Shadow IT Discovery During Post-Merger Integration: Finding What Nobody Documented

How to discover shadow IT during post-merger integration — practical techniques using CASB, sign-in logs, and expense analysis to find undocumented systems and bring them under governance.

Every enterprise has shadow IT. During a merger, the problem doubles — because you now have two organisations' worth of undocumented systems, unapproved SaaS tools, and departmental technology decisions that bypassed IT governance entirely.

The average enterprise uses 3-4× more SaaS applications than IT knows about. Post-merger, that ratio gets worse before it gets better. This post describes how to find what nobody documented and bring it under governance without disrupting the business.

Why Shadow IT Is an M&A Problem

Pre-Merger Shadow IT

Both companies have existing shadow IT. Common examples:

  • Marketing running campaigns on an unapproved email platform with full customer data
  • Engineering teams using personal GitHub accounts for company code
  • Finance departments with SaaS tools that hold sensitive financial data
  • HR using third-party assessment tools with employee PII

Merger-Induced Shadow IT

The merger itself creates new shadow IT:

  • Teams adopt collaboration tools because IT has not yet unified communication platforms
  • Departments spin up project management tools to coordinate cross-company work
  • Engineers create shared cloud accounts to collaborate across company boundaries
  • Sales teams share customer data through unapproved file-sharing services

Discovery Technique 1: CASB Network Analysis

Microsoft Defender for Cloud Apps

Configure Defender for Cloud Apps to analyse network traffic logs from firewalls and proxies.

The Cloud Discovery dashboard categorises every external service accessed by employees and scores risk based on:

  • Security certifications (SOC 2, ISO 27001)
  • Data encryption practices
  • Data ownership terms
  • Account termination policies
  • Legal jurisdiction

What you will find: Typically 200-400 unique cloud services in use, of which 50-70% were unknown to IT.

Prioritisation

Sort discoveries by:

  1. Data sensitivity — Services handling customer data, financial data, or PII
  2. User count — Widely adopted tools are higher priority than one-person experiments
  3. Risk score — Services with poor security posture or concerning ToS
  4. Redundancy — Services that duplicate approved tool functionality

Discovery Technique 2: Entra ID Sign-In and Consent Logs

OAuth Application Consent

Users consent to OAuth applications that access company data (email, calendar, files). These appear in Entra ID:

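PowerShell
# Requires the Microsoft Graph PowerShell SDK and read access to the directory
Connect-MgGraph -Scopes "Directory.Read.All"

# List all OAuth2 permission grants (ConsentType AllPrincipals = admin consent for the whole tenant)
Get-MgOAuth2PermissionGrant -All | Select-Object ClientId, ConsentType, Scope, PrincipalId

# List enterprise applications (service principals tagged as integrated apps)
Get-MgServicePrincipal -Filter "tags/any(t: t eq 'WindowsAzureActiveDirectoryIntegratedApp')" -All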

What to look for:

  • Applications with Mail.Read, Files.ReadWrite.All, or User.Read.All permissions
  • Applications consented by many users (indicates widespread adoption)
  • Applications from unknown publishers
  • Applications with admin consent (highest risk)
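
The checklist above can be applied mechanically once the grants are exported. The following is an added example, not code from the original post: it assumes the output of the two cmdlets has been saved as JSON (property names as the Graph PowerShell SDK emits them) and uses constructed sample records, application names and IDs.

```python
import json
from collections import defaultdict

# Scopes the post calls out for closer review.
HIGH_RISK_SCOPES = {"Mail.Read", "Files.ReadWrite.All", "User.Read.All"}
# Constructed sample data, shaped like ConvertTo-Json output of the two cmdlets (assumption).
GRANTS = json.loads("""[
 {"ClientId": "sp-crm", "ConsentType": "AllPrincipals", "PrincipalId": null, "Scope": "User.Read.All Files.ReadWrite.All"},
 {"ClientId": "sp-notes", "ConsentType": "Principal", "PrincipalId": "u1", "Scope": " User.Read Mail.Read"},
 {"ClientId": "sp-notes", "ConsentType": "Principal", "PrincipalId": "u2", "Scope": "Mail.Read"},
 {"ClientId": "sp-notes", "ConsentType": "Principal", "PrincipalId": "u3", "Scope": "User.Read"},
 {"ClientId": "sp-cal", "ConsentType": "Principal", "PrincipalId": "u1", "Scope": "User.Read Calendars.Read"}
]""")
SERVICE_PRINCIPALS = json.loads("""[
 {"Id": "sp-crm", "DisplayName": "Example CRM Sync", "VerifiedPublisher": {"DisplayName": "Example CRM Ltd"}},
 {"Id": "sp-notes", "DisplayName": "Example Notes", "VerifiedPublisher": {"DisplayName": null}},
 {"Id": "sp-cal", "DisplayName": "Example Calendar Helper", "VerifiedPublisher": null}
]""")

def triage_grants(grants, service_principals):
    """Collapse per-user grants into one row per application, riskiest first."""
    names = {sp["Id"]: sp for sp in service_principals}
    apps = defaultdict(lambda: {"users": set(), "scopes": set(), "admin": False})
    for g in grants:
        app = apps[g["ClientId"]]  # ClientId is the service principal's object ID
        app["scopes"].update((g.get("Scope") or "").split())
        if g["ConsentType"] == "AllPrincipals":  # admin consent on behalf of every user
            app["admin"] = True
        elif g.get("PrincipalId"):
            app["users"].add(g["PrincipalId"])
    rows = []
    for client_id, a in apps.items():
        sp = names.get(client_id, {})
        publisher = (sp.get("VerifiedPublisher") or {}).get("DisplayName")
        rows.append({
            "app": sp.get("DisplayName", client_id),
            "admin_consent": a["admin"],
            "user_count": len(a["users"]),
            "risky_scopes": sorted(a["scopes"] & HIGH_RISK_SCOPES),
            "verified_publisher": publisher,  # None means no verified publisher on record
        })
    # Admin consent first, then number of sensitive scopes, then adoption.
    rows.sort(key=lambda r: (r["admin_consent"], len(r["risky_scopes"]), r["user_count"]), reverse=True)
    return rows

if __name__ == "__main__":
    for row in triage_grants(GRANTS, SERVICE_PRINCIPALS):
        print(row)
```
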

Sign-In Logs Analysis

Kusto
// KQL query in Log Analytics — find non-Microsoft app sign-ins
SigninLogs
| where TimeGenerated > ago(90d)
| where AppDisplayName !startswith "Microsoft" and AppDisplayName !startswith "Office"
| summarize UserCount = dcount(UserPrincipalName), SignInCount = count() by AppDisplayName, AppId
| order by UserCount desc
| take 50

Discovery Technique 3: Financial Analysis

Expense Report Mining

SaaS tools are often purchased on corporate credit cards or through expense reports. Work with Finance to:

  1. Export all expense reports from the last 12 months
  2. Filter for software, subscriptions, and technology vendors
  3. Cross-reference against the approved software catalogue
  4. Identify recurring charges to unknown vendors
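
The four steps above, as an added example that is not part of the original post: it assumes the finance export is a CSV with `date`, `employee`, `category`, `vendor` and `amount_eur` columns, and the vendor names, approved catalogue and amounts are constructed. Vendor strings are reduced to their first meaningful word, which is a deliberate simplification for card-statement noise.

```python
import csv
import io
import re
from collections import defaultdict
from decimal import Decimal

# Constructed stand-ins for the approved software catalogue and the finance export.
APPROVED_VENDORS = {"microsoft", "atlassian"}
SOFTWARE_CATEGORIES = {"software", "subscriptions", "technology"}
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "gmbh", "bv", "sa"}
SAMPLE_EXPENSES = """\
date,employee,category,vendor,amount_eur
2024-01-05,a.jones,Software,EXAMPLEBOARD INC,96.00
2024-02-05,a.jones,Software,ExampleBoard Inc.,96.00
2024-03-05,b.smith,Subscriptions,EXAMPLEBOARD*PRO,120.00
2024-01-12,c.lee,Software,MICROSOFT IRELAND,300.00
2024-02-12,c.lee,Software,MICROSOFT IRELAND,300.00
2024-03-12,c.lee,Software,MICROSOFT IRELAND,300.00
2024-02-20,d.kim,Software,SAMPLEMAIL LTD,49.00
2024-01-15,a.jones,Travel,EXAMPLE AIR,410.00
"""

def vendor_key(raw):
    """Reduce a card-statement vendor string to its first meaningful word."""
    words = re.sub(r"[^a-z0-9]+", " ", raw.lower()).split()
    words = [w for w in words if w not in LEGAL_SUFFIXES]
    return words[0] if words else ""

def unapproved_recurring(csv_text, approved=APPROVED_VENDORS, min_months=3):
    """Return {vendor: stats} for unapproved vendors billed in >= min_months distinct months."""
    seen = defaultdict(lambda: {"months": set(), "buyers": set(), "total_eur": Decimal("0")})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["category"].strip().lower() not in SOFTWARE_CATEGORIES:
            continue  # step 2: keep software, subscription and technology spend only
        key = vendor_key(row["vendor"])
        if not key or key in approved:
            continue  # step 3: drop vendors already in the approved catalogue
        seen[key]["months"].add(row["date"][:7])  # YYYY-MM
        seen[key]["buyers"].add(row["employee"])
        seen[key]["total_eur"] += Decimal(row["amount_eur"])
    return {  # step 4: recurring charges to vendors IT does not know
        vendor: {"months": len(s["months"]), "buyers": len(s["buyers"]), "total_eur": s["total_eur"]}
        for vendor, s in seen.items() if len(s["months"]) >= min_months
    }

if __name__ == "__main__":
    print(unapproved_recurring(SAMPLE_EXPENSES))
```
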

Procurement Records

Check departmental procurement for direct purchases that bypassed IT approval. Marketing and Sales departments are the most common sources of unsanctioned technology purchases.

Discovery Technique 4: DNS and Endpoint Analysis

DNS Query Logs

If your DNS infrastructure logs queries, analyse traffic patterns:

  • Resolve domain names to services (e.g., app.notion.so → Notion)
  • Identify services accessed frequently by many endpoints
  • Look for data exfiltration indicators (high upload volume to unknown services)
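
A sketch of the first two bullets, added here as an example and not taken from the original post: it assumes a resolver log with one `timestamp client_ip qname` entry per line, and the log lines, the sanctioned list and most of the suffix map are constructed. Upload volume is not visible in DNS logs, so the third bullet needs proxy or firewall data and is not covered.

```python
from collections import defaultdict

# Suffix-to-service map. notion.so and Dropbox appear in the post; the rest is constructed.
SERVICE_SUFFIXES = {"notion.so": "Notion", "dropbox.com": "Dropbox", "sharepoint.com": "SharePoint"}
SANCTIONED = {"SharePoint"}  # assumed approved catalogue

# Constructed resolver log: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.0.1.11 app.notion.so.
2024-03-01T09:00:07Z 10.0.1.12 www.notion.so.
2024-03-01T09:01:15Z 10.0.1.11 api.notion.so.
2024-03-01T09:02:40Z 10.0.1.13 contoso.sharepoint.com.
2024-03-01T09:03:02Z 10.0.1.12 files.example-share.test.
2024-03-01T09:03:30Z 10.0.1.14 files.example-share.test.
2024-03-01T09:04:11Z 10.0.1.14 notnotion.so.
"""


def service_for(qname):
    """Match on whole labels so notnotion.so is not mistaken for notion.so."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):  # longest suffix first
        service = SERVICE_SUFFIXES.get(".".join(labels[i:]))
        if service:
            return service
    return None


def summarise(log_text):
    """Return (unsanctioned service -> endpoint count, unmapped domain -> endpoint count)."""
    services, unmapped = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        service = service_for(qname)
        if service is None:
            # Last two labels as a rough domain; a public suffix list is more accurate.
            domain = ".".join(qname.rstrip(".").lower().split(".")[-2:])
            unmapped[domain].add(client)
        elif service not in SANCTIONED:
            services[service].add(client)
    return ({s: len(c) for s, c in services.items()},
            {d: len(c) for d, c in unmapped.items()})
```

Unmapped domains reached by many endpoints are the candidates to add to the suffix map or to investigate as unknown services.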

Endpoint Software Inventory

Use Intune or SCCM to inventory installed applications on managed endpoints. Look for:

  • VPN clients (personal VPN usage indicating data routing concerns)
  • Cloud storage sync clients (Dropbox, personal OneDrive, Google Drive)
  • Remote desktop tools (TeamViewer, AnyDesk)
  • Development tools that may indicate code storage outside approved repositories

The AMRR Classification Framework

For every discovered system, classify it:

Adopt

The tool meets a real need, is secure, and can be brought under IT governance. Add it to the approved catalogue, negotiate an enterprise agreement, configure SSO with Entra ID, and apply data loss prevention policies.

Migrate

The tool holds valuable data but does not meet security or compliance requirements. Export data to an approved alternative, assist users in transitioning, and set a decommission date.

Retire

The tool is no longer needed or duplicates approved functionality. Export any needed data, notify users, and decommission. Provide clear alternatives.

Replace

The tool meets a real need but is unsuitable for enterprise use. Procure an approved alternative that meets the same use case, then migrate users.

Governance After Discovery

Discovery is not a one-time event. Build ongoing shadow IT governance:

  1. Continuous CASB monitoring — Weekly reports on new cloud services detected
  2. Admin consent workflow — Require admin approval for OAuth application consent
  3. Procurement policy — All SaaS purchases above EUR 100/month require IT review
  4. Quarterly access review — Review enterprise applications in Entra ID quarterly
  5. Self-service catalogue — Make it easy to request approved tools. If the official process is a 6-week procurement cycle, people will buy tools on their credit card.

The goal is not to block shadow IT — it is to make the governed path easier than the ungoverned path.


Dealing with shadow IT in a post-merger environment? Contact us — we help enterprises discover, classify, and govern the technology nobody documented.

Frequently Asked Questions

Mergers create uncertainty — IT policies are unclear, approval processes are in flux, and teams adopt tools to maintain productivity. Combined with the acquiree's existing shadow IT that was never governed, the total hidden footprint can be 3-5× what official IT inventories show.
