SharePoint
Cyberhaven integrates with Microsoft SharePoint to provide visibility into data movement and user activity within SharePoint sites. The SharePoint Cloud Sensor uses Microsoft APIs and a Microsoft Entra Enterprise application to read events and user information from your organization’s tenant, similar to Exchange Online and OneDrive.
Like other Microsoft 365 Cloud Sensors, the SharePoint sensor maintains data lineage by correlating SharePoint events with events collected by the Cyberhaven browser extensions. Starting with version 25.07, you can configure multiple SharePoint instances concurrently in the Console.
Requirements
The application requires the following permissions to function:
| Permission | Requirement |
|---|---|
| User.ReadBasic.All | Collect basic information of users in the organization |
| Organization.Read.All | Collect tenant ID and domain information |
| User.Read | Sign in and read user profiles |
| ActivityFeed.Read | Track user actions via SharePoint/Office 365 audit logs |
| Files.ReadWrite.All | Reserved for future capabilities — the sensor does not delete or modify files with this permission |
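To confirm after consent that the Enterprise application holds exactly the permissions in the table above, the following added example (not Cyberhaven or Microsoft code) compares an exported set of grants against the documented list. It assumes the export follows the Microsoft Graph oauth2PermissionGrants and appRoleAssignments response shapes. The sample IDs, the extra Mail.Read scope, and the split between delegated and application grants are constructed, since this page does not state which type each permission uses.

```python
import json

# Permissions listed in the Requirements table on this page.
DOCUMENTED = {"User.ReadBasic.All", "Organization.Read.All", "User.Read",
              "ActivityFeed.Read", "Files.ReadWrite.All"}

def granted_permissions(delegated, app_assignments, resource_roles):
    """Collect permission names from both consent types.

    delegated:       'value' list of oauth2PermissionGrants (space-separated 'scope')
    app_assignments: 'value' list of appRoleAssignments ('appRoleId', 'resourceId')
    resource_roles:  {resourceId: appRoles list of that resource service principal}
    """
    names = set()
    for grant in delegated:
        names.update((grant.get("scope") or "").split())
    for a in app_assignments:
        roles = {r["id"]: r["value"] for r in resource_roles.get(a["resourceId"], [])}
        # Keep unresolved role IDs visible instead of silently dropping them.
        names.add(roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"]))
    return names

def review(granted):
    """Report drift between what was granted and what the page documents."""
    return {
        "missing": sorted(DOCUMENTED - granted),
        "unexpected": sorted(granted - DOCUMENTED),
        # Write scopes deserve a second look; the page says Files.ReadWrite.All
        # is reserved and not used to modify or delete files.
        "write_capable": sorted(p for p in granted if "Write" in p),
    }

# Constructed sample export (placeholder IDs, not real tenant data).
SAMPLE = json.loads("""
{
  "delegated": [{"consentType": "AllPrincipals", "resourceId": "res-graph",
    "scope": "User.Read User.ReadBasic.All Organization.Read.All Files.ReadWrite.All Mail.Read"}],
  "app_assignments": [{"resourceId": "res-o365-mgmt", "appRoleId": "role-0001"},
                      {"resourceId": "res-graph", "appRoleId": "role-9999"}],
  "resource_roles": {"res-o365-mgmt": [{"id": "role-0001", "value": "ActivityFeed.Read"}],
                     "res-graph": []}
}
""")

if __name__ == "__main__":
    granted = granted_permissions(SAMPLE["delegated"], SAMPLE["app_assignments"],
                                  SAMPLE["resource_roles"])
    print(json.dumps(review(granted), indent=2))
```

An empty "missing" list together with an empty "unexpected" list means the consented permissions match the table; anything under "unexpected" is access the documented integration does not call for.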
Dependencies
- You must have Global Administrator privileges in Microsoft Entra ID (Azure AD) to authenticate and approve the Cyberhaven application for integration with your Microsoft 365 tenant.
- Office 365 audit logging must be enabled for your organization. The cloud sensor relies on the audit log API to track user activities within SharePoint.
- Event lineage is compatible with all Cyberhaven browser extension versions (25.7.1 and newer, as well as earlier releases). Upgrading to the latest version is recommended.
Network
Security exclusions
Coverage
The SharePoint Cloud Sensor provides visibility into the following activities:
- Downloading, uploading, opening
- Sharing
- Moving, renaming, copying files
Event lineage is compatible with all Cyberhaven browser extension versions; upgrading to the latest extension is recommended.
Metadata collected
The sensor collects the following metadata: cloud app, domain, file path, event ID, file ID, request ID. The request ID helps correlate browser and cloud sensor events.
Limitations
- The SharePoint Cloud Sensor shares the same limitations and expected behaviors as the OneDrive Cloud Sensor (for example, sync client exclusions, lineage gaps when moving multiple files, and API‑driven misclassifications). See the Microsoft OneDrive Cloud Sensor article for the full list.