OneDrive Deployment
The Microsoft OneDrive Connector uses Microsoft APIs and a Microsoft Entra Enterprise application to provide visibility into data movements within OneDrive. While the Exchange Online Cloud Sensor focuses on email activities and attachments, the OneDrive Sensor provides visibility into activities such as downloading, uploading, opening, sharing, moving, renaming, and copying OneDrive files — including activity from unmanaged devices where the endpoint sensor is not present. The sensor maintains data lineage by correlating OneDrive events with events collected by the Cyberhaven browser extensions.
Before you begin, review the prerequisites: Microsoft OneDrive Prerequisites
Connect Cyberhaven to OneDrive
To connect your Microsoft 365 tenant, log in to your Cyberhaven Console and follow these steps:
- Click the cloud icon in the left navigation (bottom‑left).
- Click Connect next to OneDrive.
- In the pop‑up window, authenticate with your Microsoft 365 credentials using an account with Global Administrator rights. Click Next.
  - A Global Administrator is only needed to approve the Cyberhaven app for the integration. No standing service account with global admin privileges is required.
- Grant permissions to the Cyberhaven‑OneDrive‑connector application for your tenant. See the prerequisites page for the full list of required permissions.
- After successful authorization, you should receive a confirmation that installation was successful. Once installed, the sensor monitors data activity for all users on that instance.
After connection, Cyberhaven begins retrieving OneDrive events for the previous 7 days (the maximum supported by the Microsoft Management API). It can take up to one hour for events to appear in the Console.
Connect Multiple OneDrive Instances (new sensors only)
Starting with Cloud Sensor version 25.07.01, you can configure and manage multiple OneDrive instances concurrently within the Console to gain visibility across multiple environments.
Note: This capability is available only for newly added OneDrive sensors. Existing OneDrive sensors on the legacy platform support a single instance. Cyberhaven will automatically migrate these to the new platform in a future release.
- On the Cloud Sensors page, click the + (plus) symbol next to OneDrive to connect an additional instance.
- In the authentication window, sign in with credentials for the additional Microsoft 365 tenant (using an account with Global Administrator privileges).
- Grant permissions to the Cyberhaven‑OneDrive‑connector application for the additional tenant.
Repeat this process for each additional instance you need to connect. Each instance appears separately in your Cyberhaven Console.
Troubleshooting
- URL mismatch error: If you see “The reply URL specified does not match the reply URLs configured for the application,” create a support ticket in the Cyberhaven support portal to request that the connector be enabled on the backend.
- Permissions error: If consent fails due to insufficient privileges, sign in with an account that has Global Administrator rights in Entra ID to complete installation.
- No events appearing: It may take up to one hour for events to appear. Confirm Office 365 audit logging is enabled (see prerequisites) and that the connector shows as Connected in the Console.
Disconnect and remove
- To disconnect the OneDrive connector, click DISCONNECT in the connector details on the Cloud Sensors page.
- To remove the app from Microsoft Entra (Azure):
  - Sign in to your Azure tenant with administrator rights.
  - Open Enterprise applications and search for Cyberhaven‑OneDrive‑connector.
  - Select the application, then go to Manage > Properties.
  - Click Delete and confirm. If deletion fails, verify you are signed in with sufficient privileges.
Understanding app@sharepoint in event metadata
You may see some events where the user is identified as app@sharepoint. This is a system identity used by Microsoft to represent background access to files by Microsoft services or approved third‑party applications. It is not a real user.
- Why it appears: Microsoft Audit Logs sometimes record background processes or app‑based access using app@sharepoint when a real user identity is not logged.
- Can I see the real user? If Microsoft does not include the real user in the audit logs, Cyberhaven cannot infer that information.
- Common scenarios: system‑level operations, third‑party app access, anonymous link access.
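The following is an added example, not Cyberhaven's or Microsoft's code. It summarizes app@sharepoint events from an exported audit log so you can see which operations and applications sit behind them. It assumes a JSON-lines export whose records carry UserId, Operation, ObjectId, ClientIP and, optionally, ApplicationDisplayName or ApplicationId; the sample records are constructed.

```python
import json
from collections import defaultdict

SYSTEM_IDENTITY = "app@sharepoint"

# Constructed sample export (not real tenant data): one JSON record per line.
# Field names are an assumption; adjust them to match the records you export.
SAMPLE_EXPORT = """\
{"UserId": "app@sharepoint", "Operation": "FileAccessed", "ObjectId": "https://example.invalid/personal/alice/plan.docx", "ApplicationDisplayName": "Example Backup App", "ClientIP": "203.0.113.10"}
{"UserId": "APP@SharePoint", "Operation": "FileAccessed", "ObjectId": "https://example.invalid/personal/alice/budget.xlsx", "ApplicationDisplayName": "Example Backup App", "ClientIP": "203.0.113.10"}
{"UserId": "alice@example.invalid", "Operation": "FileDownloaded", "ObjectId": "https://example.invalid/personal/alice/plan.docx", "ClientIP": "198.51.100.7"}
{"UserId": "app@sharepoint", "Operation": "FileDownloaded", "ObjectId": "https://example.invalid/personal/alice/plan.docx"}
{"UserId": "app@sharepoint", "Operation":
{"UserId": "bob@example.invalid", "Operation": "FileUploaded", "ObjectId": "https://example.invalid/personal/bob/notes.txt", "ClientIP": "198.51.100.9"}
"""

def load_records(text):
    """Parse JSON-lines text; skip blank, truncated or non-object lines."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records

def is_system_identity(rec):
    """True when the record's user is the app@sharepoint placeholder."""
    return str(rec.get("UserId", "")).strip().lower() == SYSTEM_IDENTITY

def summarize(records):
    """Group app@sharepoint events by (operation, application)."""
    groups = defaultdict(lambda: {"count": 0, "objects": set(), "ips": set()})
    for rec in filter(is_system_identity, records):
        # Application fields are optional; fall back to "unknown" if absent.
        app = rec.get("ApplicationDisplayName") or rec.get("ApplicationId") or "unknown"
        group = groups[(rec.get("Operation", "unknown"), app)]
        group["count"] += 1
        group["objects"].update(filter(None, [rec.get("ObjectId")]))
        group["ips"].update(filter(None, [rec.get("ClientIP")]))
    return dict(groups)

if __name__ == "__main__":
    for (operation, app), g in sorted(summarize(load_records(SAMPLE_EXPORT)).items()):
        print(f"{operation:15} {app:20} events={g['count']} "
              f"files={len(g['objects'])} ips={sorted(g['ips'])}")
```

Groups reported as unknown carry no application context in the record, which is the limit described above: if Microsoft did not log the real user, it cannot be recovered from the event.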