OAuth discovery and beyond | BetterCloud
You can’t secure what you can’t see.
That line gets repeated a lot in IT circles, and for good reason. Shadow IT is no longer the exception. It’s the norm. The average company uses over 100 different SaaS applications. But the apps IT knows about are just the beginning. Employees are spinning up tools, connecting integrations, and expensing software subscriptions without ever looping in IT. The gap between what’s actually in your environment and what’s on your radar is wider than most teams realize.
That gap is exactly what SaaS app discovery is designed to close.
What is SaaS app discovery?
SaaS app discovery is the process of identifying and cataloging every cloud application in use across your organization, including the ones IT didn’t sanction, approve, or even know existed. It covers the full spectrum: apps accessed through your identity provider, tools employees connected to their work accounts, software showing up in expense reports, and everything in between.
The goal isn’t just to build a list. It’s to create a complete, continuously updated picture of your SaaS environment so you can make informed decisions about access, spend, risk, and governance.
Why no single discovery method is enough
Here’s the part most vendors skip over: there is no single method that catches everything.
Every discovery approach has blind spots. OAuth shows you what’s been connected to your core identity providers, but only if the employee used “Sign in with Google” or “Sign in with Microsoft.” SSO captures apps going through your identity provider, but misses tools employees access directly. A browser extension picks up real-time usage at the point of access, but won’t surface subscriptions employees are paying for out of pocket. Financial and ERP data catches spend, but rarely tells you who’s using the app or what data it can access.
This is why layering matters. No single signal gives you the whole picture. Multiple methods, working together, get you closer to a complete inventory and a defensible security posture.
BetterCloud is built around this principle. Rather than relying on one discovery mechanism, BetterCloud uses four complementary methods to surface every app in your environment, sanctioned or not.
How BetterCloud discovers SaaS apps across your environment
OAuth
When employees connect a third-party app to Google Workspace or Microsoft 365, they grant it OAuth access. That handshake happens in seconds, often without any IT involvement, and the permission stands until someone revokes it.
BetterCloud surfaces every app that has been granted OAuth access across your environment. This is one of the most revealing discovery signals available. OAuth-connected apps often have broad permissions, including access to email, calendar, files, and contacts, and many of them were connected once and never revisited. BetterCloud makes the invisible visible: you can see what’s connected, what it can access, and take action directly from the platform.
SSO
If your organization uses an identity provider like Okta, apps accessed through SSO are automatically surfaced in BetterCloud. This gives IT a reliable baseline of the tools employees are using through your managed login infrastructure.
SSO discovery is particularly valuable for understanding your sanctioned stack at scale. When you can see which apps are tied to your IdP, how many users are accessing them, and how frequently, you have the data you need to make smarter decisions about renewals, access policies, and consolidation.
Browser extension
OAuth and SSO only capture what employees connect through managed channels. The BetterCloud browser extension captures everything else.
When deployed to corporate devices, the browser extension monitors app usage in real time, at the point of access. It catches tools employees visit directly, apps they sign into with personal credentials, and shadow IT that never touches your identity provider. For IT teams trying to understand the full scope of SaaS usage across their organization, the browser extension fills in the gaps that other discovery methods leave behind.
ERP and expense integrations
Some of the most consequential shadow IT never shows up in OAuth logs or SSO data. It shows up in an expense report.
Employees regularly pay for SaaS subscriptions on corporate cards, and those costs flow through finance systems long before IT ever hears about them. By connecting BetterCloud to your ERP or expense platform, you can surface software spend that lives entirely outside your managed environment. This method is especially useful for catching paid tools with no IT footprint, duplicate subscriptions across departments, and recurring charges tied to apps that may have already been offboarded.
What to do once you find everything
Discovery is the foundation. What you build on top of it is what actually protects your organization.
BetterCloud pairs its discovery engine with alerts and automated workflows that close the loop between visibility and action. When something changes in your environment, BetterCloud can detect it and respond automatically, without waiting for an IT ticket.
A few examples of what that looks like in practice:
A user grants OAuth access to an unapproved app. BetterCloud detects the new connection, fires an alert, and triggers a workflow to flag it for review or revoke access automatically.
An employee sets up email forwarding from their corporate account. BetterCloud identifies the configuration change and can automatically disable the forwarding rule and notify an admin.
A new app appears in expense data that doesn’t match anything in your SaaS inventory. BetterCloud surfaces it for review so IT can assess the risk and decide whether to bring it into a managed workflow or block it.
The result is a continuous loop: discover, alert, remediate. Running in the background. Without manual intervention.
SaaS app discovery isn’t a one-time project
It’s an ongoing process, and it only works if you’re capturing signals from every angle. OAuth, SSO, browser usage, and financial data each tell part of the story. BetterCloud brings them together in one place so IT has a complete, accurate, and actionable view of the SaaS environment.
Because you can’t manage what you can’t see. And you can’t secure what you can’t manage.
Ready to see everything in your environment? Request a demo of BetterCloud.

