SaaS Audit for MSP Clients: The AI Tools Will Not Show Up in Your RMM

Scopable Team · 10 min read
A SaaS audit for MSP clients should not start with the RMM.

The RMM is useful for endpoints, installed desktop software, agents, patch posture, and device-level inventory. It cannot tell you the whole software story anymore.

Most client work now happens in browsers, identity providers, Microsoft 365, cloud apps, finance systems, and whatever AI tool an employee found because a deadline was ugly. Some of that activity touches a managed device. Some of it does not. Some of it creates spend, data exposure, or business dependency before anyone writes it into a standard.

That is why a SaaS audit is not a prettier inventory export. It is a business decision tool.

The point is not to impress a client with a huge app list. The point is to prove what should stay, what should be retired, what should be governed, what should be renewed, and what work needs a quote.

Visibility only matters if it creates a funded decision.

Why RMM data misses the SaaS problem

RMM tools were built around devices. That still matters, but SaaS sprawl is not mainly a device problem.

A client can have:

  • Browser-based apps with no local install.
  • AI tools used through personal accounts.
  • Chrome extensions that touch client data.
  • Former pilot tools still billing on a credit card.
  • Duplicate collaboration tools across departments.
  • OAuth app grants sitting in Microsoft Entra.
  • Contractors using SaaS apps without managed endpoints.
  • Department-owned subscriptions finance pays for, but IT never approved.

Your RMM might see a desktop app. It might see a browser. It might see an extension if the environment is managed tightly enough. It usually will not understand the business owner, contract term, renewal date, department usage, data risk, or whether the client is paying for three tools that solve the same problem.

That is the gap MSPs can turn into advisory work.

ScalePad's recent SaaS Management launch is a useful signal for the market. MSP vendors are starting to admit that hardware lifecycle, endpoint inventory, SaaS usage, shadow IT, and AI adoption belong in the same client conversation. The product announcement is not the story for your client. The story is that the old asset view is no longer enough.

Start with the audit question, not the tool

Before pulling data, decide what the audit is meant to answer.

Use a narrow question set:

  • Which SaaS tools are actively used?
  • Which paid tools have weak adoption?
  • Which tools duplicate an approved tool?
  • Which tools store sensitive client data?
  • Which AI tools are being used?
  • Which apps have broad permissions?
  • Which findings belong in the roadmap?

Do not promise a perfect software census. Promise a useful decision brief tied to spend, risk, renewal pressure, or a governance gap the client understands.

Data sources for an MSP SaaS audit

A good SaaS audit uses overlapping signals. No single source is clean enough by itself.

Microsoft 365 usage reports

Microsoft 365 is usually the first place to look because it already holds identity, productivity, collaboration, and license data for many SMB clients.

Microsoft's own admin documentation describes Microsoft 365 Apps usage reporting across Windows, Mac, web, and mobile, including active users and per-user activity detail. That is useful, but it is still Microsoft-centered. It can help you compare licensed users against actual activity, spot underused apps, and prepare Copilot or Teams cleanup conversations.

Use it for:

  • Inactive or barely active licensed users.
  • Teams, OneDrive, Outlook, and app activity trends.
  • Platform usage, such as web, desktop, and mobile.
  • Adoption gaps before renewing or adding premium seats.

Do not use it as proof that the client has no SaaS sprawl. It only sees what Microsoft sees.

Microsoft Entra enterprise applications

The Enterprise Applications area in Microsoft Entra shows apps added to the tenant and permissions granted through user or admin consent. Microsoft documents review and revocation workflows for application permissions, including admin consent and user consent review paths.

For an MSP SaaS audit, look for:

  • Apps granted broad permissions.
  • Apps with old consent dates.
  • Apps tied to former vendors or abandoned pilots.
  • Apps with many assigned users and no named owner.
  • Apps that touch mail, files, calendar, or directory data.

This is also where AI tools can show up if they use Microsoft identity. That does not mean every AI tool will appear. It means Entra is one high-value signal in a wider audit.
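One way to rank delegated grants for this review, as an added example that is not from the original article. Records follow the Microsoft Graph oauth2PermissionGrant shape (clientId, consentType, principalId, scope); the sample data, app names, owners, sensitive-scope prefixes and scoring weights are constructed assumptions.

```python
# Added example: triage delegated permission grants for an Entra app review.
# Records mirror the Microsoft Graph oauth2PermissionGrant shape; all values are constructed.
SENSITIVE_PREFIXES = ("Mail.", "Files.", "Sites.", "Calendars.", "Directory.")  # assumption

GRANTS = [  # constructed sample data
    {"clientId": "sp-001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "sp-002", "consentType": "Principal", "principalId": "user-17",
     "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-002", "consentType": "Principal", "principalId": "user-22",
     "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-003", "consentType": "Principal", "principalId": "user-05",
     "scope": "openid profile User.Read"},
]
APPS = {  # constructed: display name and named owner per service principal
    "sp-001": {"name": "Example AI Notetaker", "owner": None},
    "sp-002": {"name": "Example Scheduler", "owner": "ops@client.example"},
    "sp-003": {"name": "Example Survey Tool", "owner": None},
}

def triage(grants, apps):
    """Merge grants per app and return review rows, highest priority first."""
    merged = {}
    for g in grants:
        row = merged.setdefault(g["clientId"], {"scopes": set(), "tenant_wide": False, "users": set()})
        row["scopes"].update(g["scope"].split())  # scope is a space-delimited string
        if g["consentType"] == "AllPrincipals":   # admin consent on behalf of all users
            row["tenant_wide"] = True
        elif g["principalId"]:
            row["users"].add(g["principalId"])
    rows = []
    for client_id, row in merged.items():
        sensitive = sorted(s for s in row["scopes"] if s.startswith(SENSITIVE_PREFIXES))
        write_all = [s for s in sensitive if "Write" in s or s.endswith(".All")]
        app = apps.get(client_id, {"name": client_id, "owner": None})
        # Weights (assumed): tenant-wide 2, write/.All on sensitive data 2, any sensitive 1, no owner 1.
        score = 2 * row["tenant_wide"] + 2 * bool(write_all) + bool(sensitive) + (app["owner"] is None)
        rows.append({"app": app["name"], "score": score, "sensitive": sensitive,
                     "tenant_wide": row["tenant_wide"], "users": len(row["users"]),
                     "owner": app["owner"]})
    return sorted(rows, key=lambda r: (-r["score"], r["app"]))

if __name__ == "__main__":
    for r in triage(GRANTS, APPS):
        print(r)
```

Application (app-only) permissions are recorded separately as app role assignments and need their own pass.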

Browser data and extensions

Browser data is often where the real SaaS map lives.

Depending on the client's environment and consent, useful signals can include managed browser extension inventory, browser management reports, DNS or secure web gateway categories, and browser history reporting from approved management tools.

This is sensitive data. Treat it carefully. The audit should answer whether client data is moving into unapproved systems and whether the business is paying for duplicate tools.

Keep the output at the app and category level unless there is a specific security reason to go deeper.

SSO, IdP, and login records

If the client uses single sign-on, it can reveal which SaaS apps are actively accessed, which departments use them, and which tools have not been touched in months.

Useful signals include:

  • Last login date by app.
  • Assigned users versus active users.
  • Groups or departments using each app.
  • Apps outside the approved catalog.
  • Failed login patterns that suggest abandoned tools.

The caveat is simple: not every app uses SSO. The messiest tools are often bought outside IT and logged into with personal or unmanaged accounts.

Finance exports

Finance data catches what identity misses.

Ask for exports from the accounting system, corporate card platform, expense tool, and vendor payment reports. Search for monthly software charges, AI subscriptions, collaboration tools, storage tools, design tools, video tools, automation tools, and odd vendor names that do not appear in IT records.

This is where clients often learn they are paying for the same category three times.

Do not stop at the vendor name. For each charge, ask who owns it, who uses it, what data lives there, when it renews, whether it is approved, and whether it duplicates a standard tool.

A finance export turns a technical audit into a renewal conversation.

Endpoint inventory

The RMM still belongs in the audit. Use endpoint inventory for installed desktop apps, unmanaged utilities, local sync clients, remote access tools, browser installs, and device-level evidence that supports the wider SaaS picture.

Endpoint data is especially useful when paired with finance and identity data. If finance shows a paid tool, Entra shows no SSO, and endpoint inventory shows local use across twenty devices, you have a real finding.

SaaS management tools

Dedicated SaaS management products can speed up discovery by combining browser, desktop, usage, app catalog, AI visibility, and shadow IT signals. ScalePad's SaaS Management page, for example, talks about desktop application usage, browser engagement visibility, AI tool detection, shadow IT surfacing, license optimization, and QBR or renewal workflows.

The buying test is practical: does the tool help your team create a better decision with less manual cleanup, or does it only produce a prettier app list?

Client interviews

Do not skip the human part.

Interview finance, operations, department leads, and a few power users. Ask where work actually happens, which tools are annoying, which tools are essential, what renewals are coming up, and where people use AI because the official process is too slow.

The interview often explains the data. A duplicate tool might be waste, or it might be the only thing keeping a department moving because the approved tool was never configured correctly.

Score findings by action, not drama

A SaaS audit can create a giant risk list fast. That is not helpful.

Use a simple scoring model:

| Finding type | Action |
| --- | --- |
| Unused paid license | Remove, downgrade, or reassign before renewal. |
| Duplicate subscription | Consolidate or document the exception. |
| Unapproved AI tool | Review data exposure, policy, training, and approved alternatives. |
| Broad app permissions | Review consent, owner, business need, and revocation plan. |
| Department-owned tool | Assign owner, support boundary, and renewal path. |
| Critical tool with no owner | Add to roadmap, documentation, and vendor management. |
| Tool outside backup or retention plan | Decide whether to protect, migrate, or accept the risk. |

Then translate each finding into one of four client decisions:

  1. Stop paying. Cancel, downgrade, or consolidate.
  2. Keep and govern. Assign owner, policy, access, and renewal rules.
  3. Fix and fund. Quote cleanup, migration, training, security, or adoption work.
  4. Accept the risk. Document the decision and revisit it later.

That last option matters. Not every finding deserves a project. Some deserve a note, a date, and an owner.

Turn the audit into QBR notes, roadmap work, and renewal cleanup

The audit is not complete until the findings land somewhere useful.

For each client, create three outputs.

1. QBR notes

Write the client-facing story in plain language:

  • "You are paying for two project-management tools. One has 4 active users and renews next month."
  • "Twenty-three users touched unapproved AI tools in the last 30 days. We need an acceptable-use decision before this becomes normal."
  • "A third-party app has broad Microsoft 365 permissions and no business owner."

This is the difference between a technical report and an executive conversation. If your QBRs already struggle, read why MSP QBRs fail before the meeting starts.

2. Roadmap items

Move the durable work into the roadmap:

  • SaaS catalog cleanup.
  • AI governance policy.
  • Microsoft Entra app consent review.
  • License optimization before renewal.
  • Tool consolidation project.
  • Browser and extension management rollout.
  • SaaS backup or retention decision.
  • Department owner and renewal register.

A roadmap item should have an owner, timing, rough budget, and reason.

3. Quoted cleanup

Some findings should become quotes.

Good quote candidates include:

  • Microsoft 365 license cleanup.
  • Entra app permission review.
  • AI governance package.
  • SaaS consolidation project.
  • Browser management rollout.
  • Tool migration or decommissioning.
  • Renewal cleanup sprint before a major contract date.

This is where Scopable fits: turning assessment evidence, client context, roadmap timing, and service boundaries into quote-ready work. If that is the part your team keeps doing manually, join the Scopable early access.

A field checklist for MSPs

Use this sequence on the first client before trying to make it perfect:

  1. Pick one client with visible software spend or renewal pressure.
  2. Define the audit question and date range.
  3. Pull Microsoft 365 usage data.
  4. Review Entra enterprise apps and permissions.
  5. Export finance software charges.
  6. Review endpoint installed apps and browser signals.
  7. Interview finance, operations, and one department lead.
  8. Group findings by duplicate, unused, unapproved, risky, and ownerless.
  9. Attach each finding to a decision: stop, govern, fund, or accept.
  10. Convert the funded items into roadmap notes and quote candidates.

The first audit should prove whether the client will make decisions from the evidence.
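Step 8 of the checklist, sketched as an added example that is not from the original article: it joins a finance export, SSO activity and endpoint inventory, then groups apps as duplicate, unused, unapproved or ownerless (the "risky" group comes from the permission review and is left out here). All records, field names and the 25% usage threshold are constructed assumptions.

```python
# Added example: group audit findings from overlapping sources (checklist step 8).
# All records are constructed; field names and thresholds are assumptions.
from collections import defaultdict

APPROVED = {"Example PM Suite", "Example Chat"}  # client's approved catalog
FINANCE = [  # software charges from the finance export
    {"app": "Example PM Suite", "category": "project-mgmt", "seats": 40, "owner": "ops lead"},
    {"app": "Example Boards", "category": "project-mgmt", "seats": 10, "owner": None},
    {"app": "Example AI Writer", "category": "ai-assistant", "seats": 5, "owner": "marketing"},
]
SSO_ACTIVE = {"Example PM Suite": 31, "Example Boards": 0}  # active users in the date range
ENDPOINT_DEVICES = {"Example AI Writer": 20, "Example Sync Client": 3}  # devices showing use

def group_findings(finance, sso_active, endpoint_devices, approved, min_use=0.25):
    """Return {group: [app, ...]} for duplicate, unused, unapproved and ownerless."""
    groups = defaultdict(list)
    by_category = defaultdict(list)
    for row in finance:
        by_category[row["category"]].append(row["app"])
    for row in finance:
        app = row["app"]
        # Usage evidence: SSO actives, else endpoint device count (the app may bypass SSO).
        active = max(sso_active.get(app, 0), endpoint_devices.get(app, 0))
        if len(by_category[row["category"]]) > 1 and app not in approved:
            groups["duplicate"].append(app)
        if row["seats"] and active / row["seats"] < min_use:
            groups["unused"].append(app)
        if app not in approved and active > 0:
            groups["unapproved"].append(app)
        if row["owner"] is None:
            groups["ownerless"].append(app)
    # Apps seen on endpoints but absent from finance and the catalog: in use, unknown payer.
    paid = {row["app"] for row in finance}
    for app in sorted(set(endpoint_devices) - paid - approved):
        groups["unapproved"].append(app)
    return dict(groups)

if __name__ == "__main__":
    for group, apps in group_findings(FINANCE, SSO_ACTIVE, ENDPOINT_DEVICES, APPROVED).items():
        print(group, apps)
```

Each grouped app still needs a client decision from step 9; the script only sorts the evidence.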
