This article summarizes the onboarding requirements for each platform supported by Cyera Access Trail. Use it to verify prerequisites, permissions, and configuration steps before enabling Access Trail for a given platform.
Note: Access Trail requires Cyera DSPM to be deployed and scanning the relevant environment before onboarding can begin. The Access Trail feature must also be licensed and enabled for your organization.
Supported platforms overview
| Platform | Deployment Type | License requirement | Onboarding Requirements |
|---|---|---|---|
| Microsoft 365 (SharePoint, OneDrive) | SaaS/Outpost | Access Trail | See M365 requirements below |
| Microsoft Exchange Online | SaaS/Outpost | Access Trail (DSPM Advanced — 365-day retention) | Included in M365 requirements |
| Google Workspace (My Drive, Shared Drives) | SaaS/Outpost | Access Trail | See GWS requirements below |
Microsoft 365
Access Trail for M365 ingests activity events from SharePoint Online and OneDrive via the Microsoft 365 Management Activity API. Two requirements must be met before Access Trail can collect M365 activity logs.
Requirement 1: Enable Unified Audit Logging
Access Trail requires Microsoft 365 Unified Audit Logging to be enabled for your environment. Unified Audit Logging is an organization-level setting in the Microsoft Purview Compliance Portal that allows Microsoft 365 to record user and admin activity across supported services.
To enable it:
- Sign in to the Microsoft Purview Portal.
- Navigate to Audit.
- If auditing is disabled, click the Start recording user and admin activity banner to enable Unified Audit Logging.
Notice: If Unified Audit Logging is disabled, Access Trail cannot create Microsoft 365 audit subscriptions or ingest activity events.
See Microsoft documentation: Turn auditing on or off
Requirement 2: ActivityFeed.Read API permission
Access Trail requires the following Microsoft 365 API permission to collect activity logs:
| Permission | Purpose |
|---|---|
ActivityFeed.Read |
Allows Cyera to read audit and activity events from Microsoft 365, including user actions across SharePoint Online, OneDrive, and Microsoft Entra ID (formerly Azure AD). |
New deployments: The ActivityFeed.Read permission is automatically included in standard M365 deployments. No additional configuration is required during initial setup.
Existing customers: If your organization is already connected to Microsoft 365, contact Cyera to confirm the ActivityFeed.Read permission is in place.
Microsoft Exchange Online
Access Trail for Exchange Online uses the same Microsoft 365 permissions and Unified Audit Logging setup as M365 (SharePoint/OneDrive). See Microsoft 365 requirements above.
Note: Access Trail for Exchange Online is available exclusively with the DSPM Advanced package and supports 365-day activity log retention.
Google Workspace
Access Trail for GWS ingests Drive activity events from My Drive and Shared Drives via the Google Workspace Reports API. Enabling it requires an additional API scope and a dedicated Google Workspace admin user.
Required API scope
| Scope | Purpose |
|---|---|
https://www.googleapis.com/auth/admin.reports.audit.readonly |
Allows Cyera to read Drive audit activity logs from the Google Workspace Reports API. |
This scope is granted as part of the domain-wide delegation configuration for Cyera's service account. See GWS Cloud Permissions for the full list of scopes required by Cyera.
Add the API scope
- Go to Security > API Controls > Domain-wide Delegation
- Add the API scope to Cyera’s client ID
Required admin role
Access Trail requires a custom Google Workspace admin role assigned to the Cyera user. This role is required to enable activity monitoring in Google Workspace. The assigned permissions allow Cyera to access security and audit investigation tools, analyze user activity and data access patterns, detect risky behavior and policy violations, and support forensic and compliance investigations across your environment.
Create the custom admin role
- Go to Account > Admin roles and click Create new role
- Give the role a logical name (for example, Cyera Audit Role)
-
Grant the following permissions:
Security Center
- Audit and Investigation: View
- Activity / Activity Rules: View & Manage
- Save the role
Assign the admin role
- Go to Admins > Assign admin
- Assign the Cyera user to the newly created admin role
Note: The custom admin role grants only the permissions required for Access Trail functionality
For full GWS deployment steps, see GWS SaaS/Outpost Deployment Guide.