Software as a Service (SaaS) is a business model in which customers subscribe to access cloud-hosted applications rather than purchasing them outright.
While this model offers convenience and flexibility, many Managed Service Providers (MSPs) and their clients lack the budget for dedicated SaaS management platforms, creating significant visibility gaps in their SaaS inventory.
This article explores how MSPs can repurpose existing data sources to gain SaaS visibility cost-effectively, without the need for expensive tools.
Building a SaaS inventory with existing tools
Building a SaaS inventory with existing tools and data requires a structured approach. Key steps include collecting usage data, capturing network signals, incorporating financial records, consolidating the inventory, automating updates, visualizing and reporting findings, and embedding the inventory into client governance processes.
📌 Prerequisites:
- Access to client identity provider (IdP) logs
- Firewall, proxy, or secure web gateway logs
- Finance/expense management data or credit card statements
- Reporting tools
Step 1: Collect SaaS usage data from identity providers
IdPs like Okta and Microsoft Entra are the gateways to most SaaS applications. Since users’ login flows through them, these IdPs become the centralized source of SaaS usage data.
📌 Use Case: An MSP managing a 200-seat client wants to understand which SaaS applications are actively used. By pulling login reports from Microsoft Entra, they can quickly identify applications accessed, frequency of use, and licensed users.
Export login activity from IdPs
Pull reports from Okta, Entra ID, or other identity providers configured for single sign-on. These reports usually have the app name, user ID, login frequency, and authentication type.
Capture key SaaS usage details
Track and document the following usage details:
- Application name: The accessed SaaS tool
- User identity: Which employee is logging in, tied to email or account
- Login frequency: How often users engage with the application
- License agreement: Whether the user has an active license
Form a baseline SaaS inventory
Form a baseline SaaS inventory using the login activity and usage details collected. Use the login data as the authoritative dataset for centrally authenticated SaaS usage, then map out adoption trends across departments and roles. Afterward, highlight unused or duplicate tools for cost optimization.
Leverage built-in reporting tools
Microsoft Entra ID has built-in dashboards and exports for application usage insights, while Okta provides application usage reports to track activity across integrated SaaS apps.
⚠️ Important: Apps not tied to IdP may result in incomplete coverage and missed shadow IT. (For more info, refer to: Things to look out for)
Step 2: Capture network and browser-based clues
While many SaaS applications run through an IdP, some employees adopt tools by signing up directly, thus creating shadow IT. Capturing network and browser data helps find these hidden applications.
📌 Use Case: An MSP reviews firewall logs for a client and discovers frequent traffic to Trello, even though it’s not on the approved SaaS list.
Analyze firewall or proxy logs
Scan for outbound traffic to well-known SaaS domains, such as Slack and Zoom, then look for usage patterns that suggest regular employee adoption.
Leverage browser telemetry
Pull browser telemetry to see what SaaS tools employees access. Secure web gateways can enrich this data by categorizing traffic and showing app-specific trends.
Surface apps outside of SSO
Identify SaaS tools not authenticated via IdPs and flag them as potential shadow IT or unmanaged subscriptions for review.
While IdP exports capture centrally authenticated SaaS usage, network analysis exposes missed tools. This step ensures the SaaS inventory reflects sanctioned and unsanctioned applications. Merging the two datasets enables MSPs to present clients with an inventory that covers known and hidden SaaS activity.
Step 3: Add financial and expense data
Finance data allows MSPs to see what people paid for, which is perfect for spotting SaaS that slips past the IT team.
📌 Use Case: An MSP reviews a client’s card statements and finds recurring charges to multiple whiteboarding apps. After reconciling with IdP and network data, they consolidate to one tool and cut duplicate spend.
Collect finance sources
Export from expense and AP systems and pull credit card statements. Include the vendor’s name, transaction date, amount, currency, cardholder, memo, and other helpful information.
Identify recurring SaaS spend
Flag monthly or annual patterns and similar amounts per vendor. Separate subscriptions from one-off charges for better visibility and tracking. Lastly, mark potential auto-renewals based on cadence.
Cross-check with IdP and network datasets
Cross-check by checking the following:
- Match by app: If finance shows Figma, but IdP or network shows no use, investigate shadow IT or unused license.
- Match by user or department: Join cardholder or expense submitted to the directory info to find an owner.
This step expands visibility from ‘what’s used’ (steps one and two) to ‘what’s used and paid for.’ Merging finance with IdP and network enables you to confirm actual adoption (used + paid), waste (paid + unused), and risk (used + unpaid or unactioned).
⚠️ Warning: Vendor name inconsistencies or exposing sensitive finance data may result in client mistrust. (For more info, refer to: Things to look out for)
Step 4: Combine into a central inventory
This step is where you centralize everything into an authoritative SaaS inventory.
📌 Use Case: An MSP gathers multiple exports, but the information is scattered. By consolidating into one structured spreadsheet, they deliver a client-ready inventory that’s easy to manage and present.
- Combine entries into a spreadsheet, documentation tool, or low-code database.
- Normalize app names so variations are unified. For example, Microsoft Teams is sometimes called MS Teams or Teams.
- Deduplicate records across data sources to avoid double-counting.
- Include key fields in the inventory for consistent tracking:
- Application name
- Owner or department
- License status (Active, Trial, Expired)
- Renewal date
- Risk or compliance tag
This step unifies record supports, reporting, automation, and governance while giving MSPs and clients a shared view of the SaaS environment.
Step 5: Automate refreshes where possible
Manual updates are error-prone and time-consuming. Automating this stage ensures the SaaS inventory remains accurate and sustainable.
📌 Use Case: An MSP sets up scheduled exports from Microsoft Entra and QuickBooks. A simple script parses the CSVs and updates the master inventory weekly, ensuring clients see the latest SaaS usage and spend.
- Set scheduled exports from IdPs, finance systems, or secure web gateways.
- Write scripts to clean and import CSV into the central inventory.
- Automate merges so new data aligns with existing app records, owners, and renewal fields.
- Establish weekly or monthly update frequency, depending on client size and SaaS activity.
Automation ensures the inventory is a living system rather than a static report. Limiting manual updates empowers MSPs to deliver continuous visibility, allowing employees to focus on higher-priority tasks.
⚠️ Important: Ensure you monitor automation logs and set alerts for failed runs to avoid outdated or missing data caused by broken scripts. (For more info, refer to: Things to look out for)
Step 6: Visualize and report findings
This step ensures clients gain valuable insight, as you turn the SaaS inventory into clear visuals and reports.
📌 Use Case: An MSP builds a Power BI dashboard showing the SaaS spending by department. During a governance meeting, the client sees that Marketing pays for multiple design apps, prompting a consolidation decision.
This step requires using reporting tools like Microsoft Excel, Google Sheets, or visualization platforms. Create key views that highlight totals by:
- Application
- Department
- License type (Active, Trial, Expired)
- Renewal status and upcoming dates
You also want to highlight trends in usage vs. spending to show underutilization or duplication. Share snapshots with clients during Quarterly Business Reviews (QBRs) or monthly governance calls. Visualization makes the inventory actionable, transforming a static list into a tool clients can interpret. This step helps MSPs demonstrate value.
Step 7: Embed inventory into client governance
A SaaS inventory delivers the most value when it becomes part of ongoing client governance rather than a one-time project.
📌 Use Case: An MSP includes SaaS inventory findings in a client’s QBR. The MSP guides the client toward cost savings and improved compliance by highlighting redundant collaboration tools and upcoming renewals.
Present SaaS inventory during QBRs, monthly governance calls, or compliance reviews. Spotlight the following themes if possible:
- Cost optimization opportunities
- Redundant applications
- Risky or unapproved apps
Afterward, you want to tie the findings to action items so the client leaves with clear next steps. Update governance materials so the inventory becomes a recurring agenda item with endpoint health, backup status, and security posture.
This step turns the inventory into a tool that supports cost control, risk management, and strategic planning.
Best practices when building a SaaS inventory
When building a SaaS inventory, follow these practices to ensure it remains client-friendly, transparent, and accurate.
| Component | Purpose and benefit |
| SSO log analysis | Captures centrally authenticated SaaS usage |
| Network and/or proxy logs | Detects SaaS outside of SSO |
| Expense data integration | Surfaces shadow IT spending |
| Consolidated inventory | Creates one source of truth |
| Enriched metadata | Adds governance and compliance context |
| Scheduled refreshes | Keeps visibility accurate |
| Visualization and reporting | Makes findings client-friendly |
| QBR embedding | Builds governance into regular cadence |
⚠️ Things to look out for when building a SaaS inventory
| Risks | Potential Consequences | Reversals |
| Incomplete coverage, like apps not tied to IdP, may result in misinterpreted login data | This may result in a false sense of visibility or missed shadow IT. | Cross-check with the network or finance data, then validate reports with client stakeholders. |
| Vendor name inconsistencies or sensitive finance data exposure | Duplicate or incorrect app records and client mistrust may stem from inconsistencies and data exposure. | Limit data fields and use secure storage. |
| Scripts may fail after system updates or due to misaligned schedules. | This could result in outdated or missing data, requiring manual rework and inconsistent reporting. | Monitor automation logs, set alerts for failed runs, and return to manual export if needed. |
NinjaOne services that help build a SaaS inventory
You can use NinjaOne’s inventory, customization, and reporting functions to incorporate SaaS tracking into existing workflows without needing new tools.
Device inventory exports
NinjaOne’s device inventory exports let you view endpoint-installed applications across client environments. Combining this endpoint data with SaaS usage records allows MSPs to capture locally installed tools and cloud-hosted services.
Integrating NinjaOne this way helps identify redundancies, unmanaged licenses, or shadow IT.
Customizable fields
NinjaOne has customizable fields to tailor to track SaaS-specific information, such as license owner, subscription renewal dates, cost centers, or security compliance notes.
Incorporating SaaS inventory data into existing documentation or ticketing workflows ensures technicians and account managers have this information ready.
Reporting tools
QBRs let MSPs demonstrate value to clients. Integrating SaaS inventory insights into NinjaOne’s reporting dashboards and slide decks enables MSPs to show clients how their SaaS environment is monitored and optimized.
Highlighting SaaS cost savings, security gaps, or consolidation opportunities adds strategic value.
Strengthen governance by building a DIY SaaS inventory
You can build a SaaS inventory using the tools you have at your disposal. Combining SSO logs, network records, and financial data allows MSPs to construct an inventory that reduces shadow IT risks and optimizes SaaS spend.
And with NinjaOne, you can create an inventory with a strong endpoint and improved software visibility.
Related topics:
