Get started with activity explorer

Note

Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement.

The data classification overview and content explorer tabs give you visibility into what content has been discovered and labeled, and where that content is. Activity explorer rounds out this suite of functionality by allowing you to monitor what's being done with your labeled content. Activity explorer provides a historical view of activities on your labeled content. The activity information is collected from the Microsoft 365 unified audit logs, transformed, and made available in the Activity explorer UI. Activity explorer reports on up to 30 days' worth of data.


More than 30 different filters are available for use. Some of them are:

  • Date range
  • Activity type
  • Location
  • User
  • Sensitivity label
  • Retention label
  • File path
  • DLP policy

Prerequisites

Every account that accesses and uses data classification must have a license assigned to it from one of these subscriptions:

  • Microsoft 365 (E5)
  • Office 365 (E5)
  • Advanced Compliance (E5) add-on
  • Advanced Threat Intelligence (E5) add-on
  • Microsoft 365 E5/A5 Info Protection & Governance
  • Microsoft 365 E5/A5 Compliance

Permissions

An account must be explicitly assigned membership in any one of these role groups or explicitly granted the role.

Roles and Role Groups in preview

There are roles and role groups in preview that you can test out to fine-tune your access controls.

Here's a list of applicable roles that are in preview. To learn more about them, see Roles in the Security & Compliance Center.

  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups that are in preview. To learn more about them, see Role groups in the Security & Compliance Center.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

Microsoft 365 role groups

  • Global administrator
  • Compliance administrator
  • Security administrator
  • Compliance data administrator

Microsoft 365 roles

  • Compliance administrator
  • Security administrator
  • Security Reader

Activity types

Activity explorer gathers activity information from the audit logs on multiple sources of activities. For more detailed information on what labeling activity makes it to Activity explorer, see Labeling events available in Activity explorer.

Activity explorer reports sensitivity label activities and retention labeling activities from Office native applications, the Azure Information Protection add-in, SharePoint Online, Exchange Online (sensitivity labels only), and OneDrive. Some examples are:

  • Label applied
  • Label changed (upgraded, downgraded, or removed)
  • Autolabeling simulation
  • File read

Activities from the Azure Information Protection (AIP) scanner and AIP clients include:

  • Protection applied
  • Protection changed
  • Protection removed
  • Files discovered

Activity explorer also gathers DLP policy match events from Exchange Online, SharePoint Online, OneDrive, Teams Chat and Channel (preview), on-premises SharePoint folders and libraries, on-premises file shares, and Windows 10 devices via Endpoint data loss prevention (DLP). Some example events from Windows 10 devices are file:

  • Deletions
  • Creations
  • Copied to clipboard
  • Modified
  • Read
  • Printed
  • Renamed
  • Copied to network share
  • Accessed by unallowed app

Understanding what actions are being taken with your sensitive labeled content helps you see whether the controls that you have in place, such as Microsoft Purview Data Loss Prevention policies, are effective. If they aren't, or if you discover something unexpected, such as a large number of items that are labeled highly confidential and are downgraded to general, you can manage your various policies and take new actions to restrict the undesired behavior.
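The following Python code is an added example, not part of the original page or any Microsoft tooling. It shows one way to surface the downgrade pattern described above from exported activity records. The record field names (`user`, `activity`, `old_label`, `new_label`, `timestamp`), the label ranking, the threshold, and the sample data are assumptions made for illustration; map them to the columns of your own export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ordering, lowest to highest sensitivity; replace with your tenant's labels.
LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}

def rec(user, activity, old, new, ts):
    # Field names are hypothetical, not the product's export schema.
    return {"user": user, "activity": activity, "old_label": old,
            "new_label": new, "timestamp": ts}

# Constructed sample records ("" as new_label means the label was removed).
SAMPLE = [
    rec("alice@example.com", "Label changed", "Highly Confidential", "General", "2024-05-01T09:00:00"),
    rec("alice@example.com", "Label changed", "Highly Confidential", "General", "2024-05-01T09:10:00"),
    rec("alice@example.com", "Label changed", "Confidential", "", "2024-05-01T09:40:00"),
    rec("alice@example.com", "Label changed", "General", "Confidential", "2024-05-01T09:45:00"),
    rec("bob@example.com", "Label changed", "Confidential", "General", "2024-05-01T08:00:00"),
    rec("bob@example.com", "Label changed", "Confidential", "General", "2024-05-01T13:00:00"),
    rec("bob@example.com", "File read", "", "", "2024-05-01T13:05:00"),
]

def is_downgrade(r):
    """True when a label change lowers the rank or removes the label."""
    if r["activity"] != "Label changed":
        return False
    old = LABEL_RANK.get(r["old_label"])
    new = -1 if not r["new_label"] else LABEL_RANK.get(r["new_label"])
    # Labels missing from LABEL_RANK are skipped rather than guessed at.
    return old is not None and new is not None and new < old

def flag_downgrade_bursts(records, threshold=3, window=timedelta(hours=1)):
    """Map each user to their peak downgrade count in any window, if >= threshold."""
    per_user = defaultdict(list)
    for r in records:
        if is_downgrade(r):
            per_user[r["user"]].append(datetime.fromisoformat(r["timestamp"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged

if __name__ == "__main__":
    print(flag_downgrade_bursts(SAMPLE))
```

Tune `threshold` and `window` against your own baseline of label changes before relying on the output, because legitimate relabeling projects also produce bursts.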

Note

Activity explorer doesn't currently monitor retention activities for Exchange Online.
