SaaS Sprawl: How to Find the 30+ Apps You’re Paying For

SaaS sprawl is the uncontrolled spread of software-as-a-service subscriptions across a business — the dozens of cloud apps staff sign up for that nobody centrally tracks, approves or pays for through one channel. Most Melbourne SMEs we audit are running 30 to 60 of them, and the finance team can account for fewer than half.

The problem is rarely one big bill. It is a hundred small ones, plus a security exposure nobody is watching. This post explains how sprawl happens, what it actually costs you, and how to run a proper audit — using the tools you already own in Microsoft 365 — so you can see every app, kill the duplicates and put a gate on the front door.

What SaaS sprawl is and how it happens

SaaS sprawl is what you get when buying software becomes frictionless. A decade ago, new software meant a purchase order, an install and an IT ticket. Now any staff member with a corporate card and an email address can have a new tool running before lunch. That convenience is genuinely useful — and it is exactly why the count gets out of hand.

It accumulates through a few predictable channels:

  • Departments self-provisioning. Marketing signs up for Canva, a scheduling tool and three analytics platforms. Sales buys its own CRM add-ons. Each decision is reasonable in isolation; nobody sees the total.
  • Individuals on cards. One person expenses a $15-a-month transcription app, another a PDF editor, another a project board. They are small enough to slip through expense approval without a second look.
  • Free trials that convert. A trial gets set up for a one-off task, the card is entered to “unlock the export”, and twelve months later it is still billing because nobody cancelled it.
  • Duplicate tools. Three teams solve the same problem three different ways — you end up paying for two file-sharing platforms, two e-signature tools and a video conferencing app you already get free with Microsoft 365.

None of this is anyone behaving badly. It is the natural drift of a business where buying software is easier than asking permission.

What it actually costs you

The wasted subscription spend is the obvious cost, and it is real — paying twice for the same capability, paying for seats that left with departed staff, paying for trials that quietly converted. But the spend is usually the smallest part of the bill.

Security risk from unmanaged apps

Every app a staff member connects to your data is a door into it. When someone signs in to a third-party tool “with Microsoft” or “with Google”, they often grant that app standing permission to read mail, files or contacts — an OAuth grant that persists long after they have forgotten the app exists. You cannot defend what you cannot see, and an unmanaged app sitting on a live token to your SharePoint is exactly the kind of thing the Australian Cyber Security Centre (ACSC) warns about in its cloud guidance.

Orphaned accounts and offboarding gaps

This is the one that bites hardest. When a staff member leaves, you disable their Microsoft 365 account — but if they signed up directly to a dozen other tools with their work email and a separate password, those accounts keep working. A former employee can still log in to the marketing platform, the file-sharing app or the customer database weeks after their last day, because that login never touched your central identity. Offboarding is only as complete as your app inventory, and most inventories do not exist.

Data scattered everywhere

Sprawl means your business data ends up spread across systems you do not control and cannot search. Customer details in a trial CRM, contracts in a personal e-signature account, project files in someone’s individual cloud drive. When you need to respond to a privacy request, prove what data you hold, or recover after an incident, you cannot — because you do not know where it all is. Under the Notifiable Data Breaches scheme, “we did not know that app held customer data” is not a defence the Office of the Australian Information Commissioner (OAIC) will accept.

How to run a SaaS audit

You do not need a fancy SaaS-management platform to start. Four sources, cross-referenced, will surface almost everything.

1. Expense and card review

Pull twelve months of card statements and accounts-payable records and flag every recurring software charge. Look specifically for small monthly amounts, USD billing, and anything from a name you do not recognise. Twelve months matters because annual subscriptions only show up once. This is the fastest way to find spend nobody approved.

2. Entra ID enterprise apps and OAuth grants

This is the technical heart of the audit and the bit most businesses skip. In the Microsoft Entra admin centre, the Enterprise applications blade lists every third-party app that has been granted access to your tenant — every “sign in with Microsoft” connection your staff have ever made. Each one shows the permissions it holds and who consented. You will almost certainly find apps nobody can name, with read access to mail or files, that should have been revoked long ago. If you want the wider context on how this identity layer works, we have written a full piece on Microsoft 365 support in Melbourne.

3. Browser and SSO sign-in logs

Entra ID sign-in logs show which applications staff are authenticating to and how often. Cross-reference that against your enterprise apps list. If your business uses a single sign-on portal, its activity log is gold — it tells you what people actually use versus what they signed up for and abandoned. Low or zero usage is your cancellation shortlist.

4. Build a simple inventory

Put it all in one spreadsheet: app name, owner, what data it touches, monthly cost, billing channel, who has access, and whether it uses SSO. That single document is more than most SMEs have ever had, and it becomes the working register for everything that follows.

Rationalising what you find

An audit that produces a list and no decisions is just paperwork. The point is to cut. A construction firm in Box Hill we work with came out of this exercise running 41 SaaS tools; we got them to 23, and roughly $1,900 a month in spend disappeared along the way — before counting the risk we closed off.

Three moves do most of the work:

  • Consolidate onto Microsoft 365 where it already does the job. If you pay for Microsoft 365, you are already paying for video meetings (Teams), file sharing (SharePoint and OneDrive), forms, basic e-signature, task boards and a great deal more. A surprising share of the third-party tools we find are duplicating capability the business already owns. Killing those is free money.
  • Kill the duplicates. Where two tools do the same thing, pick one, migrate, and cancel the other. Two e-signature platforms is one too many.
  • Enforce SSO on what survives. Every retained app that can sit behind Entra ID single sign-on should. That gives you one place to grant access, one place to cut it when someone leaves, and one set of credentials staff are not reinventing weakly across a dozen logins.

Ongoing governance and a procurement gate

Sprawl regrows the moment you stop watching. The fix is not a one-off purge but a light, durable process.

Put a procurement gate on new software: any new SaaS tool gets a quick sign-off that checks whether the business already owns something equivalent, what data the tool will touch, and whether it supports SSO. This does not need to be bureaucratic — a two-minute conversation and a line in the inventory is enough. The aim is simply that no app enters the business completely unseen.

Then review the inventory quarterly: what is unused, what is duplicated, what is up for renewal, and which OAuth grants in Entra ID can be revoked. This is the sort of standing discipline a virtual CIO brings to a business that has no internal IT leadership — turning a chaotic app estate into a managed one.

The security angle: OAuth consent and Conditional Access

Two Microsoft 365 controls do most of the heavy lifting on the security side of sprawl.

App consent settings. By default, many tenants let any user grant a third-party app access to their own data. Tightening this so that risky permissions require admin approval stops the next unvetted app from quietly attaching itself to your tenant. It is a single configuration change with a large payoff, and it is one of the first things we set on a managed tenant.

Conditional Access. Policies that require a managed device or block legacy authentication shrink the ways a leaked credential or rogue app can be abused. Identity is the perimeter now, and Conditional Access is where you enforce it — we cover the detail in our guide to Conditional Access policies in Microsoft 365. Together with tightened app consent, these controls mean sprawl stops being a free-for-all and starts being something you govern.

TechAssist is a Melbourne-based MSP, founded in 2014, with thirteen Australian-employed engineers and a 24/7 NOC in Tecoma. SaaS rationalisation and Entra ID hardening are standard work for our managed clients — and because we bill per user at a fixed monthly rate, this kind of clean-up is in scope rather than a surprise project invoice.

Frequently asked questions

How many SaaS apps does a typical small business actually use?

More than they think. Across Melbourne SMEs we audit, 30 to 60 distinct cloud applications is common, and the finance team can usually account for fewer than half because so many are bought on individual cards and through free trials that converted.

Can I find shadow apps without buying special software?

Yes. The Entra ID enterprise applications list and sign-in logs, cross-referenced against twelve months of card and accounts-payable records, will surface the overwhelming majority. Dedicated SaaS-management platforms add automation and continuous discovery, but you can run a thorough first audit with the tools you already own.

What is the single biggest risk from SaaS sprawl?

Offboarding gaps. When staff sign up to tools directly with a separate password, disabling their Microsoft 365 account does not close those accounts. A departed employee retaining access to a customer database or file-sharing app weeks after leaving is the exposure we see most, and it is invisible without an inventory.

How do I stop sprawl coming back after an audit?

A procurement gate plus a quarterly review. New tools get a quick sign-off that checks for existing capability and SSO support; every quarter you re-check the inventory for unused, duplicated and renewing apps and revoke stale OAuth grants in Entra ID. The process is light, but it has to be standing.

Talk to us about your app estate

If you have no idea how many SaaS tools your business is running — or what they can see — that is the normal starting point, not an embarrassing one. Our managed IT services team can run the audit, rationalise the estate onto Microsoft 365 where it makes sense, and put governance around what is left. Get in touch and we will tell you plainly what we find.

Ready to Make IT Your
Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.