App Discovery
App Discovery in Cakewalk identifies all apps used in your organization. Using browser extension data and integration with Google Workspace and Entra, it shows every app, its users and last usage.
👥 Who It Applies To
Admins
Configure and manage app discovery sources, review discovered apps, triage new apps, and roll out the browser extension.
Users
Contribute to discovery by installing the browser extension and recording their existing access through it.
📖 Key Concepts
App Discovery surfaces SaaS apps employees access without central provisioning.
Apps can be discovered from multiple sources: Browser Extension, Google Workspace, Entra (Azure AD / Microsoft 365).
Each discovered app entry in Cakewalk is enriched with metadata such as Last Activity Date, Discovery Source and First Seen Date.
Admins can decide whether to Manage, Restrict or Ignore each discovered app.
Cakewalk's app discovery helps identify Shadow IT, allowing apps to be governed or restricted, thus closing blind spots and providing a comprehensive view of your attack surface.
It also detects all dormant accounts by highlighting their last activity, supporting the enforcement of Least Privilege best practices.
💡 Why this matters: App Discovery transforms unknown and unmanaged apps into governable assets, reducing risk, improving compliance and giving IT & Security teams confidence in their full app stack.
🔍 Discovery Sources
Browser Extension
How it works: Detects and records app usage from users' browsers.
Discovery scope: Discovery of app logins, covering 6,000+ apps.
How to install it: Roll out centrally (e.g., Intune, Jamf, GPO) or let users install individually.
Actions:
Record existing access: Users can declare apps they already use.
Record managed apps: Log access to apps already governed in Cakewalk.
Restricted apps: Notifications are sent to both the employee and Admins if a restricted app is accessed.
Privacy: Configure prompted logging (explicit user input) or silent logging (background detection).
Reference: See the Browser Extension guide for detailed setup and configuration.
Why this matters: Captures shadow IT apps employees sign up for without approval.
Google Workspace
Capabilities:
Discovers applications that employees have accessed using Google SSO, or granted OAuth permissions to, within the past 6 months.
Detects shadow SaaS apps that employees connect with their work Google account.
Lists all connected apps under App Governance → Discovered Apps.
Actions:
Admins can review newly discovered apps and decide to Manage, Restrict or Ignore.
Use discovery metadata (Last Activity Date, Access Since Date, Discovery Source) to prioritize high-risk apps.
Combine with access reviews to identify dormant or unapproved Google-connected accounts.
How to set it up: Must be configured by an Admin in Cakewalk who also has admin rights in Google Workspace, granting Cakewalk read access to OAuth tokens your users have approved for third-party apps.
Why this matters: Many SaaS tools are adopted via Google login without central oversight. Cakewalk exposes these OAuth-based connections so you can govern or restrict them and prevent uncontrolled data sharing.
Entra ID
Capabilities:
Surfaces all apps employees log into with Entra SSO.
Detects OAuth grants to third-party apps connected to Microsoft accounts.
Provides audit-level detail on who accessed which apps and when, using Entra sign-in logs.
Actions:
Admins can view discovered apps in App Governance and classify them as Managed, Restricted or Ignored.
Use discovery metadata (Last Activity Date, Access Since Date, Discovery Source) to highlight unused or risky apps.
Map Entra-discovered apps against groups and RBAC policies to tighten enforcement.
How to set it up: Must be configured by an Admin in Cakewalk who also has global admin rights in Entra, granting Cakewalk read access to sign-in logs and enterprise app assignments.
Why this matters: In Microsoft-centric organizations, Entra is the central identity hub. Cakewalk integrates with Entra to give full visibility into connected apps and OAuth grants, helping you uncover Shadow IT, reduce dormant accounts and enforce Least Privilege at scale.
📊 Discovery Metadata
Each discovered app and user entry includes the following metadata:
Last Activity Date: Most recent usage detected across sources.
Discovery Source: Indicates whether the app was surfaced via Browser Extension, Google Workspace or Entra.
Access Since Date: When Cakewalk first detected the app access.
💡 Together, these fields help Admins and App Owners evaluate risk, identify stale access and decide whether to manage, restrict or ignore an app.