Skip to main content

App Discovery

How to use the App Discovery to discover applications in your organization.

Overview

App Discovery is a shadow IT detection tool. It automatically finds applications your users are accessing via OAuth grants -- apps that may not be officially managed or approved by your organization. Instead of relying on employees to report every tool they sign up for, App Discovery surfaces them for you so you can decide whether to manage, monitor, or block them.

App Discovery

How It Works

When you connect an integration like Google Workspace, ShiftControl periodically scans for OAuth authorizations that your users have granted to third-party apps. Each time a user clicks "Sign in with Google" or grants OAuth permissions to an app, that activity is recorded.

App Discovery collects this data and displays it as a list of discovered apps. For each app, you can see:

  • State -- Pending, Snoozed, Dismissed, or Added. New discoveries start as Pending.
  • Activity -- how many users have authorized the app, how many OAuth grants exist, and how many permission scopes were requested.

This gives you visibility into what apps are being used across your organization without requiring any action from end users.

Common Scenarios

Discovering and managing shadow IT

A developer signs up for a new CI/CD tool using "Sign in with Google." App Discovery detects the OAuth grant and shows the app as Pending. You review it, decide it should be managed, and click "Add to apps" to bring it into your App Management dashboard where you can assign it properly and configure SSO.

Auditing OAuth permissions

You notice a discovered app requested a large number of OAuth scopes. You expand the app details to see exactly which users authorized it and what permissions they granted. This helps you assess whether the app poses a security risk.

Cleaning up unused apps

You filter by Pending and review apps that have been discovered but not yet addressed. Apps with only one user and minimal activity can be dismissed. Apps with broad adoption should be added and managed.

Viewing Discovered Apps

The App Discovery table shows all detected apps with the following information:

  • App -- the app name and icon.
  • State -- the current status (Pending, Snoozed, Dismissed, or Added).
  • Activity -- the number of users, OAuth grants, and scopes associated with the app.

Use the search bar to find a specific app by name. Use the state filter dropdown to show only Pending, Snoozed, Dismissed, or Added apps.

Viewing App Details

Expand any discovered app row to see detailed activity: which users took which actions, what OAuth scopes were granted, and when.

App Discovery details

Adding a Discovered App

Click the Add to apps button next to any discovered app. This takes you to the App Catalog where you can add the app as an SSO app or Bookmark, configure its settings, assign groups, and make it available in the employee portal.

Once added, the app's state in App Discovery changes to "Added."

Discovered App Actions

Each discovered app has a menu with the following actions:

  • Snooze -- temporarily hide the app from the Pending list. It will reappear if new OAuth activity is detected.
  • Dismiss -- permanently remove the app from the Pending list. Use this for apps you've reviewed and decided not to manage.
  • Reset -- return the app to Pending status. Useful if you want to re-evaluate a previously snoozed or dismissed app.

You can view snoozed, dismissed, and added apps at any time using the state filter.

Bulk Actions

Select multiple apps using the checkboxes, then click Bulk Actions to apply Snooze, Dismiss, or Reset to all selected apps at once. This is useful for triaging a large number of newly discovered apps.

App Discovery bulk actions

Things to Know

  • App Discovery currently supports Google Workspace as a detection source. More integrations are planned.
  • Discovery is automatic and periodic. You do not need to trigger scans manually.
  • Discovered apps are not managed apps. They appear in App Discovery only -- they are not shown to employees and have no assignments until you add them.
  • The activity counts (users, grants, scopes) help you prioritize which apps to review first. An app with many users and broad scopes deserves more attention than one with a single user.
  • Dismissing an app does not revoke OAuth access. It only removes the app from the Pending view. To revoke access, you would need to do so in the source platform (e.g., Google Workspace Admin).
  • App Management -- manage all your officially added apps.
  • Adding an App -- add a discovered app to your managed list.
  • Editing an App -- configure app details after adding it.
  • Groups -- assign apps to groups for scalable access management.