OneDrive
The Microsoft OneDrive Cloud Sensor uses Microsoft APIs to provide visibility into data movements within OneDrive. It is designed similarly to the Exchange Online Cloud Sensor (previously Microsoft 365 Cloud Sensor) and uses a Microsoft Entra Enterprise application to read events and user information from your organization's Microsoft Entra tenant. While the Exchange Online Cloud Sensor focuses on email activities and attachments, the OneDrive Sensor gives you visibility into activities such as downloading and sharing OneDrive files, including on unmanaged devices where the endpoint sensor is not present.
The sensor maintains the data lineage by correlating these events with those collected by browser extensions.
Prerequisites
Before you connect Cyberhaven to OneDrive, you must have the following:
- Cyberhaven Browser Extension version 25.3 or higher
- Global Administrator privileges in Entra ID
- Audit logging enabled in Office 365 for your organization
Cyberhaven requires the following permissions to read the events and collect the metadata.
| Permission | Requirement |
|---|---|
| User.ReadBasic.All | To collect basic information of users in the organization. |
| Organization.Read.All | To collect basic information about the organization, such as tenant ID and domain name. |
| User.Read | To collect user information for events. |
| ActivityFeed.Read | To track user actions from the OneDrive audit logs. |
| Files.ReadWrite.All | This permission is not currently used but will be required for future sensor capabilities. |
The OneDrive Cloud Sensor relies on the audit log API to track user activities within OneDrive. To enable audit logging in Office 365, follow the instructions in the official Microsoft documentation.
Connecting Cyberhaven to OneDrive
To connect Cyberhaven with your Microsoft 365 tenant, log in to your Cyberhaven console and follow these steps:
- Create a support ticket in the Cyberhaven support portal requesting the connector be enabled on the backend.
- Click on the cloud icon located near the bottom left of the navigation bar.
- Click on Connect next to OneDrive.
- In the pop-up window, authenticate with your Office 365 credentials using an account with Global Administrator rights. Please note that you only need a Global Administrator to approve the Cyberhaven app for the purpose of the integration. The integration does not require a service account with global admin privileges. More details are available here.
- Grant permissions to the Cyberhaven-OneDrive-connector <customer name> application. For information about the required permissions, see Permissions.
- You should receive a message confirming the installation was successful.
- Click on the Microsoft 365 tenant from the Cloud Sensors list.
- Select Enable automatic monitoring for all users or select from the list of users you want to monitor.
Cyberhaven will begin to retrieve OneDrive events for the last 7 days, which is the maximum duration supported by the Microsoft Management API. Note that it may take up to one hour for the events to start showing in the Cyberhaven console.
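Once consent has been granted, the permissions the connector application actually holds can be compared with the table in Prerequisites. The following is an added example, not Cyberhaven or Microsoft code: it assumes you have exported the application's app role assignments, its delegated permission grants and the resource service principals from Microsoft Graph as JSON, and every ID in the sample data is a constructed placeholder. Because the page does not say which permissions are delegated and which are application-level, the script resolves both kinds.

```python
# Added example: audit consented permissions against the documented table.
# All IDs below are constructed placeholders, not real tenant or role IDs.
DOCUMENTED = {"User.ReadBasic.All", "Organization.Read.All", "User.Read",
              "ActivityFeed.Read", "Files.ReadWrite.All"}
UNUSED = {"Files.ReadWrite.All"}  # documented as not currently used

def granted_permissions(resource_sps, app_role_assignments, oauth2_grants):
    """Resolve application and delegated grants to permission names."""
    role_names = {(sp["id"], r["id"]): r["value"]
                  for sp in resource_sps for r in sp.get("appRoles", [])}
    granted = set()
    for a in app_role_assignments:  # application permissions are GUID references
        key = (a["resourceId"], a["appRoleId"])
        granted.add(role_names.get(key, "unresolved:" + a["appRoleId"]))
    for g in oauth2_grants:  # delegated scopes are a space-separated string
        granted.update((g.get("scope") or "").split())
    return granted

def audit(granted):
    """Compare granted permissions with the documented set."""
    return {"missing": sorted(DOCUMENTED - granted),
            "unexpected": sorted(granted - DOCUMENTED),
            "granted_but_unused": sorted(granted & UNUSED)}

# Constructed sample shaped like Microsoft Graph servicePrincipal,
# appRoleAssignment and oauth2PermissionGrant objects.
RESOURCE_SPS = [
    {"id": "sp-graph", "appRoles": [
        {"id": "role-org", "value": "Organization.Read.All"},
        {"id": "role-files", "value": "Files.ReadWrite.All"},
        {"id": "role-mail", "value": "Mail.Read"}]},
    {"id": "sp-o365-mgmt", "appRoles": [
        {"id": "role-feed", "value": "ActivityFeed.Read"}]},
]
ASSIGNMENTS = [
    {"resourceId": "sp-graph", "appRoleId": "role-org"},
    {"resourceId": "sp-graph", "appRoleId": "role-files"},
    {"resourceId": "sp-graph", "appRoleId": "role-mail"},  # drift from the table
    {"resourceId": "sp-o365-mgmt", "appRoleId": "role-feed"},
]
GRANTS = [{"consentType": "AllPrincipals", "scope": "User.Read"}]

if __name__ == "__main__":
    report = audit(granted_permissions(RESOURCE_SPS, ASSIGNMENTS, GRANTS))
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Any entry under `unexpected` or beginning with `unresolved:` is a grant the documentation does not account for and is worth reviewing; `granted_but_unused` tracks the write-capable permission the table lists as reserved for future capabilities.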