OneDrive

Cyberhaven integrates with Microsoft OneDrive to provide visibility into data movement within OneDrive, including downloads, sharing actions, and activities from unmanaged devices. This integration uses a Microsoft Entra Enterprise application to read events and user information from your organization’s Microsoft Entra tenant.

Like the Exchange Online Cloud Sensor, the OneDrive Cloud Sensor requires elevated privileges within your Microsoft Entra environment. No service accounts are required — a user with Global Administrator rights in Entra ID can link Cyberhaven to OneDrive. Once linked, the integration creates a new application with its own credentials in your Azure tenant.

Requirements

The application requires the following to function properly:

Permission              Requirement
User.ReadBasic.All      Collect basic information of users in the organization
Organization.Read.All   Collect tenant ID and domain information
User.Read               Sign in and read user profiles
ActivityFeed.Read       Track user actions from OneDrive audit logs
Files.ReadWrite.All     Reserved for future capabilities — does not modify files
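
A post-consent check for the permissions listed above, added here as an example and not Cyberhaven's or Microsoft's code: it compares the scopes actually granted to the application with the documented list and flags write-capable ones. It assumes the grants were exported as delegated grants in the shape of a Microsoft Graph oauth2PermissionGrants listing; the sample JSON, its placeholder IDs and the function names are constructed for illustration.

```python
import json

# Permissions listed in the Requirements table on this page.
DOCUMENTED = {
    "User.ReadBasic.All",
    "Organization.Read.All",
    "User.Read",
    "ActivityFeed.Read",
    "Files.ReadWrite.All",
}

# Constructed sample shaped like an oauth2PermissionGrants listing for one
# service principal. All IDs are placeholders, not values from a real tenant.
SAMPLE_GRANTS = json.dumps({"value": [
    {"clientId": "APP-SP-PLACEHOLDER", "consentType": "AllPrincipals",
     "resourceId": "GRAPH-SP-PLACEHOLDER",
     "scope": "User.Read User.ReadBasic.All Organization.Read.All "
              "Files.ReadWrite.All Mail.Read"},
    {"clientId": "APP-SP-PLACEHOLDER", "consentType": "Principal",
     "principalId": "USER-PLACEHOLDER", "resourceId": "GRAPH-SP-PLACEHOLDER",
     "scope": " User.Read "},
]})

# Verb segments that grant more than read access (heuristic, an assumption).
WRITE_VERBS = {"ReadWrite", "Write", "Manage", "FullControl", "Send"}


def is_write_capable(scope):
    """True if any segment after the resource name is a write-type verb."""
    return any(part in WRITE_VERBS for part in scope.split(".")[1:])


def audit_grants(grants_json, documented=frozenset(DOCUMENTED)):
    """Merge scopes across all grants and compare with the documented set."""
    granted = set()
    for grant in json.loads(grants_json).get("value", []):
        # "scope" is a space-separated string and may be empty or padded.
        granted |= set((grant.get("scope") or "").split())
    return {
        "unexpected": sorted(granted - documented),   # not in the table
        "missing": sorted(documented - granted),      # in the table, not granted
        "write_capable": sorted(s for s in granted if is_write_capable(s)),
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_GRANTS), indent=2))
```

A permission reported as missing may be granted on a different resource or as an application permission, neither of which this delegated-grant listing covers.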

Dependencies

  • You must have Global Administrator privileges in Entra ID (formerly Azure Active Directory) to authenticate and approve the Cyberhaven application for integration with your Microsoft 365 tenant.
  • Audit logging must be enabled in Office 365 for your organization. The cloud sensor relies on the audit log API to track user activities in OneDrive.
  • Cyberhaven recommends using Browser Extension version 25.3 or higher. Earlier versions are supported but will show device information as “Unmanaged” in event details.

Network

Security exclusions

Coverage

The OneDrive Cloud Sensor provides visibility into the following activities:

  • Downloading, uploading, opening
  • Sharing
  • Moving, renaming, copying files

Cyberhaven correlates cloud sensor and browser extension events to determine if OneDrive data was accessed from an unmanaged device. As a result, file uploads or downloads to endpoints where the Cyberhaven sensor is not present are classified as an unmanaged endpoint under destination locations.

To view events from unmanaged devices, go to the Risks Overview page and filter using the Unmanaged destination category.

Metadata collected

The sensor collects the following metadata: cloud app, domain, file path, event ID, file ID, request ID. For Unmanaged devices, the cloud sensor records the external device IP address (IPv4 or IPv6), as provided by Microsoft Audit Log events. The sensor correlates related events using the request ID.

Limitations

  • Events are sourced from Microsoft audit logs and may take several minutes to appear in Cyberhaven.
  • Activities performed via the OneDrive Sync Client (local sync folders) are not tracked by the cloud connector.
  • Creating a new file in OneDrive in a browser may be reported as “Unmanaged” if the browser extension does not record the creation event.
  • Download and upload events may occasionally display the device as “Unmanaged” if event correlation is not possible.
  • Moving multiple files at once can break data lineage.
  • File previews or views without an explicit download action may not be logged as downloads.
  • Exported CSVs for Unmanaged events do not include the Location type.
  • Due to changes or delays in Microsoft APIs, some events may be misclassified as downloaded to an unmanaged device even when the device is managed by Cyberhaven.
  • The sensor tracks activities for all users via Microsoft audit logs; it does not support filtering or limiting to specific users.