How to Detect SaaS Applications That Bypass Your SSO
- Martin Snyder

If you’re seeing surprise apps in your audit logs or invoices, you’re probably dealing with tools that bypass your SSO—via local passwords, personal accounts, or “Sign in with …” consents. Waldo Security discovers every SaaS app and account in minutes, flags services operating outside SSO/MFA, and centralizes OAuth grants so you can right-size permissions and revoke risky tokens fast. Start with Instant SaaS Discovery, then export audit-ready proof from our SaaS Compliance Overview.
Why SSO bypass keeps winning
Users can grant access without IT. Modern IdPs allow user consent to third-party apps; that’s great for productivity but easy for unsanctioned tools to slip in—often with broad scopes or offline_access for persistence. Microsoft’s guidance details how to limit user consent and require admin review. (Microsoft Learn)
Credential-driven attacks love unmanaged apps. The 2025 Verizon DBIR reports that stolen credentials dominate basic web-app breaches, so any app outside SSO/MFA is a soft target. (Verizon)
Your portfolio is bigger than you think. Okta’s 2025 “Businesses at Work” shows the global average now tops 100 apps per customer—that’s a lot of places to miss SSO. (Okta)
Shadow AI accelerates bypass. GenAI tools and plug-ins often run under personal accounts or browser sessions, sidestepping corporate identity. Netskope’s 2025 research shows most genAI use is shadow IT. (Netskope)
Bottom line: SSO is necessary, not sufficient. You need detection for what slips around it.
The detection blueprint (works this month, not just on paper)
1) Build a ground-truth inventory (the non-negotiable step)
Combine signals from your IdP, email suites, network/DNS/proxy, browser extensions, and expense data into one deduped list of apps, tenants, and accounts. Tag each app with owner, department, auth method (SSO vs local), admin count, and OAuth scopes. This mirrors CISA’s guidance: inventory + least privilege + logging are the bedrock of cloud/SaaS security. (CISA)
With Waldo: Discovery correlates these sources automatically and highlights apps/users operating outside SSO/MFA.
2) Find non-SSO authentications in your identity logs
Microsoft Entra / Okta: Filter sign-ins for applications that are not in your SSO catalog, or where the user's authentication method is password-only.
Flag multi-tenant apps provisioned by user consent (common for OAuth logins). Entra docs show how to restrict apps to specific users/groups and tune consent policies. (Microsoft Learn)
3) Audit OAuth grants for persistence + blast radius
Pull all OAuth consents (Graph/Workspace/Slack/GitHub, etc.).
Prioritize grants with *.ReadWrite.All or other tenant-wide scopes plus offline_access (long-lived refresh tokens).
Kill unused or unverified-publisher grants; require admin approval for high-risk scopes going forward. Microsoft’s consent model makes these controls explicit. (Microsoft Learn)
4) Correlate traffic that never touches your IdP
Use proxy/DNS to find domains of known SaaS that have no corresponding SSO events.
Cross-check expense data (card charges, invoices) to spot paid tools your IdP never saw.
Review browser extension inventories for AI assistants and plug-ins that move data off-platform. Netskope’s trend data is a good baseline for what to expect. (Netskope)
5) Validate “public link” exposure
Even when SSO is in place, apps can leak via public links or guest shares. Search for org-wide public sharing in collaboration suites and alert on new external links in sensitive workspaces.
Practical queries & tells (copy these ideas)
“Apps with users but no SSO”: JOIN sign-in logs (IdP) ON app_id LEFT JOIN app_catalog; WHERE app_catalog.sso_enforced = false AND signins.count > 0
“Grants with persistence + breadth”: Filter OAuth grants: scope CONTAINS ("offline_access") AND scope MATCHES (".*ReadWrite.All|mail.send|files.content.write")
“Never-seen SSO domains with spend”: WHERE proxy.domain IN (SaaS_known) AND NOT EXISTS (IdP_signin[domain]) AND EXISTS (Expense[domain])
“GenAI usage via personal accounts”: Look for consumer domains (e.g., gmail.com) in OAuth client IDs or referrers; compare against the enterprise allowlist.
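The following is an added example (not Waldo's code, and not from the original post) that turns blueprint steps 2 to 4 and the first three pseudo-queries above into runnable checks over constructed sample data: sign-in events, an app catalog, OAuth grants, proxy domains and expense domains are all made up for illustration, and the scope regex is the one quoted in the "Grants with persistence + breadth" query.

```python
import re
from collections import Counter

# Constructed sample inputs (not real tenant data).
SIGNINS = [
    {"app_id": "app-crm", "user": "alice@example.com", "method": "password"},
    {"app_id": "app-crm", "user": "bob@example.com", "method": "password"},
    {"app_id": "app-wiki", "user": "alice@example.com", "method": "saml"},
    {"app_id": "app-chat", "user": "dave@example.com", "method": "password"},
]
APP_CATALOG = {
    "app-wiki": {"sso_enforced": True},
    "app-crm": {"sso_enforced": False},
    # "app-chat" is deliberately absent: an app IT never catalogued.
}
GRANTS = [
    {"app": "calendar-sync", "scope": "Calendars.Read offline_access"},
    {"app": "mail-helper", "scope": "Mail.ReadWrite.All offline_access"},
    {"app": "file-bot", "scope": "files.content.write"},
]
PROXY_DOMAINS = {"notes.example-saas.test", "wiki.example-saas.test"}  # known SaaS seen on proxy
IDP_DOMAINS = {"wiki.example-saas.test"}                               # domains with SSO events
EXPENSE_DOMAINS = {"notes.example-saas.test"}                          # domains with card spend

# Scope pattern from the "persistence + breadth" query; case-insensitive like most scope names.
BROAD_SCOPE = re.compile(r".*ReadWrite\.All|mail\.send|files\.content\.write", re.I)


def apps_without_sso(signins, catalog):
    """Apps with sign-ins that are not SSO-enforced in the catalog, absent from it,
    or reached with a password-only authentication method."""
    counts = Counter(s["app_id"] for s in signins)
    password_only = {s["app_id"] for s in signins if s["method"] == "password"}
    return sorted(app for app, n in counts.items()
                  if n > 0 and (not catalog.get(app, {}).get("sso_enforced", False)
                                or app in password_only))


def risky_grants(grants):
    """Grants that pair offline_access (refresh tokens) with a broad or write scope."""
    flagged = []
    for g in grants:
        scopes = g["scope"].split()
        if "offline_access" in scopes and any(BROAD_SCOPE.fullmatch(s) for s in scopes):
            flagged.append(g["app"])
    return flagged


def paid_domains_never_seen_by_idp(proxy, idp, expense):
    """SaaS domains seen on the proxy and in expenses but with no IdP sign-in."""
    return sorted((proxy & expense) - idp)
```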
Close the loop: fix fast, prove it happened
Set stronger consent policies. Limit end-user consent to low-risk scopes and verified publishers; require admin approval for high-privilege or multi-tenant apps. (Microsoft documents the knobs to do exactly this.) (Microsoft Learn)
Enforce SSO/MFA where it counts. Start with high-sensitivity apps and time-box admin elevation. DBIR data shows credential misuse is the dominant pattern—MFA + SSO close the biggest door first. (Verizon)
Automate offboarding across the long tail. Revoke refresh tokens, remove consents, and transfer data ownership on HR events, not just for your big suites.
Stream logs and keep evidence fresh. Pipe SaaS audit logs to your SIEM; alert on new admins, new high-privilege grants, public links, and apps without SSO.
With Waldo: Bulk-revoke risky grants, enforce guardrails, and export one-click evidence (SSO coverage, admin changes, token revocations) for auditors.
KPIs that prove you’ve actually closed the gap
Unknown → Known: % of SaaS traffic/spend tied to inventoried apps.
SSO coverage: % of high-risk apps enforcing SSO/MFA.
OAuth health: Count of high-privilege grants with offline_access; % reduced MoM.
Shadow AI control: GenAI apps on allowlist vs. blocked/coached events.
Offboarding SLA: Median time to revoke all SaaS access (including tokens) after HR change.
The takeaway
SSO is table stakes—but bypass paths are everywhere: user consents, personal accounts, plug-ins, duplicate tenants, and public links. Detecting them isn’t magic; it’s method. Inventory first, correlate identity with network/expense/browser data, hunt for persistent OAuth, and shut down public egress. Waldo makes that loop fast—find what’s real, fix what matters, and prove it continuously.
Start by mapping what’s actually in use with Instant SaaS Discovery. Then keep auditors and customers smiling with clean, repeatable evidence via our SaaS Compliance Overview.
Sources & further reading
Verizon 2025 DBIR — stolen credentials dominate basic web-app breaches. (Verizon)
Microsoft Entra — user & admin consent policies and restricting apps to users/groups. (Microsoft Learn)
CISA Cloud Security Technical Reference Architecture — inventory + least privilege + logging as cloud/SaaS bedrock. (CISA)
Okta Businesses at Work 2025 — average org now 100+ apps. (Okta)