OneDrive
Cyberhaven integrates with Microsoft OneDrive to provide visibility into data movement within OneDrive, including downloads, sharing actions, and activities from unmanaged devices. This integration uses a Microsoft Entra Enterprise application to read events and user information from your organization’s Microsoft Entra tenant.
Like the Exchange Online Cloud Sensor, the OneDrive Cloud Sensor requires elevated privileges within your Microsoft Entra environment. No service accounts are required — a user with Global Administrator rights in Entra ID can link Cyberhaven to OneDrive. Once linked, the integration creates a new application with its own credentials in your Azure tenant.
Requirements
The application requires the following permissions to function properly:
| Permission | Purpose |
|---|---|
| User.ReadBasic.All | Collect basic information of users in the organization |
| Organization.Read.All | Collect tenant ID and domain information |
| User.Read | Sign in and read user profiles |
| ActivityFeed.Read | Track user actions from OneDrive audit logs |
| Files.ReadWrite.All | Reserved for future capabilities — does not modify files |
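After consent, you can compare what the enterprise application actually holds against the table above. The following is an added example, not Cyberhaven's code: it assumes you have exported the service principal's `appRoleAssignments` and `oauth2PermissionGrants` from Microsoft Graph, and every ID and grant in the sample data is constructed.

```python
# Permissions documented in the table above.
DOCUMENTED = {
    "User.ReadBasic.All", "Organization.Read.All", "User.Read",
    "ActivityFeed.Read", "Files.ReadWrite.All",
}

def granted_permissions(app_role_assignments, oauth2_grants, resource_sps):
    """Resolve the permission names a service principal holds.

    app_role_assignments: 'value' list from /servicePrincipals/{id}/appRoleAssignments
    oauth2_grants:        'value' list from /servicePrincipals/{id}/oauth2PermissionGrants
    resource_sps:         {resourceId: resource servicePrincipal object with 'appRoles'}
    """
    granted = set()
    for a in app_role_assignments:  # application permissions are stored as role IDs
        roles = {r["id"]: r["value"]
                 for r in resource_sps.get(a["resourceId"], {}).get("appRoles", [])}
        granted.add(roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"]))
    for g in oauth2_grants:  # delegated permissions are one space-separated string
        granted.update(g.get("scope", "").split())
    return granted

def review(granted):
    """Diff granted permissions against the documented set."""
    return {
        "unexpected": sorted(granted - DOCUMENTED),
        "not_granted": sorted(DOCUMENTED - granted),
        # Name-based heuristic (an assumption of this example) for write access.
        "write_capable": sorted(p for p in granted
                                if "Write" in p or "FullControl" in p),
    }

# Constructed sample input; the extra Sites.FullControl.All grant is included
# only to exercise the "unexpected" path.
SAMPLE_RESOURCES = {"res-1": {"appRoles": [
    {"id": "role-a", "value": "Files.ReadWrite.All"},
    {"id": "role-b", "value": "User.ReadBasic.All"},
    {"id": "role-c", "value": "Sites.FullControl.All"}]}}
SAMPLE_ASSIGNMENTS = [{"resourceId": "res-1", "appRoleId": "role-a"},
                      {"resourceId": "res-1", "appRoleId": "role-c"}]
SAMPLE_GRANTS = [{"scope": " User.Read Organization.Read.All"}]

if __name__ == "__main__":
    held = granted_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_GRANTS, SAMPLE_RESOURCES)
    for key, names in review(held).items():
        print(f"{key}: {names}")
```

Anything reported under `unexpected` or `unresolved:` warrants a closer look at the application's consent grants before the integration goes into production.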
Dependencies
- You must have Global Administrator privileges in Entra ID (formerly Azure Active Directory) to authenticate and approve the Cyberhaven application for integration with your Microsoft 365 tenant.
- Audit logging must be enabled in Office 365 for your organization. The cloud sensor relies on the audit log API to track user activities in OneDrive.
- Cyberhaven recommends using Browser Extension version 25.3 or higher. Earlier versions are supported but will show device information as “Unmanaged” in event details.
Network
Security exclusions
Limitations
- The OneDrive Cloud Sensor relies on Microsoft audit logs, so events may take several minutes to appear in Cyberhaven.
- Activities performed in OneDrive through local sync folders (e.g., OneDrive desktop client) may not be captured.
- Download and upload events may occasionally display the device as “Unmanaged” if event correlation is not possible.
- File previews or views without an explicit download action may not be logged as downloads.
- The sensor tracks activities for all users via Microsoft audit logs; it does not support filtering or limiting to specific users.