of your client’s accounting employees trying to get a proposal out the door faster. She’s got her personal Gmail open in Chrome, opens a new tab, logs into Claude.ai with her personal account, and uploads the draft. The proposal has client names, contract values, and internal pricing.
She isn’t trying to cause harm. She just wants to finish faster. But within 30 seconds, that data has left your client’s security perimeter, processed on a server they never vetted, through an account you have zero visibility into. No alert fires. No ticket gets created. And unless you go looking, you’ll never know it happened.
This isn’t just platforms like Claude or ChatGPT, either. Microsoft’s cloud app catalog now tracks over 1,000 generative AI applications — transcript tools, writing assistants, coding tools, meeting summarizers, and that list grows every week as existing SaaS products bolt AI features onto their platforms.
What You Need to Detect It
The good news: Microsoft has a native detection layer built into Defender for Cloud Apps, and if your clients are on Business Premium, you likely already have access to it. No third-party agents, no extra tooling.
Two boxes need to be checked:
Licensing: Microsoft Business Premium or higher (E3/E5 with Defender for Cloud Apps also qualifies). Business Standard and Basic don’t include this feature which is worth flagging during security assessments.
Device enrollment: Devices need to be enrolled in Microsoft Defender for Endpoint or Defender for Business. The discovery engine reads traffic from managed endpoints, so anything not enrolled is invisible. Important caveat for clients with mixed environments.
Once both conditions are met, Defender for Cloud Apps starts passively collecting data. No policy to write, no switch to flip.
Note: Defender for Business is the SMB-friendly version of Defender for Endpoint, included in Business Premium. If your client is on Business Premium and devices are enrolled, you’re already ready to go.
How to See It in the Portal
Head to security.microsoft.com and navigate to Cloud Apps → Cloud Discovery → Discovered Apps. Filter by category and select Generative AI.
What you’ll see is every generative AI application accessed from managed devices in that tenant, ranked by user count. Sort by users, devices, or traffic volume. The breadth is usually the first thing that surprises people, it’s rarely just ChatGPT or Claude but they usually have the highest footprint from what I’ve seen.
Click into any app for the detail view: total users, total devices, traffic volume in and out, and a list of individual users accessing it. The bytes-uploaded number is the one to pay attention to. That’s data leaving the environment. You can’t see what was uploaded, but you can see that it happened and who did it.
Each app also carries a Risk Score out of 10, based on data handling practices, compliance certifications, and security posture. A score below 5 flags red. That doesn’t mean the app is malicious, it means it hasn’t passed enterprise-grade scrutiny, and that’s the conversation to have with your client.
For developers: Microsoft has added cloud app discovery data to Microsoft Graph via a beta API endpoint. The
cloudAppDiscoveryReportanddiscoveredCloudAppDetailresources under the/betasecurity namespace let you query discovered apps, pull user lists, and build multi-tenant reporting without screen-scraping the portal. It’s in preview — don’t ship to production yet, but worth prototyping now
A Few Things to Know Before You Start
Discovery is not enforcement. This shows you what’s happening, it doesn’t block it. Blocking unsanctioned AI apps requires additional Defender for Cloud Apps policy configuration which is only available in E5 or the Defender Suite add-on for plans like Business Premium. Visibility first, enforcement second.
Personal accounts are a blind spot. If a user accesses Claude through their personal Gmail on a managed device, Defender sees traffic to claude.ai, but it can’t tell you it’s a personal account from this view alone. The data is still leaving. Keep that framing when talking to clients. There are ways you can lock this down with Claude but that’s outside the scope of this article. (will do future articles on this).
The 90-day window. Cloud Discovery data is retained for 90 days by default. Build this into your QBR rhythm with clients so the window doesn’t close without capturing a baseline.
The MSP Problem: 20+ Portals, No Time
The data exists. The problem for MSPs is that it lives in a different Defender portal for every client. Logging into 20 portals to get a picture of Shadow AI exposure across your book of business isn’t operationally realistic.
That’s exactly what we’re solving at CloudCapsule. We’re in early access right now for our Shadow AI Report — part of our holistic security assessment — which pulls Defender for Cloud Apps generative AI discovery data across all your tenants into a single view. See which clients have the most exposure, which AI apps are most prevalent, and where to start the conversation, without leaving one dashboard.
