Microsoft Purview
Cyberhaven integrates with Microsoft Purview to synchronize your organization’s Microsoft Sensitivity Labels into the Cyberhaven Console. The Purview Cloud Sensor uses Microsoft APIs and a Microsoft Entra Enterprise application to read label definitions and related metadata, ensuring labels are available for use in datasets and detections.
The sensor automatically synchronizes available sensitivity labels from Microsoft Purview every two hours. You can configure and manage multiple Microsoft Purview instances concurrently in the Console.
Requirements
The application requires the following Microsoft Graph and Office 365 Management API permissions:
| Permission | Requirement |
|---|---|
| InformationProtectionPolicy.Read.All (Application) | Read published sensitivity labels and label policies to understand how labels are defined |
| SensitivityLabels.Read.All (Application) | Read label definitions tenant‑wide to list sensitivity labels across all users |
| SensitivityLabel.Read (Application) | Read sensitivity label metadata, including scope and properties, for user‑scoped listings |
| SensitivityLabel.Evaluate (Application) | Discover and evaluate keys applied to labels for the signed‑in user |
| SensitivityLabel.Evaluate.All (Application) | Evaluate sensitivity labels and keys across the entire tenant |
| Organization.Read.All (Application) | Read tenant‑level details (name, domains) to display accurate organizational information |
| User.Read (Delegated) | Sign in and read the current user’s profile to display which account connected the sensor |
| User.ReadBasic.All (Application) | Planned for future use to provide accurate user info for label‑specific activities |
| AuditLogsQuery.Read.All (Application) | Reserved for future use to ingest detailed audit logs from Microsoft 365 services |
| SecurityEvents.Read.All (Application) | Reserved for future enrichment with Microsoft 365 security alerts |
| ActivityFeed.Read (Application, Office 365 Management API) | Reserved for future use to capture events from the Unified Audit Log |
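An added example (not Cyberhaven's or Microsoft's code) for reviewing what the enterprise application was actually granted against the table above: it resolves app role assignments to permission names, adds delegated scopes, and reports missing, reserved-but-granted and undocumented permissions. The input shapes follow Microsoft Graph's appRoleAssignments and oauth2PermissionGrants resources; the flattened role map, the function names and all sample IDs are constructed assumptions.

```python
APP, DEL = "Application", "Delegated"
# Permissions from the table on this page, as (name, type) pairs.
ACTIVE = {(n, APP) for n in (
    "InformationProtectionPolicy.Read.All", "SensitivityLabels.Read.All",
    "SensitivityLabel.Read", "SensitivityLabel.Evaluate",
    "SensitivityLabel.Evaluate.All", "Organization.Read.All")} | {("User.Read", DEL)}
# Rows the table marks as planned or reserved for future use.
RESERVED = {(n, APP) for n in (
    "User.ReadBasic.All", "AuditLogsQuery.Read.All",
    "SecurityEvents.Read.All", "ActivityFeed.Read")}

def granted_permissions(assignments, resource_roles, delegated_grants):
    """Resolve appRoleAssignments (GUIDs) to names; add oauth2PermissionGrants scopes."""
    granted = set()
    for a in assignments:
        names = resource_roles.get(a["resourceId"], {})
        # Keep unresolved GUIDs visible instead of silently dropping them.
        granted.add((names.get(a["appRoleId"], "unresolved:" + a["appRoleId"]), APP))
    for g in delegated_grants:
        granted.update((s, DEL) for s in g["scope"].split())
    return granted

def audit(granted):
    """Compare what is granted with what the table documents."""
    documented = ACTIVE | RESERVED
    return {
        "missing": sorted(n for n, t in documented - granted),
        "reserved_granted": sorted(n for n, t in RESERVED & granted),
        "undocumented": sorted(f"{n} ({t})" for n, t in granted - documented),
    }

# Constructed sample shaped like Graph responses; every ID below is made up.
# Assumed pre-flattened from each resource service principal's appRoles list.
SAMPLE_ROLES = {  # resource service principal id -> {appRoleId: permission name}
    "sp-graph": {"r1": "SensitivityLabels.Read.All", "r2": "Organization.Read.All",
                 "r3": "AuditLogsQuery.Read.All", "r4": "Mail.Read"},
    "sp-o365-mgmt": {"r5": "ActivityFeed.Read"},
}
SAMPLE_ASSIGNMENTS = [{"resourceId": sp, "appRoleId": r}
                      for sp, roles in SAMPLE_ROLES.items() for r in roles]
SAMPLE_DELEGATED = [{"scope": "User.Read openid"}]

if __name__ == "__main__":
    granted = granted_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES, SAMPLE_DELEGATED)
    for key, names in audit(granted).items():
        print(key + ": " + (", ".join(names) or "-"))
```

A permission granted with a different type than the table lists (for example User.Read as Application) shows up as both missing and undocumented, which is the signal to re-check the consent.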
Dependencies
- You must have Global Administrator privileges in Entra ID (Azure AD) to authenticate and approve the Cyberhaven application for integration with your Microsoft 365 tenant.
- The Purview Cloud Sensor is available upon request. Contact Cyberhaven Support to enable the connector on the backend.
- To use synced labels in datasets, ensure the sensor version is 25.08 or higher.
Network
Security exclusions
Limitations
- Do not disconnect the Purview Cloud Sensor if its synced labels are used in any existing datasets. Remove synced labels from all datasets before disconnecting.
- If a sensitivity label is removed in Purview, it may continue to appear in the Sensitivity Labels table; remove deleted labels from any datasets to avoid unexpected behavior.
- Metadata such as label names may continue to appear on lineage events even after the Purview sensor is deleted. This will be addressed in a future patch.
- If you encounter an authentication error during onboarding, verify that the user has Global Administrator privileges and try again. If authentication fails more than twice, contact Cyberhaven Support.
- Changes to sensitivity labels in Purview can take up to two hours to appear in Cyberhaven due to API propagation and the sync interval.