Labeling activities that are available in Activity explorer
Article
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Sensitivity label applied
This event is generated each time an unlabeled document is labeled or an email is sent with a sensitivity label.
It's captured when saved in native Microsoft Office applications and web applications.
It's captured when a label is applied for the Microsoft Purview Information Protection client.
Upgrade and downgrade labels actions can also be monitored via the Label event type field and filter.
Source
Reported in Activity explorer
Note
Word, Excel, PowerPoint
Yes
Outlook
Yes
If a sensitivity label has been applied to any email in an email thread, the same label is automatically applied to subsequent replies on the thread. These labeling events appear in activity explorer as automatic labeling events, even when automatic labeling hasn't been configured.
SharePoint, OneDrive
Yes
Exchange
Yes
Microsoft Purview Information Protection client and scanner
Yes
The new label action is mapped to label applied in activity explorer
Microsoft Information Protection (MIP) SDK
Yes
The new label action is mapped to label applied in activity explorer
Rights Management Service (RMS)
Not applicable
Power BI desktop and web
No
Accessible in the Microsoft 365 audit logs
Microsoft Defender for Cloud Apps
No
Sensitivity label changed
This event is generated each time a sensitivity label is updated on the document or email.
For the Microsoft Purview Information Protection client and scanner, and MIP SDK sources, the upgrade label and downgrade label action maps to Activity explorer label changed.
It's captured when the action is saved in native Microsoft Office applications and web applications.
It's captured when the action occurs for the Microsoft Purview Information Protection client and scanner enforcements.
Upgrade and downgrade labels actions can also be monitored via the Label event type field and filter. The justification text is also captured, except for SharePoint and OneDrive.
Sensitivity labeling in Microsoft Office apps: Outlook collects the last action that was generated before file save/email send actions. For example, if the user changes label on an email multiple times before sending, the last label found on the email when it is sent is captured in the audit log and then reported in activity explorer.
Source
Reported in Activity explorer
Note
Word, Excel, PowerPoint
Yes
Outlook
Yes
SharePoint, OneDrive
Yes
Exchange
Yes
Microsoft Purview Information Protection client
Yes
Microsoft Purview Information Protection scanner
Yes
MIP SDK
Yes
RMS service
Not applicable
Power BI desktop and Web
No
Accessible in the Microsoft 365 audit logs
Microsoft Defender for Cloud Apps
No
Sensitivity label removed
This event is generated each time a sensitivity label is removed from a file or document.
This event is captured when the document is saved in Microsoft Office applications and web applications.
It's captured when the label is removed for the Microsoft Purview Information Protection client.
Sensitivity labeling in Microsoft Office: Outlook collects the last labeling event that was generated before file save/email send actions.
Source
Reported in Activity explorer
Note
Word, Excel, PowerPoint
Yes
Outlook
Yes
SharePoint, OneDrive
Yes
Exchange
Yes
Microsoft Purview Information Protection client
Yes
The remove label action is mapped to the label removed action in activity explorer
Microsoft Purview Information Protection scanner
Yes
The remove label action is mapped to the label removed action in activity explorer
MIP SDK
Yes
The remove label action is mapped to the label removed action in activity explorer
RMS service
Not applicable
Power BI desktop and Web
No
Accessible in the Microsoft 365 audit logs
Microsoft Defender for Cloud Apps
No
Sensitivity label file read
This event is generated each time a sensitivity labeled or protected document is opened.
Source
Reported in Activity explorer
Note
Word, Excel, PowerPoint
Yes
Outlook
No
SharePoint, OneDrive
No
Exchange
No
Microsoft Purview Information Protection client
Yes
The access action is mapped to the file read action in activity explorer
Microsoft Purview Information Protection scanner
Yes
The access action is mapped to the file read action in activity explorer
MIP SDK
Yes
The access action is mapped to the file read action in activity explorer
RMS service
Yes
The access action is mapped to the file read action in activity explorer
Power BI desktop and Web
No
Accessible in the Microsoft 365 audit logs
Microsoft Defender for Cloud Apps
No
Files discovered
This event is generated each time files are discovered when the Microsoft Purview Information Protection scanner is used for scanning sensitive data in various locations and finds files.
Source
Reported in Activity explorer
Note
Word, Excel, PowerPoint
Not applicable
Outlook
Not applicable
SharePoint, OneDrive
Not applicable
Exchange
Not applicable
Microsoft Purview Information Protection client
Not applicable
Microsoft Purview Information Protection scanner
Yes
The discover action is mapped to the files discovered action in activity explorer
MIP SDK
Yes
The discover action is mapped to the file discovered action in Activity explorer
RMS service
Not applicable
Power BI desktop and Web
Not applicable
Microsoft Defender for Cloud Apps
Not applicable
Sensitivity label file renamed
This event is generated each time a document with a sensitivity label is renamed.
Source
Reported in Activity explorer
Note
Word, Excel, PowerPoint
Yes
Outlook
Not applicable
SharePoint, OneDrive
No
Exchange
Not applicable
Microsoft Purview Information Protection client
No
Microsoft Purview Information Protection scanner
No
MIP SDK
No
RMS service
No
Power BI desktop and Web
No
Microsoft Defender for Cloud Apps
No
File removed
This event is generated each time the Microsoft Purview Information Protection scanner detects that a previously scanned file has been removed.
Source
Reported in Activity explorer
Note
Word, Excel, PowerPoint
Not applicable
Outlook
Not applicable
SharePoint, OneDrive
Not applicable
Exchange
Not applicable
Microsoft Purview Information Protection client
Not applicable
Microsoft Purview Information Protection scanner
Yes
MIP SDK
Not applicable
RMS service
Not applicable
Power BI desktop and Web
Not applicable
Microsoft Defender for Cloud Apps
Not applicable
Protection applied
This event is generated the first-time protection is added manually to an item that doesn't have a label.
Source
Reported in Activity explorer
Note
Word, Excel, PowerPoint
No
Outlook
No
SharePoint, OneDrive
Not applicable
Exchange
No
Microsoft Purview Information Protection client
Yes
Microsoft Purview Information Protection scanner
Not applicable
MIP SDK
Yes
RMS service
Not applicable
Power BI desktop and Web
Not applicable
Microsoft Defender for Cloud Apps
Not applicable
Protection changed
This event is generated each time the protection on an unlabeled document is changed manually.
Source
Reported in Activity explorer
Word, Excel, PowerPoint
No
Outlook
No
SharePoint, OneDrive
Not applicable
Exchange
No
Microsoft Purview Information Protection client
Yes
Microsoft Purview Information Protection scanner
Not applicable
MIP SDK
Yes
RMS service
Not applicable
Power BI desktop and Web
Not applicable
Microsoft Defender for Cloud Apps
Not applicable
Protection removed
This event is generated each time the protection on an unlabeled document is changed manually.
Source
Reported in Activity explorer
Word, Excel, PowerPoint
No
Outlook
No
SharePoint, OneDrive
Not applicable
Exchange
No
Microsoft Purview Information Protection client
Yes
Microsoft Purview Information Protection scanner
Not applicable
MIP SDK
Yes
RMS service
Not applicable
Power BI desktop and Web
Not applicable
Microsoft Defender for Cloud Apps
Not applicable
DLP policy matched
This event is generated each time a DLP policy is matched on a document or an email.
Source
Reported in Activity explorer
Exchange
Yes
SharePoint
Yes
OneDrive
Yes
Teams
Yes
Windows 10, Windows 11, and macOS devices
Yes
MAC
No
On-premises
No
Microsoft Defender for Cloud Apps
No
The Endpoint DLP events for devices running Windows 10, Windows 11, and any of the three most recently released major versions of macOS are:
File deleted
File created
File copied to clipboard
File modified
File read
File printed
File renamed
File copied to network share
File accessed by unallowed app
Retention label applied
This event is generated each time an unlabeled document is labeled or an email is sent with a retention label.
It's captured at the time of save for a document and at time of sending for an email.
Source
Reported in Activity explorer
Exchange
No
SharePoint
Yes
OneDrive
Yes
Retention label changed
This event is generated each time a label is updated on a document or email.
It's captured at the time of save for a document and at time of sending for an email.
Source
Reported in Activity explorer
Exchange
No
SharePoint
Yes
OneDrive
Yes
Retention label removed
This event is generated each time a label is removed from a file or document.
It's captured at the time of save for a document and at time of sending for an email.
Source
Reported in Activity explorer
Exchange
No
SharePoint
Yes
OneDrive
Yes
Known issues
When the recommended label tool tip is shown to an end user, it isn't captured. However, if the user chooses to apply the recommended label, the label is shown under the How applied field as Recommended.
Justification text isn't currently available when downgrading sensitivity labels from SharePoint and OneDrive.
Sensitive information types are currently not available for autolabeling activities from Word, Excel, PowerPoint, and Outlook, SharePoint, and OneDrive.
This module examines how sensitivity labels from the Microsoft Information Protection solution let you classify and protect your organization's data, while making sure that user productivity and collaboration isn't hindered.
The data Microsoft Purview compliance classification dashboard provides visibility into how much sensitive data has been found and classified in your organization.
This article gives an overview of sensitive information types and how they detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items.