Shadow AI in Microsoft 365: vendor reports won't show you what's there

Microsoft will happily tell you about Copilot adoption. Your DLP vendor will produce a dashboard on Copilot data leakage. Neither will tell you that someone in finance signed up for an AI invoice-reading tool last Tuesday, clicked "allow" on the consent prompt, and granted it permission to read every mailbox in the tenant. Vendor reports show what vendors want to show. The actual shadow AI inventory is somewhere else, and finding it is a manual job.
A SaaS adoption in 2018 meant a credit card and a username. An AI tool adoption in 2026 means an OAuth grant, usually with Graph API scopes that read more than the user realises they're handing over: Mail.Read, Files.ReadWrite.All, Calendars.Read, sometimes the directory itself. Once consented, the tool runs in the cloud and polls Graph on its own schedule. The user doesn't need to be logged in. The endpoint doesn't need to call out anywhere your DNS filter can see. The tool sits inside your tenant doing its work, whether anyone remembers it's there or not.
Where shadow AI lives in your Microsoft 365 tenant
This is why M365 is the right place to start an audit. Almost every modern AI tool that touches business data gets itself authorised inside a customer's tenant. The fingerprints are there if you go looking.
Five surfaces are worth checking. Entra Enterprise Applications is the obvious one: every consented app, the permissions granted, who consented, when it was last used. If you've never audited the list, expect surprises — forgotten trials, ex-staff consents, apps with sweeping permissions nobody can explain. Power Automate is the next layer, where staff build AI workflows without involving IT, often using the OpenAI or generic HTTP connectors to pull from Outlook or SharePoint and push to a third party. The Teams app catalogue is where meeting AI tools sit — Otter, Read, Fireflies, Granola — usually with calendar and recording access. Outlook add-ins and mailbox forwarding rules are an older surface but still relevant for sales tools and transcript bots, especially for anyone customer-facing. And Graph API webhook subscriptions are the easiest to miss: any tool subscribing to mailbox or calendar changes is registered there, and PowerShell against Graph is the only reliable way to enumerate them.
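As an added example (not the author's own tooling), the following PowerShell sweeps the two surfaces above that the admin portals show worst: Graph webhook subscriptions and mailbox forwarding. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed and that the signed-in account is a directory and Exchange administrator; the cmdlets are the real ones from those modules, and the column layout of the report is this example's own choice.

```powershell
#Requires -Modules Microsoft.Graph.ChangeNotifications, Microsoft.Graph.Applications, ExchangeOnlineManagement
# Added example, not the article author's script. Assumes an admin account
# and the two modules above; emits plain PSCustomObjects so every list can
# be piped to Export-Csv for the audit report.

Connect-MgGraph -Scopes 'Subscription.Read.All', 'Application.Read.All' -NoWelcome

# --- 1. Graph webhook subscriptions ----------------------------------------
# Graph scopes what /subscriptions returns by caller: an app sees only the
# subscriptions it created, while a directory administrator signed in
# interactively gets the tenant-wide list, so run this as an admin.
$appNames = @{}
$webhooks = foreach ($s in Get-MgSubscription -All) {
    # ApplicationId is the app that owns the subscription; resolve it to a
    # display name through its service principal so the report is readable.
    if (-not $appNames.ContainsKey($s.ApplicationId)) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($s.ApplicationId)'" -ErrorAction SilentlyContinue
        $appNames[$s.ApplicationId] = if ($sp) { $sp.DisplayName } else { '<no service principal in tenant>' }
    }
    [pscustomobject]@{
        App             = $appNames[$s.ApplicationId]
        AppId           = $s.ApplicationId
        Resource        = $s.Resource            # e.g. users/{id}/messages or users/{id}/events
        ChangeType      = $s.ChangeType          # created, updated, deleted
        NotificationUrl = $s.NotificationUrl     # the third-party endpoint receiving change notices
        Expires         = $s.ExpirationDateTime  # a live tool keeps renewing this; a dead one lets it lapse
        CreatorId       = $s.CreatorId           # user or service principal that created it
    }
}
$webhooks | Sort-Object App | Format-Table -AutoSize

# --- 2. Mailbox forwarding and inbox rules that forward or redirect --------
Connect-ExchangeOnline -ShowBanner:$false

# The Delivery property set carries the forwarding attributes that the
# default Minimum set omits.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum, Delivery

# Mailbox-level forwarding: set by an admin, or by a tool granted Exchange rights.
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# User-level inbox rules: what a transcript bot or sales tool creates when the
# user sets it up from their own side. One call per mailbox, so this is the
# slow part of the sweep in larger tenants.
$ruleReport = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$ruleReport | Format-Table -AutoSize
```

The webhook list is the one to read most carefully: the `Resource` column says what is being watched, `NotificationUrl` says where the data goes, and an expiry that keeps moving forward tells you the tool is still alive even if nobody has opened it in months.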
DNS filtering catches a different layer
DNS filtering sees what an endpoint calls out to, which picks up the "user installs AI tool, AI tool phones home" pattern. It won't see anything that's been authorised in your tenant and runs entirely cloud-to-cloud. We use it as a second signal. If a tool shows up in DNS but not in your tenant audit, someone is using it without authorising it. If it shows up in your tenant audit but not in DNS, it is living in the cloud and operating quietly. Both are worth knowing about.
The honest part is that there is no single pane for any of this. You hop between Entra Admin, Power Platform Admin, Teams Admin, Defender for Cloud Apps, and a PowerShell session for Graph. Defender for Cloud Apps catalogues a lot of it, but the catalogue lags the tools. The AI sales platform that launched six weeks ago is not in the catalogue yet. The internal Power Automate flow with a custom HTTP connector to an OpenAI endpoint is not in any catalogue at all. Even with E5 licensing, the gap is real.
How we audit clients
This kind of audit is a service we offer for clients who want it, not something every tenant needs on a fixed cadence. The right rhythm depends on the size of the business, how many staff are experimenting with AI, and how sensitive the data in the tenant is. Time depends on tool sprawl: a 30-seat tenant with a tidy app list might be a couple of hours; a 120-seat tenant with three years of consents and a dozen Power Automate flows can be a full day. The output is the same either way — a report covering what is authorised, what has changed, what looks risky, and a recommendation per item: keep, restrict, or revoke. The first pass on a new client almost always finds something the business owner didn't know was there.
The point is not to block AI. Most of our clients are using it now and want to use more of it. The point is to know what has already been authorised, so the conversation about where AI fits in the business is informed rather than guessed. Governance only works if the visibility comes first. You cannot write a sensible AI policy when you do not know which tools already have access to your mailboxes.
Two structural changes worth making once
The audit is recurring work, but two settings are worth changing once and leaving in place.
The thing vendor dashboards genuinely can't tell you is whether what is in your tenant matches what should be there. That match is the audit. Until Microsoft builds it, somebody has to do it by hand.
Frequently asked questions
What is shadow AI in Microsoft 365?
Shadow AI in Microsoft 365 is any AI tool, OAuth-consented app, Power Automate flow, Teams app, or Graph webhook subscription that has been authorised inside the tenant without IT visibility. It runs cloud-to-cloud — the user does not need to be logged in for the tool to keep operating, which is why DNS filtering and endpoint controls do not catch it.
How do I audit OAuth consents in Microsoft 365?
The primary surface is Entra Admin Centre, under Enterprise Applications. Review apps with broad Graph permissions like Mail.Read, Files.ReadWrite.All, or Directory.Read.All, and cross-check who consented and when. Anything sitting unused for six months with broad scope is a candidate for revocation. Defender for Cloud Apps catalogues what it knows, but lags new tools by weeks.
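The Enterprise Applications review described here and in the surfaces section above is the part most worth scripting, because the portal shows one app at a time. The following is an added example, not the author's tooling: it pulls every delegated grant and every application permission in the tenant, flags the broad Graph scopes, and pulls the consent events and last sign-in for the flagged apps. It assumes the Microsoft Graph PowerShell SDK, an account that can read applications, permission grants, the directory and the audit and sign-in logs (sign-in logs require an Entra ID P1 or P2 licence), and the list of "broad" scopes is this example's own choice rather than a Microsoft classification.

```powershell
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
# Added example, not the article author's script. Assumes an admin account
# with the scopes requested below; the $broad list is constructed for this
# example and should be extended to match your own risk appetite.

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All',
                        'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

# Scopes that reach across the tenant, or a whole mailbox or drive, rather
# than a single item. Constructed list.
$broad = @('Mail.Read', 'Mail.ReadWrite', 'Files.Read.All', 'Files.ReadWrite.All',
           'Sites.Read.All', 'Sites.ReadWrite.All', 'Calendars.Read',
           'Directory.Read.All', 'User.Read.All')

$sps    = Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, AppRoles, PublisherName
$spById = @{}
foreach ($sp in $sps) { $spById[$sp.Id] = $sp }

# --- Delegated permissions: the app acts as a user, within that user's rights.
# ConsentType 'Principal' is one user's consent (PrincipalId is that user);
# 'AllPrincipals' is admin consent on behalf of everyone.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    [pscustomobject]@{
        App         = $spById[$g.ClientId].DisplayName
        AppId       = $spById[$g.ClientId].AppId
        Publisher   = $spById[$g.ClientId].PublisherName
        Kind        = 'Delegated'
        ConsentType = $g.ConsentType
        ConsentedBy = $g.PrincipalId
        Resource    = $spById[$g.ResourceId].DisplayName
        Scopes      = @($g.Scope -split ' ' | Where-Object { $_ })
    }
}

# --- Application permissions: the app runs on its own, with no signed-in user.
# These are app role assignments on the client SP; the role id maps to a
# permission name through the resource SP's AppRoles. One call per SP, so
# this is the slow loop, and first-party Microsoft SPs appear here as noise.
$appOnly = foreach ($sp in $sps) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = $spById[$a.ResourceId]
        $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{
            App = $sp.DisplayName; AppId = $sp.AppId; Publisher = $sp.PublisherName
            Kind = 'Application'; ConsentType = 'AllPrincipals'; ConsentedBy = $null
            Resource = $resource.DisplayName
            Scopes   = @($role.Value)
        }
    }
}

# Flag any grant whose scopes intersect the broad list.
$report = foreach ($row in @($delegated) + @($appOnly)) {
    $hits = @($row.Scopes | Where-Object { $broad -contains $_ })
    $row | Add-Member -NotePropertyName BroadScopes -NotePropertyValue ($hits -join ' ') -PassThru
}

# "Who consented and when" for admin consents lives in the directory audit
# log, not on the grant object itself.
$consentEvents = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application'" |
    Select-Object ActivityDateTime,
                  @{ n = 'By';  e = { $_.InitiatedBy.User.UserPrincipalName } },
                  @{ n = 'App'; e = { $_.TargetResources[0].DisplayName } }

# Last interactive sign-in through each flagged app. Sign-in log retention is
# a matter of weeks, so this proves recent use; proving six months of disuse
# needs the logs exported somewhere durable (Log Analytics or a SIEM).
$lastSeen = @{}
foreach ($appId in ($report | Where-Object BroadScopes | Select-Object -ExpandProperty AppId -Unique)) {
    $s = Get-MgAuditLogSignIn -Filter "appId eq '$appId'" -Top 1 -ErrorAction SilentlyContinue
    $lastSeen[$appId] = if ($s) { $s.CreatedDateTime } else { $null }
}

$report |
    Where-Object BroadScopes |
    Select-Object App, Publisher, Kind, ConsentType, Resource, BroadScopes,
                  @{ n = 'LastSignIn'; e = { $lastSeen[$_.AppId] } } |
    Sort-Object LastSignIn |
    Format-Table -AutoSize
$consentEvents | Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Read the two kinds of grant differently: a delegated `Mail.Read` is bounded by the consenting user's own mailbox, whereas the same name as an application permission is every mailbox in the tenant with no user in the loop, which is the case the article's finance example describes. An empty `LastSignIn` on an application permission is not evidence of disuse, because app-only access never produces an interactive sign-in; for those, the Graph webhook list and the audit log are the better signals.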
Can Microsoft Defender for Cloud Apps detect all shadow AI?
No. Defender for Cloud Apps catalogues thousands of SaaS and AI providers and does the heavy lifting on classification and risk scoring, but two categories slip through: AI tools that launched too recently to be in the catalogue, and custom Power Automate flows or HTTP-connected workflows calling AI endpoints directly. A complete audit needs Defender plus a manual sweep of Enterprise Applications, Power Automate, Teams app catalogue, and Graph webhook subscriptions.
How often should we audit shadow AI in our Microsoft 365 tenant?
The first audit on a new tenant almost always finds something the business did not know was there — that is the baseline. After that, quarterly is the right cadence for most 30-150 seat businesses. The point of the recurring review is not to find every tool from scratch; it is to find what has changed since the baseline.
