As of our January 16th, 2024 release, Block 64 will now be able to detect SaaS usage by monitoring authentication logs of popular SSO and OAuth providers. Currently, Block 64 only supports this type of monitoring for Entra ID, but support for vendors like Google and Okta is planned for subsequent releases.
These products keep track of when a user leverages them to authenticate with third-party applications. By aggerating these logs over time, organizations can identify which products are being used in their environment, which users are leveraging them, and when the products are being leveraged. This data is essential for managing SaaS products.
To begin gathering this data, a customer must first enter their Entra ID credentials either into the Block 64 Windows Application or the Block 64 Insights Platform. Upon entering credentials, users will be prompted to consent to data discovery. A data pull will occur soon after, and a daily pull be scheduled as well.
After authentication, going to the SaaS Management -> SSO Applications section of the Combine users can see the data that has been discovered. This section starts by listing the most prevalent applications logged into by users.
The table below provides additional details. Users can identify all services that have been authenticated against, the number of users that have logged in, the source of the data, and the last time each user authenticated. Last Login is important as it can be used to identify if a product is in use, and if there may be reclaimable licenses.
Selecting a specific service will let users drill down to see the usage details for that application. The graph at the top of the page shows log ins over the last 30 days. No usage is an important metric that can be used to determine if licenses are recoverable and therefore worth additional investigation.
The data from each individual user can be seen in the table below the graph.
It is important to note that the authentication providers may only provide limited historical details. For example, Entra ID only provides logs over the last 30 days. Ongoing discovery is required to paint a full picture of what is in use.