Get started with activity explorer
The data classification overview and content explorer tabs give you visibility into what content has been discovered and labeled, and where that content is. Activity explorer rounds out this suite of functionality by allowing you to monitor what's being done with your labeled content. Activity explorer provides a historical view of activities on your labeled content. The activity information is collected from the Microsoft 365 unified audit logs, transformed, and made available in the Activity explorer UI. Activity explorer reports on up to 30 days worth of data.
There are over 30 different filters available for use, some are:
- Date range
- Activity type
- Sensitivity label
- Retention label
- File path
- DLP policy
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Every account that accesses and uses data classification must have a license assigned to it from one of these subscriptions:
- Microsoft 365 (E5)
- Office 365 (E5)
- Advanced Compliance (E5) add-on
- Advanced Threat Intelligence (E5) add-on
- Microsoft 365 E5/A5 Info Protection & Governance
- Microsoft 365 E5/A5 Compliance
An account must be explicitly assigned membership in any one of these role groups or explicitly granted the role.
Roles and Role Groups
There are roles and role groups that you can use to fine-tune your access controls. To learn more about them, see Permissions in the Microsoft Purview compliance portal.
|Microsoft Purview Roles||Microsoft Purview Role Groups||Microsoft 365 Roles||Microsoft 365 Role Groups|
|Information Protection Admin||Information Protection||Global Admins||Compliance Administrator|
|Information Protection Analyst||Information Protection Admins||Compliance Admins||Security Administrator|
|Information Protection Investigator||Information Protection Investigators||Security Admins||Security Reader|
|Information Protection Reader||Information Protection Analysts||Compliance Data Admins|
|Information Protection Readers|
Roles other than the Global Admin and Compliance Admin roles can view activities only, not the sensitive content itself.
Activity explorer gathers information from the audit logs of multiple sources of activities.
Some examples of the Sensitivity label activities and Retention labeling activities from applications native to Microsoft Office, the Azure Information Protection (AIP) unified labeling client and scanner, SharePoint Online, Exchange Online (sensitivity labels only), and OneDrive include:
- Label applied
- Label changed (upgraded, downgraded, or removed)
- Autolabeling simulation
- File read
Labeling activity particular to Azure Information Protection (AIP) scanner and AIP clients that comes into Activity explorer includes:
- Protection applied
- Protection changed
- Protection removed
- Files discovered
For more detailed information on what labeling activity makes it into Activity explorer, see Labeling events available in Activity explorer.
In addition, using Endpoint data loss prevention (DLP), Activity explorer gathers DLP policy matches events from Exchange Online, SharePoint Online, OneDrive, Teams Chat and Channel (preview), on-premises SharePoint folders and libraries, on-premises file shares, and Windows 10 devices. Some example events gathered from Windows 10 devices include the following actions taken on files:
- Copy to clipboard
- Copy to network share
- Access by an unallowed app
Understanding the actions that are taken on content with sensitivity labels helps you determine whether the controls that you have in place, such as Microsoft Purview Data Loss Prevention policies, are effective. If not, or if you discover something unexpected—such as a large number of items that are labeled
highly confidential and are downgraded to
general—you can manage your policies and take new actions to restrict the undesired behavior.
Activity explorer doesn't currently monitor retention activities for Exchange Online.
Submit and view feedback for