Exchange Online
Cyberhaven offers integration with Exchange Online to gain additional insight into data movement within Microsoft for emails that contain attachments. This integration uses an Azure Enterprise application to read events and user information from your organization's Azure tenant.
Establishing this connection is a simple process that requires elevated privileges within your Microsoft Entra environment. No service accounts are required to establish connectivity. Any user with Global Administrator rights in Entra ID can link Cyberhaven with Microsoft Exchange within the Cyberhaven console. So long as a user with the appropriate permissions creates the link, no separate credentials are required for the service to function — the link creates a new application with its own credentials in your Azure tenant.
Requirements
The application requires a number of permissions in order to function properly:
| Permission | Requirement |
|---|---|
| Files.Read.All | List files on a drive |
| Mail.Read | Track sent/received emails |
| User.ReadBasic.All | Ability to scan attachments |
| offline_access | Track local file objects |
| Directory.Read.All | Get a list of users to allow admins to control the tracking |
| Directory.AccessAsUser.All | Get a list of users to allow admins to control the tracking |
| Reports.Read.All | Receive a list of newly uploaded files |
Dependencies
- You must have Global Administrator privileges in Entra ID (formerly Azure Active Directory) to authenticate and approve the Cyberhaven application for integration with your Microsoft 365 tenant.
- The cloud sensor is enabled upon request. Contact Customer Support.
Network
Security exclusions
Coverage
- Track attachments when sending, receiving, and forwarding emails.
- Track email attachments in any mailbox folder except Drafts.
- Track email operations on unmanaged devices in browsers and mail apps.
- DLP content scanning is performed by the Endpoint Sensor.
Note The Cloud Connector tracks sender, recipients, and attachment metadata but does not read email body content.
Limitations
- The Exchange Online Cloud Sensor relies on Microsoft 365 audit logs, so events may take several minutes to appear in Cyberhaven.
- Only email events with attachments are tracked; emails without attachments are not processed.
- Inline images and embedded content may not be recognized as attachments.
- Historical data prior to enabling audit logging or the sensor will not be available.
- Some events may be missed if Microsoft audit logs are incomplete or delayed.