Content Explorer and Activity Explorer
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Understanding Content Explorer and Activity Explorer in Microsoft Purview
In the modern digital workplace, data is created at a staggering rate. Most organizations struggle not only with the sheer volume of information but also with understanding what that information contains and how employees are interacting with it. Without visibility, data protection strategies are essentially guesswork. This is where Microsoft Purview’s data classification tools, specifically Content Explorer and Activity Explorer, become indispensable.
These two tools provide the "what, where, and how" of your organization's sensitive data. Content Explorer allows you to see what sensitive information exists and where it lives across your environment, such as in SharePoint, OneDrive, or Exchange. Activity Explorer, on the other hand, provides a historical record of what is happening to that data—who is labeling it, who is removing protection, and how files are being moved or modified. Together, they transform data governance from a reactive process into a proactive, visibility-driven strategy.
The Role of Data Classification
Before diving into the explorers, we must understand the foundation they sit upon: data classification. Microsoft Purview uses Sensitive Information Types (SITs), Trainable Classifiers, and Sensitivity Labels to identify data. A SIT might look for patterns like credit card numbers or social security numbers, while a Trainable Classifier uses machine learning to identify documents like resumes, source code, or legal agreements.
Content Explorer and Activity Explorer are the primary interfaces for viewing the results of these classification efforts. Without these tools, you might create a policy to protect "Financial Data," but you would have no way of knowing if that policy is actually catching the right files or if users are finding ways to bypass your security controls.
Content Explorer: Visibility into Data at Rest
Content Explorer is designed to give administrators a high-level view of the sensitive information that has been discovered within the organization. It acts as a centralized inventory. If you have ever wondered, "How many documents containing credit card numbers are sitting in our public SharePoint sites?" Content Explorer is the tool that provides the answer.
How Content Explorer Works
Content Explorer scans your organization's cloud locations—Exchange, SharePoint, and OneDrive—and aggregates the findings based on the Sensitive Information Types and labels you have configured. It does not require you to set up specific "scan jobs" for cloud locations; the indexing happens automatically as part of the Microsoft 365 service.
When you open Content Explorer, you are presented with a list of all the SITs and labels found in your tenant. Next to each type is a count of how many instances have been detected. You can then drill down into these categories to see the specific locations where the data resides.
Permissions and Privacy
One of the most critical aspects of Content Explorer is the permission model. Because this tool allows you to see sensitive data, Microsoft has implemented a two-tiered Role-Based Access Control (RBAC) system to ensure privacy.
- Content Explorer List Viewer: This role allows a user to see the names of the sensitive information types and the counts of items. They can see that there are 500 files with "Passport Numbers," but they cannot see the files themselves or the specific text within them.
- Content Explorer Content Viewer: This is a much more powerful role. Users with this permission can drill down to the individual file level and actually view the content of the document in a preview pane.
Callout: The Principle of Least Privilege
It is a common mistake to grant the "Content Viewer" role to all IT administrators. In a well-governed environment, only a small group of privacy or compliance officers should have the ability to view actual file content. Most IT staff only need the "List Viewer" role to identify where high concentrations of sensitive data exist so they can apply the appropriate technical controls.
Practical Example: Finding Orphaned PII
Imagine a scenario where a department head left the company three years ago. Their old SharePoint site is still active, but no one has looked at it in years. By using Content Explorer, a compliance officer can filter by the "U.S. Social Security Number" SIT.
They might discover that this old site contains 200 documents with SSNs. Because the site is no longer managed, it represents a significant security risk. Content Explorer allows the officer to identify this specific location, drill down to see the filenames, and then work with the IT department to either archive the site or apply a "Highly Confidential" label to the files automatically.
Activity Explorer: Tracking Data in Motion
While Content Explorer tells you what you have, Activity Explorer tells you what is happening to it. It is a historical log of actions taken on labeled or sensitive data. This is essential for understanding user behavior and ensuring that your information protection policies are being followed.
Monitoring the Lifecycle of a Label
Activity Explorer tracks a wide range of events. Some of the most common activities include:
- Label applied: When a user or an automated process assigns a sensitivity label to a document or email.
- Label changed: When a user upgrades a label (e.g., from Public to Confidential) or downgrades it.
- Label removed: A high-risk activity where a user removes protection entirely.
- File read: When a labeled file is opened.
- DLP policy match: When a user's action triggers a Data Loss Prevention rule, such as trying to share a sensitive file with an external guest.
Filtering and Analysis
The power of Activity Explorer lies in its filtering capabilities. You can filter by date range, activity type, user, file extension, or specific sensitivity label. This allows you to perform forensic investigations or monitor general trends.
For instance, if you notice a sudden spike in "Label removed" activities, you can filter for that specific action to see which users are doing it and which files are affected. If the removals are all happening within the Finance department, it might indicate that a specific business process is being hindered by your current labels, leading users to bypass them.
Note: Activity Explorer data can take up to 24 hours to appear in the dashboard after an event occurs. If you perform a test action and don't see it immediately, this latency is expected behavior within the Microsoft Purview ecosystem.
Practical Example: Investigating a Potential Leak
Suppose an automated alert triggers because a user downloaded a large volume of "Confidential" files. You can turn to Activity Explorer to investigate. By filtering for that specific user and the "Label applied" or "File downloaded" activities, you can see the exact timeline.
You might find that the user first downgraded the labels from "Confidential" to "General" (which might bypass certain export restrictions) and then downloaded them. This granular detail allows you to provide concrete evidence to HR or Legal teams when investigating internal data theft or policy violations.
Technical Implementation and Configuration
To get the most out of these tools, you need to ensure your environment is configured correctly. This involves more than just clicking through the portal; it requires understanding how the underlying data is collected.
Prerequisites for Activity Tracking
Activity Explorer relies on the Unified Audit Log. If auditing is not enabled in your Microsoft 365 tenant, Activity Explorer will have no data to display. While auditing is turned on by default for most new tenants, it is a best practice to verify this via PowerShell.
# Connect to the Exchange Online PowerShell module
Connect-ExchangeOnline
# Check if Unified Auditing is enabled
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
If the result is False, you must enable it using the following command:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Configuring Sensitive Information Types (SITs)
Content Explorer only shows what it is told to look for. If you have custom sensitive data—like a specific format for internal Project Codes—you must create a custom SIT. Once created, Microsoft's crawlers will begin identifying these patterns, and they will eventually appear in Content Explorer.
Here is an example of what a custom SIT definition might look like in XML format, which can be uploaded to Purview:
<Entity id="f1b2c3d4-e5f6-7a8b-9c0d-e1f2a3b4c5d6" patternsProximity="300" recommendedConfidence="85">
<Pattern confidenceLevel="85">
<IdMatch idRef="ProjectCodeRegex" />
<Any minMatches="1">
<Match idRef="Keyword_Project" />
</Any>
</Pattern>
</Entity>
<Regex id="ProjectCodeRegex">PRJ-[0-9]{4}-[A-Z]{2}</Regex>
<Keyword id="Keyword_Project">
<Group>
<Term>Project ID</Term>
<Term>Project Number</Term>
<Term>Internal Code</Term>
</Group>
</Keyword>
Once this SIT is active, Content Explorer will begin showing you every file in your environment that follows the PRJ-1234-AB format.
Step-by-Step: Navigating the Explorers
For those new to the Microsoft Purview compliance portal, finding and using these tools can be overwhelming. Follow these steps to conduct a basic data audit.
Step 1: Accessing the Dashboard
- Navigate to the Microsoft Purview compliance portal.
- In the left-hand navigation pane, expand Data classification.
- You will see Content explorer and Activity explorer listed as sub-items.
Step 2: Using Content Explorer for Data Discovery
- Click on Content explorer.
- On the main screen, look at the "Sensitive info types" tab. You will see a list of SITs like "Credit Card Number" or "IP Address."
- Click on a SIT to see the locations (SharePoint, OneDrive, Exchange).
- Click on a specific SharePoint site URL. This will show you the folders and eventually the specific files containing that data.
- If you have the "Content Viewer" role, click on a file to see the content in the preview pane. The sensitive strings will be highlighted.
Step 3: Using Activity Explorer for Auditing
- Click on Activity explorer.
- Use the filter bar at the top to narrow down the results. For a general overview, set the "Activity" filter to Label changed.
- Look for instances where the "New label" is less restrictive than the "Old label."
- Click on an activity to see the "Details" pane. This provides the user's IP address, the device they used, and the exact timestamp of the change.
Comparison: Content Explorer vs. Activity Explorer
It is helpful to view these two tools as complementary sides of the same coin. The following table summarizes their primary differences.
| Feature | Content Explorer | Activity Explorer |
|---|---|---|
| Primary Focus | Data at rest (What do we have?) | Data in motion (What is happening?) |
| Data Source | Indexed content in M365 locations | Unified Audit Log events |
| Main Use Case | Risk assessment and cleanup | Forensic investigation and behavior monitoring |
| Visibility | Shows SITs, labels, and file content | Shows actions, users, and label changes |
| Latency | Updated as data is crawled | Updated within 24 hours of event |
| Permissions | Requires List Viewer or Content Viewer | Requires Activity Explorer Reader |
Best Practices for Information Protection
Using these tools effectively requires more than just knowing where the buttons are. You should integrate them into a broader governance workflow.
1. Perform Regular "Data Sweeps"
Set a monthly schedule to review Content Explorer. Look for high concentrations of sensitive data in unexpected places, such as "Public" Teams channels or "Everyone except external users" SharePoint sites. This helps you identify where your automated labeling policies might need to be more aggressive.
2. Monitor "Label Downgrades" and "Removals"
In Activity Explorer, create a filtered view specifically for when users remove or downgrade labels. This is often where the most significant insider threats occur. If a user downgrades a "Highly Confidential" file to "Public," they should have a valid business justification. Activity Explorer allows you to see if they provided one (if you have configured justification prompts in your label policy).
3. Use Content Explorer to Validate SITs
Before deploying a new Data Loss Prevention (DLP) policy that blocks emails, use Content Explorer to see how many "hits" your SIT gets. If a custom SIT for "Employee IDs" is triggering on thousands of random numbers that aren't actually IDs, you know you need to refine your regex or keywords before you start blocking legitimate work.
4. Implement the "List Viewer" Role for Most Staff
Protect the privacy of your employees by limiting who can see the actual content of files. Most compliance tasks can be managed just by knowing that a file contains sensitive data, without needing to see the data itself.
Callout: False Positives
No classification engine is perfect. Content Explorer will occasionally show "False Positives"—files that appear to contain sensitive data but actually don't. For example, a random string of numbers might look like a credit card. When you find these in Content Explorer, use the information to tune your Sensitive Information Types by adding "Supporting Elements" or "Exclusions" to make them more accurate.
Common Pitfalls and How to Avoid Them
Even with powerful tools, it is easy to make mistakes that lead to gaps in visibility or security.
Pitfall 1: Assuming Real-Time Reporting
Many administrators perform an action (like applying a label) and immediately check Activity Explorer to see if it worked. When they see nothing, they assume the system is broken.
- The Fix: Remember the 24-hour latency. Build your reporting and investigation workflows around this delay. For real-time alerts, use Activity Alerts or Microsoft Defender for Cloud Apps instead.
Pitfall 2: Neglecting On-Premises Data
Content Explorer and Activity Explorer are primarily focused on the Microsoft 365 cloud. If you have a large amount of data on local file servers, it won't show up here unless you are using the Microsoft Purview Information Protection Scanner.
- The Fix: Deploy the scanner to your on-premises environment. It can feed information back into the Purview portal, allowing Content Explorer to give you a more holistic view of your entire estate.
Pitfall 3: Overlooking the "Unlabeled" Data
Content Explorer is great at showing you where labels and SITs are, but it's equally important to think about where they aren't. If you have a site that should contain sensitive data but Content Explorer shows nothing, your classification rules might be too narrow, or users might be saving data in formats that aren't being scanned (like encrypted ZIP files).
- The Fix: Regularly review your SIT definitions and ensure they cover the various ways sensitive data might be formatted in your specific industry.
Pitfall 4: Ignoring the "Why"
Activity Explorer tells you what happened, but it doesn't always tell you why. If you see a user downloading 50 confidential files, don't immediately assume they are stealing data.
- The Fix: Use Activity Explorer as a starting point for a conversation. Reach out to the user or their manager to understand the context. There may be a legitimate project requiring that data access that you weren't aware of.
Advanced Usage: Integrating with PowerShell
For larger organizations, manually clicking through the portal isn't always efficient. You can use PowerShell to extract data that informs your work in Content Explorer and Activity Explorer.
While you cannot directly "query" the Content Explorer via a simple PowerShell command in the same way you view the UI, you can use the Get-LabelActivity and Get-ComplianceTag commands to get a sense of how labels are being used across the tenant.
# Get a summary of labeling activity for the last 7 days
$Activities = Get-LabelActivity -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
# Filter for label removals
$Removals = $Activities | Where-Object { $_.Action -eq 'LabelRemoved' }
# Export to CSV for further analysis in Excel
$Removals | Export-Csv -Path "C:\Reports\LabelRemovals.csv" -NoTypeInformation
This type of automation allows you to create custom reports that supplement what you see in the Activity Explorer dashboard.
Summary and Key Takeaways
Content Explorer and Activity Explorer are the "eyes" of your Microsoft Purview compliance suite. Without them, you are managing data in the dark. By understanding how to navigate these tools, assign the correct permissions, and interpret the data they provide, you can significantly reduce your organization's risk profile.
- Content Explorer provides a snapshot of data at rest, showing you where sensitive information lives across SharePoint, OneDrive, and Exchange.
- Activity Explorer provides a chronological log of events, tracking how users interact with labeled and sensitive files.
- Permissions are granular. Use the "List Viewer" role for general administration and the "Content Viewer" role only for specific, authorized investigations.
- Data latency is real. Expect up to a 24-hour delay for activities to appear in the Explorer dashboards.
- Customization is key. To see data specific to your business, you must create custom Sensitive Information Types (SITs) or Trainable Classifiers.
- Context matters. Use Activity Explorer to identify trends and anomalies, but always investigate the business context before taking disciplinary action.
- Hygiene is a process. Use Content Explorer to find "orphaned" or misplaced sensitive data and move it to more secure locations.
By mastering these tools, you move beyond simple "data protection" and into the realm of true Data Intelligence. You gain the ability to prove to auditors where your data is, demonstrate to leadership how it is being protected, and ensure that your users are handling the organization's most valuable information with the care it deserves.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons