Get started with activity explorer

The data classification overview and content explorer tabs give you visibility into what content has been discovered and labeled, and where that content is. Activity explorer rounds out this suite of functionality by allowing you to monitor what's being done with your labeled content. Activity explorer provides a historical view of activities on your labeled content. The activity information is collected from the Microsoft 365 unified audit logs, transformed, and made available in the Activity explorer UI. Activity explorer reports on up to 30 days worth of data.

placeholder screenshot overview activity explorer.

There are over 30 different filters available for use, some are:

  • Date range
  • Activity type
  • Location
  • User
  • Sensitivity label
  • Retention label
  • File path
  • DLP policy


If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.


Every account that accesses and uses data classification must have a license assigned to it from one of these subscriptions:

  • Microsoft 365 (E5)
  • Office 365 (E5)
  • Advanced Compliance (E5) add-on
  • Advanced Threat Intelligence (E5) add-on
  • Microsoft 365 E5/A5 Info Protection & Governance
  • Microsoft 365 E5/A5 Compliance


An account must be explicitly assigned membership in any one of these role groups or explicitly granted the role.

Roles and Role Groups

There are roles and role groups that you can use to fine-tune your access controls.

Here's a list of applicable roles that you can use. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups that you can use. To learn more about the, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

Microsoft 365 role groups

  • Global administrator
  • Compliance administrator
  • Security administrator
  • Compliance data administrator

Microsoft 365 roles

  • Compliance administrator
  • Security administrator
  • Security Reader

Activity types

Activity explorer gathers activity information from the audit logs on multiple sources of activities. For more detailed information on what labeling activity makes it to Activity explorer, see Labeling events available in Activity explorer.

Sensitivity label activities and Retention labeling activities from Office native applications, the Azure Information Protection (AIP) unified labeling client and scanner, SharePoint Online, Exchange Online (sensitivity labels only), and OneDrive. Some examples are:

  • Label applied
  • Label changed (upgraded, downgraded, or removed)
  • Autolabeling simulation
  • File read

Azure Information Protection (AIP) scanner and AIP clients

  • Protection applied
  • Protection changed
  • Protection removed
  • Files discovered

Activity explorer also gathers DLP policy matches events from Exchange Online, SharePoint Online, OneDrive, Teams Chat and Channel (preview), on-premises SharePoint folders and libraries, and on-premises file shares, and Windows 10 devices via Endpoint data loss prevention (DLP). Some examples events from Windows 10 devices are file:

  • Deletions
  • Creations
  • Copied to clipboard
  • Modified
  • Read
  • Printed
  • Renamed
  • Copied to network share
  • Accessed by unallowed app

Understanding what actions are being taken with your sensitive labeled content helps you see if the controls that you have in place, such as Microsoft Purview Data Loss Prevention policies are effective or not. If not, or if you discover something unexpected, such as a large number of items that are labeled highly confidential and are downgraded general, you can manage your various policies and take new actions to restrict the undesired behavior.


Activity explorer doesn't currently monitor retention activities for Exchange Online.

See also