SharePoint Deployment

The Microsoft SharePoint Cloud Sensor uses Microsoft APIs and a Microsoft Entra Enterprise application to provide visibility into data movements within SharePoint sites. It is similar to Exchange Online and OneDrive Cloud Sensors and maintains data lineage by correlating SharePoint events with events collected by the Cyberhaven browser extensions.

Before you begin, review the prerequisites: Microsoft SharePoint Prerequisites

Connect Cyberhaven to SharePoint

To connect your Microsoft 365 tenant, log in to your Cyberhaven Console and follow these steps:

  1. Click the cloud icon in the left navigation (bottom‑left).
  2. Click the + (plus) symbol next to SharePoint to connect an instance.
  3. In the pop‑up window, authenticate with your Microsoft 365 credentials using an account with Global Administrator rights.
    • A Global Administrator is only needed to approve the Cyberhaven app for the integration. No standing service account with global admin privileges is required.
  4. Grant permissions to the Cyberhaven‑SharePoint‑connector application for your tenant. See the prerequisites page for the full list of required permissions.
  5. After successful authorization, the connected tenant appears in the Cloud Sensors list.

After connection, Cyberhaven begins retrieving SharePoint events for the previous 7 days (the maximum supported by the Microsoft Management API). It can take up to one hour for events to appear in the Console.
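
To review what the consent in step 4 actually granted, the following added example (not part of the Cyberhaven documentation) lists the application and delegated permissions held by the connector's enterprise application, using the Microsoft Graph PowerShell module. It assumes the display name matches the name shown on this page when typed with ASCII hyphens.

```powershell
# Added example: audit the permissions granted to the connector's enterprise app.
# Requires the Microsoft.Graph PowerShell module; read-only scopes are sufficient.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Assumption: display name as shown on this page, typed with ASCII hyphens.
$displayName = 'Cyberhaven-SharePoint-connector'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$displayName'"
if (-not $sp) { throw "No enterprise application named '$displayName' in this tenant." }
if (@($sp).Count -gt 1) { throw 'More than one service principal matches; review each by Id.' }

# Application permissions (app role assignments) held by the connector.
# Each assignment stores only a role GUID, so resolve it against the
# resource API's service principal to get the readable permission name.
$resources = @{}
$appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $assignment = $_
        if (-not $resources.ContainsKey($assignment.ResourceId)) {
            $resources[$assignment.ResourceId] =
                Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        }
        $role = $resources[$assignment.ResourceId].AppRoles |
            Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Type       = 'Application'
            Resource   = $assignment.ResourceDisplayName
            Permission = $role.Value
        }
    }

# Delegated permissions (OAuth2 grants); Scope is a space-separated string.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    ForEach-Object {
        $grant = $_
        $grant.Scope -split ' ' | Where-Object { $_ } | ForEach-Object {
            [pscustomobject]@{
                Type       = "Delegated ($($grant.ConsentType))"
                Resource   = $grant.ResourceId
                Permission = $_
            }
        }
    }

@($appPerms) + @($delegated) | Sort-Object Type, Permission | Format-Table -AutoSize
```

Compare the output against the permission list on the prerequisites page; any permission not listed there warrants review. For multiple connected tenants, run it once per tenant.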

Connect Multiple SharePoint Instances

Starting with Cloud Sensor version 25.07, you can configure and manage multiple SharePoint instances concurrently within the Console to gain visibility across multiple environments.

  1. On the Cloud Sensors page, click the + (plus) symbol next to SharePoint to connect an additional instance.
  2. In the authentication window, sign in with credentials for the additional Microsoft 365 tenant (using an account with Global Administrator privileges).
  3. Grant permissions to the Cyberhaven‑SharePoint‑connector application for the additional tenant.

Repeat this process for each additional instance you need to connect. Each instance appears separately in your Cyberhaven Console.

Troubleshooting

  • URL mismatch error: If you see “The reply URL specified does not match the reply URLs configured for the application,” create a support ticket in the Cyberhaven support portal to request that the connector be enabled on the backend.
  • Permissions error: If consent fails due to insufficient privileges, sign in with an account that has Global Administrator rights in Entra ID to complete installation.
  • No events appearing: It may take up to one hour for events to appear. Confirm Office 365 audit logging is enabled (see prerequisites) and that the connector shows as Connected in the Console.

Disconnect and remove

  • To disconnect the SharePoint connector, click DISCONNECT in the connector details on the Cloud Sensors page.
  • To remove the app from Microsoft Entra (Azure):
    1. Sign in to your Azure tenant with administrator rights.
    2. Open Enterprise applications and search for Cyberhaven‑SharePoint‑connector.
    3. Select the application, then go to Manage > Properties.
    4. Click Delete and confirm. If deletion fails, verify you are signed in with sufficient privileges.