# App Discovery

### 👥 **Who It Applies To**

| Role       | Capabilities                                                                                                     |
| ---------- | ---------------------------------------------------------------------------------------------------------------- |
| **Admins** | Configure and manage app discovery sources, review discovered apps, triage new apps, roll out browser extension. |
| **Users**  | Contribute to discovery by recording existing access via the installation of the browser extension.              |

***

### 📖 Key Concepts

* **App Discovery** surfaces SaaS apps employees access without central provisioning.
* Apps can be discovered from multiple sources: Browser Extension, Google Workspace, Entra (Azure AD / Microsoft 365).
* Each discovered app entry in Cakewalk is enriched with metadata such as **Last Activity Date**, **Discovery Source** and **First Seen Date**.
* Admins can decide whether to **Manage, Restrict** or **Ignore** each discovered app.
* Cakewalk's app discovery helps identify **Shadow IT**, allowing apps to be governed or restricted, thus closing blind spots and providing a comprehensive view of your attack surface.
* It also detects all **dormant accounts** by highlighting their last activity, supporting the enforcement of *Least Privilege* best practices.

💡 *Why this matters*: App Discovery transforms unknown and unmanaged apps into governable assets, reducing risk, improving compliance and giving IT & Security teams confidence in their full app stack.

***

### 🔍 Discovery Sources

#### Browser Extension

* **How it works**: Detects and records app usage from users' browsers.
* **Discovery scope**: Discovery of app logins, covering **6,000+ apps**.
* **How to install it**: Roll out centrally (e.g., Intune, Jamf, GPO) or let users install individually.
* **Actions:**
  * **Record existing access**: Users can declare apps they already use.
  * **Record managed apps**: Log access to apps already governed in Cakewalk.
  * **Restricted apps**: Notifications are sent to both the employee and Admins if a restricted app is accessed.
* **Privacy**: Configure prompted logging (explicit user input) or silent logging (background detection).
* **Reference**: See the [Browser Extension guide](/connections-and-integrations/cakewalk-browser-extension.md) for detailed setup and configuration.
* **Why this matters**: Captures shadow IT apps employees sign up for without approval.

{% hint style="info" %}
**How browser extension access works:** The browser extension records current access that users already have, which is added directly to Cakewalk without going through the Access Request process. Access Requests are for new access that users want to have. Use the **Source** column in each app's User table to distinguish between access granted through requests versus discovered by the browser extension.
{% endhint %}

***

#### Google Workspace

* **Capabilities**:
  * Surfaces applications that employees have accessed using **Google SSO** or granted OAuth permissions to within the past 6 months.
  * Detects shadow SaaS apps that employees connect with their work Google account.
  * Lists all connected apps under *App Governance → Discovered Apps*.
* **Actions**:
  * Admins can review newly discovered apps and decide to **Manage, Restrict** or **Ignore**.
  * Use discovery metadata (Last Activity Date, Access Since Date, Discovery Source) to prioritize high-risk apps.
  * Combine with access reviews to identify dormant or unapproved Google-connected accounts.
* **How to set it up**: Must be configured by an **Admin in Cakewalk** who also has **admin rights in Google Workspace**, granting Cakewalk read access to OAuth tokens your users have approved for third-party apps.
* **Why this matters**: Many SaaS tools are adopted via Google login without central oversight. Cakewalk exposes these OAuth-based connections so you can govern or restrict them and prevent uncontrolled data sharing.

***

#### Entra ID

* **Capabilities**:
  * Surfaces all apps employees log into with **Entra SSO**.
  * Detects **OAuth grants to third-party apps** connected to Microsoft accounts.
  * Provides audit-level detail on who accessed which apps and when, using Entra sign-in logs.
* **Actions**:
  * Admins can view discovered apps in *App Governance* and classify them as **Managed, Restricted** or **Ignored**.
  * Use discovery metadata (Last Activity Date, Access Since Date, Discovery Source) to highlight unused or risky apps.
  * Map Entra-discovered apps against groups and RBAC policies to tighten enforcement.
* **How to set it up**: Must be configured by an **Admin in Cakewalk** who also has **global admin rights in Entra**, granting Cakewalk read access to sign-in logs and enterprise app assignments.
* **Why this matters**: In Microsoft-centric organizations, Entra is the central identity hub. Cakewalk integrates with Entra to give full visibility into connected apps and OAuth grants, helping you uncover *Shadow IT*, reduce dormant accounts and enforce *Least Privilege* at scale.

***

### 📊 Discovery Metadata

Each discovered app entry and discovered identity entry (human or non-human, where supported) includes the following metadata:

* **Last Activity Date:** Most recent usage detected across sources.
* **Discovery Source:** Indicates whether the app was surfaced via Browser Extension, Google Workspace or Entra.
* **Access Since Date:** When Cakewalk first detected the app access.

💡 *Together, these fields help Admins and App Owners evaluate risk, identify stale access and decide whether to manage, restrict or ignore an app.*
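
The triage these fields support, as an added example that is not Cakewalk's code or export format: per-source sightings are merged into one entry per app and user (earliest detection, most recent activity), then access idle beyond a threshold is flagged. The record field names, the sample rows and the 90-day default are assumptions made for illustration.

```python
from datetime import date

# Constructed sample sightings: one row per (app, user, source). Field names are
# hypothetical and do not reflect Cakewalk's data model or any export format.
SIGHTINGS = [
    {"app": "Figma", "user": "ana@example.com", "source": "Browser Extension",
     "first_seen": date(2024, 1, 10), "last_activity": date(2024, 2, 1)},
    {"app": "Figma", "user": "ana@example.com", "source": "Google Workspace",
     "first_seen": date(2023, 11, 5), "last_activity": date(2024, 5, 20)},
    {"app": "Notion", "user": "ben@example.com", "source": "Entra",
     "first_seen": date(2023, 6, 1), "last_activity": date(2023, 9, 15)},
    {"app": "Trello", "user": "ana@example.com", "source": "Google Workspace",
     "first_seen": date(2024, 4, 2), "last_activity": None},  # grant never used
]

def merge_sightings(sightings):
    """Collapse per-source rows into one entry per (app, user)."""
    merged = {}
    for s in sightings:
        entry = merged.setdefault((s["app"], s["user"]), {
            "sources": set(), "access_since": s["first_seen"], "last_activity": None})
        entry["sources"].add(s["source"])
        # Access Since: earliest detection from any source.
        entry["access_since"] = min(entry["access_since"], s["first_seen"])
        # Last Activity: most recent usage across sources; None means none seen.
        if s["last_activity"] and (entry["last_activity"] is None
                                   or s["last_activity"] > entry["last_activity"]):
            entry["last_activity"] = s["last_activity"]
    return merged

def dormant_access(merged, today, max_idle_days=90):
    """Return (app, user, idle_days) for access idle longer than the threshold."""
    flagged = []
    for (app, user), e in merged.items():
        # Assumption: with no recorded activity, idleness counts from first detection.
        reference = e["last_activity"] or e["access_since"]
        idle = (today - reference).days
        if idle > max_idle_days:
            flagged.append((app, user, idle))
    return sorted(flagged, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for app, user, idle in dormant_access(merge_sightings(SIGHTINGS), date(2024, 6, 1)):
        print(f"{app:8} {user:18} idle {idle} days")
```

Merging before flagging matters: the Figma entry looks stale from the browser extension alone, but the Google Workspace sighting shows recent use.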

