This chapter covers Content Explorer and Activity Explorer, two critical tools in Microsoft Purview Information Protection and Data Loss Prevention (DLP). These tools are part of the Microsoft 365 Defender portal and are essential for understanding your data posture and investigating incidents. On the MS-102 exam, questions on these explorers appear in approximately 10-15% of security-related questions, often as part of scenario-based DLP or sensitivity label troubleshooting. Mastering their differences, data sources, and filtering capabilities is key to passing the Security Threats domain.
Content Explorer and Activity Explorer are like a modern security camera system in a corporate building. The building has hundreds of rooms (SharePoint sites, Exchange mailboxes, Teams chats) and thousands of files and messages. Content Explorer is like a camera that photographs every room on a fixed schedule and shows you exactly which sensitive items (credit card numbers, health records) were sitting in each room as of the last pass. Because it works from snapshots of the current state, you can see that Room 201 holds a document with 50 credit card numbers visible to all employees. Activity Explorer, on the other hand, is like the DVR playback of all past movements. It records every time someone enters a room, picks up a document, or moves it to another room. It shows you who accessed that sensitive file, from which device, and whether they tried to copy it to a USB drive. The two systems work together: Content Explorer tells you what you have exposed now, and Activity Explorer tells you how it got there and who has been poking around. Without both, you might know you have a vulnerability but not how it was exploited, or you might see suspicious activity but not know which files are actually sensitive. The exam expects you to understand the distinct roles: Content Explorer is for data at rest (static inventory), Activity Explorer is for data in motion (historical audit trail).
What Are Content Explorer and Activity Explorer?
Content Explorer and Activity Explorer are two data investigation tools within the Microsoft Purview compliance portal (formerly Microsoft 365 Compliance Center). They are designed to help administrators discover, classify, and monitor sensitive information across Microsoft 365 services. Content Explorer provides a snapshot of where sensitive data resides at rest, while Activity Explorer provides an audit trail of activities performed on that data over time. Both tools rely on the Microsoft 365 unified audit log and information protection scanning infrastructure.
Content Explorer: Data at Rest
Content Explorer allows you to view a summary of items that have been classified by sensitivity labels or retention labels, or items that match a sensitive information type (SIT). It aggregates data from Exchange Online, SharePoint Online, OneDrive for Business, and Teams (via SharePoint and Exchange). The data is refreshed every 48 hours by default, so it is not real-time. You access it via the Microsoft Purview compliance portal > Data Classification > Content Explorer.
Key features:
Summary tab: Shows the number of items per label type (sensitivity, retention) and per SIT.
Location tab: Breaks down the count by workload (SharePoint, Exchange, OneDrive).
Items tab: Lists individual items with details like location, label, SIT matches, and last modified date.
Export: You can export the list to a CSV file for offline analysis.
The tool uses the Microsoft 365 Information Protection scanner, which indexes content and applies classification. The scanning engine uses exact data match (EDM) and fingerprinting for high-accuracy detection. Content Explorer only shows items that are classified; unclassified items are not visible. This is a common exam trap: candidates think Content Explorer shows all data, but it only shows classified data.
Activity Explorer: Data in Motion
Activity Explorer provides a historical view of activities related to sensitivity labels, retention labels, and DLP policies. It pulls data from the unified audit log and displays it in a filtered, searchable interface. Activities include:
Label applied, changed, or removed
DLP rule matches
Auto-labeling actions
User-defined permissions changes
Activity Explorer retains data for up to 30 days (for most activities) but can be extended with audit retention policies. It is updated within minutes of an activity occurring, making it near real-time. You access it via the Microsoft Purview compliance portal > Data Classification > Activity Explorer.
Key filters:
Date range: Up to 30 days by default.
Activity type: e.g., SensitivityLabelApplied, DlpRuleMatch.
Location: SharePoint, Exchange, OneDrive, Teams.
User: Specific user or group.
Label: Specific sensitivity or retention label.
Sensitive info type: Specific SIT.
How They Work Internally
Both explorers rely on the Microsoft 365 classification pipeline. When a user creates or modifies a document, the following occurs:
1. Client-side labeling: If the user manually applies a label via Office apps, the label metadata is embedded in the file (e.g., using the Azure Information Protection SDK).
2. Server-side scanning: For auto-labeling (e.g., auto-labeling policies or DLP), the service scans the content using SITs and applies labels accordingly.
3. Audit logging: Every labeling or DLP action generates an audit record in the unified audit log. Activity Explorer queries this log.
4. Content Explorer indexing: The classification scanner periodically crawls all locations and builds an index of classified items. This index is used by Content Explorer.
Key Components and Defaults
Content Explorer data freshness: 48 hours. This means if you apply a label now, it may not appear in Content Explorer for up to 2 days.
Activity Explorer latency: Typically 5-15 minutes, but can be up to 30 minutes for some activities.
Retention: Activity Explorer retains data for 30 days by default. You can increase this with a custom audit retention policy (e.g., 1 year) if you have the appropriate license (E5 or add-on).
Permissions: To access Content Explorer, you need the Content Explorer List Viewer role or Content Explorer Content Viewer role. For Activity Explorer, you need the Activity Explorer List Viewer role. These are part of the Information Protection admin role group.
Configuration and Verification
To enable the explorers, you must first enable audit logging (if not already). This is done via:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Or in the compliance portal: Audit > Turn on auditing.
To verify that Content Explorer is working, navigate to the Data Classification page and check if the summary shows counts. If it shows zero, ensure that:
Audit logging is enabled.
Sensitivity labels are published and applied.
The classification scanner has run (wait 48 hours).
For Activity Explorer, you can verify by performing a test activity (e.g., apply a label to a document) and then checking the explorer after 15 minutes.
Interaction with Related Technologies
DLP Policies: DLP policy matches appear in Activity Explorer, but not in Content Explorer (since Content Explorer shows labels/SITs, not policy violations).
Sensitivity Labels: Both explorers show sensitivity label usage. Content Explorer shows where labels are applied; Activity Explorer shows when they were applied/changed.
Retention Labels: Content Explorer shows retention labels; Activity Explorer shows label application and removal.
Auto-Labeling: Auto-labeling policies trigger activities that appear in Activity Explorer. Content Explorer will eventually show the newly labeled items.
Exam Trap: Content Explorer vs. Activity Explorer
A common exam question asks: "Which tool shows where sensitive data is currently stored?" Answer: Content Explorer. "Which tool shows who accessed sensitive data?" Answer: Activity Explorer. Another trap: Content Explorer shows only classified items, not all items. Activity Explorer shows only activities that were audited; if audit logging is off, it will be empty.
Specific Numbers and Defaults
Content Explorer refresh interval: 48 hours.
Activity Explorer data retention: 30 days (default).
Activity Explorer latency: 5-30 minutes.
Maximum number of items displayed in Content Explorer: 10,000 per view (pagination).
Supported file types: Word, Excel, PowerPoint, PDF, text, and many others (up to 150+ file types).
Commands and PowerShell
While there is no direct PowerShell cmdlet to query Content Explorer, you can use the following to check audit log status:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
For Activity Explorer data, you can use Search-UnifiedAuditLog to retrieve similar data, though the explorer provides a more user-friendly interface.
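The following script is an added example for this chapter, not code from the chapter or from Microsoft. It verifies the audit-logging prerequisite with Get-AdminAuditLogConfig, enables ingestion if needed, and then pulls the same DlpRuleMatch and SensitivityLabelApplied records that Activity Explorer surfaces, directly from Search-UnifiedAuditLog, keeping the window to seven days. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read the audit log; the AuditData field names it reads (UserId, Workload, ObjectId) are the common audit schema, and the user address alex@contoso.example is a constructed placeholder.

```powershell
# Added example: Activity Explorer-style query against the unified audit log.
# Assumes ExchangeOnlineManagement is installed and the account can read audit data.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Prerequisite check: both explorers stay empty unless ingestion is on.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is off; enabling it (population can take up to 24 h)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Keep the window at 7 days or less so the query stays responsive.
$end   = Get-Date
$start = $end.AddDays(-7)
$ops   = @('DlpRuleMatch', 'SensitivityLabelApplied')   # activity types named in the chapter

# 3. Page through results: each call returns at most 5000 records per session.
$sessionId = "ActivityExplorerLike-" + [guid]::NewGuid()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $ops -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# 4. Flatten the JSON AuditData payload into the columns an analyst filters on.
#    Field names (UserId, Workload, ObjectId) are the common audit schema; assumption.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $r.Operations
        User      = $d.UserId
        Workload  = $d.Workload
        Object    = $d.ObjectId
    }
}

# Pivot by activity type and workload: the same cut as the explorer's Location filter.
$rows | Group-Object Operation, Workload |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Incident drill-down: one user's DLP matches in time order (placeholder address).
$rows | Where-Object { $_.Operation -eq 'DlpRuleMatch' -and $_.User -eq 'alex@contoso.example' } |
    Sort-Object Time | Format-Table Time, Workload, Object -AutoSize
```

Run it interactively after authenticating; the paging loop is what keeps large tenants from truncating at 5000 records, and narrowing with -UserIds on Search-UnifiedAuditLog is the equivalent of the explorer's User filter when you already know the account under investigation.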
Summary of Differences
Content Explorer: Snapshot of classified data at rest. Refreshes every 48 hours. Shows labels and SITs. No user activity details.
Activity Explorer: Historical log of activities. Near real-time. Shows who did what, when, and where. Retains data for 30 days.
Enable Audit Logging
Before any data appears in Content Explorer or Activity Explorer, unified audit logging must be enabled. This is a prerequisite. In the Microsoft Purview compliance portal, go to Audit and click 'Start recording user and admin activity.' Alternatively, use PowerShell: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true. Once enabled, it can take up to 24 hours for the audit log to start populating. Without this, both explorers will show zero data. This is a common oversight in exam scenarios where an administrator complains that Activity Explorer is empty.
Configure Sensitivity Labels and Auto-Labeling
Sensitivity labels must be created and published to users. Labels can be applied manually or via auto-labeling policies. For Content Explorer to show items, those items must have a label or match a sensitive information type. Auto-labeling policies scan existing content and apply labels based on conditions (e.g., contains credit card number). This process can take up to 48 hours to complete. Without labels or SITs, Content Explorer will show zero classified items. The exam often tests that you need to have labels in place before Content Explorer becomes useful.
Wait for Content Explorer Data Refresh
Content Explorer refreshes its data every 48 hours. After labels are applied, you must wait up to 48 hours for the changes to appear. This is a hard limit; there is no manual refresh button. The refresh cycle is system-wide and cannot be triggered on demand. An exam question might present a scenario where an admin applies a label but doesn't see it in Content Explorer immediately. The correct answer is to wait up to 48 hours. The wrong answer might be 'restart the classification service' or 'run a PowerShell command to force refresh.'
View Content Explorer Summary
Once data is available, go to Data Classification > Content Explorer. The Summary tab shows the total number of items with sensitivity labels, retention labels, and sensitive info types. You can filter by location (SharePoint, Exchange, OneDrive) and drill down to specific items. The Items tab lists individual files with details such as label name, SIT matches, and last modified date. You can export up to 10,000 items to CSV. This step is critical for understanding your data posture and identifying where sensitive data is stored. The exam may ask you to identify which location has the most sensitive data based on the summary.
Monitor Activities in Activity Explorer
Activity Explorer shows near real-time activities. After enabling audit logging and applying labels, you can see activities like label application, DLP rule matches, and permission changes. Use filters to narrow down by date range, activity type, location, user, or label. For example, to see who applied a 'Confidential' label in the last 7 days, set the date range and filter by activity 'SensitivityLabelApplied' and label 'Confidential.' Data is retained for 30 days by default. The exam might test that you can use Activity Explorer to investigate a DLP incident by finding which user triggered a DLP policy and what file was involved.
In a large enterprise with over 10,000 users, Content Explorer is used monthly to audit the distribution of sensitive data. For example, a financial services company uses Content Explorer to ensure that credit card numbers (PCI-DSS) are only stored in approved SharePoint sites. The administrator exports the list of items containing credit card numbers and cross-references it with site permissions. In one such audit, they discovered that a legacy SharePoint site had 500 documents with credit card numbers accessible to all employees. Using Content Explorer, they identified the exact documents and locations, then remediated by restricting permissions or moving the data. The 48-hour refresh was acceptable for this monthly audit.
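The cross-referencing step in the audit above, as an added example that is not part of the chapter or of any Microsoft tooling: it takes a Content Explorer CSV export, reduces each item URL to its site collection, and flags credit-card-bearing items that live outside an approved-site allow-list, producing a remediation queue ordered by match count. The column headers (Location, SensitiveInfoType, SensitivityLabel, LastModified, MatchCount), the contoso.sharepoint.com URLs and the four sample rows are constructed for this example; map the headers to those of your own export and replace the here-string with Import-Csv.

```powershell
# Added example: offline analysis of a Content Explorer export against an approved-site list.
# Column names and sample rows are constructed; adapt them to the real export headers.
$approvedPciSites = @(
    'https://contoso.sharepoint.com/sites/PCI-CardData'   # constructed allow-list entry
)

# Constructed stand-in for the exported CSV (real input: Import-Csv .\content-explorer-export.csv)
$exportCsv = @'
Location,SensitiveInfoType,SensitivityLabel,LastModified,MatchCount
https://contoso.sharepoint.com/sites/PCI-CardData/Shared Documents/q1.xlsx,Credit Card Number,Highly Confidential,2024-03-02,12
https://contoso.sharepoint.com/sites/LegacyFinance/Shared Documents/old-orders.xlsx,Credit Card Number,,2019-07-14,50
https://contoso.sharepoint.com/sites/LegacyFinance/Shared Documents/refunds.docx,Credit Card Number,General,2020-01-09,3
https://contoso-my.sharepoint.com/personal/alex_contoso_com/Documents/notes.txt,U.S. Social Security Number (SSN),,2024-02-20,1
'@
$items = $exportCsv | ConvertFrom-Csv

# Reduce an item URL to its site collection (sites/, teams/ or personal/ path), else tenant root.
function Get-SiteUrl {
    param([string]$Url)
    if ($Url -match '^(https://[^/]+/(sites|teams|personal)/[^/]+)') { return $Matches[1] }
    return (($Url -split '/')[0..2] -join '/')
}

# Keep only the SIT under audit and tag each item with its site and approval status.
$findings = $items |
    Where-Object { $_.SensitiveInfoType -eq 'Credit Card Number' } |
    ForEach-Object {
        $site  = Get-SiteUrl $_.Location
        $label = if ($_.SensitivityLabel) { $_.SensitivityLabel } else { '(none)' }
        [pscustomobject]@{
            Site     = $site
            Item     = $_.Location
            Matches  = [int]$_.MatchCount
            Label    = $label
            Approved = ($approvedPciSites -contains $site)
        }
    }

# Per-site summary: where the card data sits and whether that site is sanctioned.
$findings | Group-Object Site | ForEach-Object {
    [pscustomobject]@{
        Site     = $_.Name
        Items    = $_.Count
        Matches  = ($_.Group | Measure-Object Matches -Sum).Sum
        Approved = $_.Group[0].Approved
    }
} | Format-Table -AutoSize

# Remediation queue: unapproved locations only, highest match count first.
$findings | Where-Object { -not $_.Approved } |
    Sort-Object Matches -Descending |
    Export-Csv -Path .\pci-out-of-place.csv -NoTypeInformation
```

Because a single export is capped at 10,000 items, run the export once per location or label filter and concatenate the files before feeding them in; the site-level grouping is what turns a long item list into the short remediation decision (restrict the site or move the data) described above.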
Activity Explorer is used daily by the security operations center (SOC) to investigate DLP alerts. For instance, when a DLP policy triggers on an email containing a social security number sent externally, the SOC analyst opens Activity Explorer, filters by DlpRuleMatch activity, and sees the sender, recipient, subject, and the specific rule that fired. They can then take action, such as blocking the user or refining the policy. The near real-time nature (5-15 min latency) is sufficient for most investigations. However, during a rapid incident response, the latency can be frustrating; the SOC sometimes uses the unified audit log directly via PowerShell for faster queries.
A common misconfiguration occurs when audit logging is not enabled. In one scenario, a company deployed DLP policies but saw no activities in Activity Explorer. The administrator assumed the policies were not working and spent days troubleshooting. The root cause was that audit logging was off. After enabling it, activities appeared within 30 minutes. This highlights the importance of the prerequisite. Another issue is that Content Explorer shows zero items because sensitivity labels are not applied. The administrator must ensure that auto-labeling policies are running or that users are trained to apply labels manually. In a hybrid environment, Content Explorer does not cover on-premises file servers unless they are scanned by the Microsoft Information Protection scanner, which is a separate deployment.
Performance considerations: In tenants with millions of items, Content Explorer may time out when loading the Items tab. Microsoft recommends using filters to narrow down the scope. For example, filter by location or label to reduce the result set. Exporting to CSV is limited to 10,000 items; for larger datasets, you must use multiple exports with filters. Activity Explorer can handle high volumes but may have slower response times if the date range is too broad. Best practice is to limit queries to 7 days or less.
The MS-102 exam tests Content Explorer and Activity Explorer under Objective 3.3: 'Monitor and investigate data by using Content Explorer and Activity Explorer.' Expect 2-3 questions that differentiate the two tools and their capabilities.
Common wrong answers:
1. 'Content Explorer shows real-time data' – Candidates confuse it with Activity Explorer. Content Explorer refreshes every 48 hours, not real-time.
2. 'Activity Explorer shows data at rest' – It shows activities, not current state. The correct answer is Content Explorer for data at rest.
3. 'Both explorers show all data in the tenant' – They only show classified data (labeled or matched SIT). Unclassified items are not displayed.
4. 'Content Explorer can be used to view DLP policy matches' – DLP matches appear in Activity Explorer, not Content Explorer.
Specific numbers and terms that appear verbatim:
48 hours (Content Explorer refresh interval)
30 days (default Activity Explorer retention)
5-30 minutes (Activity Explorer latency)
'SensitivityLabelApplied', 'DlpRuleMatch' (activity types)
'Content Explorer List Viewer' and 'Activity Explorer List Viewer' (required roles)
Edge cases the exam loves:
Audit logging disabled: Activity Explorer shows no data. The solution is to enable audit logging.
No labels applied: Content Explorer shows zero items. The solution is to publish and apply sensitivity labels.
Hybrid environment: Content Explorer does not cover on-premises data unless the Microsoft Information Protection scanner is deployed.
Custom SITs: Content Explorer can show items matching custom sensitive information types, provided they are used in classification.
How to eliminate wrong answers:
If the question asks about 'current location of sensitive data,' eliminate any answer mentioning Activity Explorer.
If the question asks about 'historical activities,' eliminate Content Explorer.
If the question mentions 'real-time' or 'near real-time,' it's Activity Explorer.
If the question mentions '48 hours,' it's Content Explorer.
Look for keywords: 'snapshot' = Content Explorer, 'audit trail' = Activity Explorer.
Content Explorer provides a snapshot of classified data at rest, refreshed every 48 hours.
Activity Explorer provides a near real-time audit trail of activities on classified data, retained for 30 days by default.
Unified audit logging must be enabled for both explorers to function.
Content Explorer only shows items with sensitivity labels, retention labels, or sensitive information type matches.
Activity Explorer shows activities such as SensitivityLabelApplied, DlpRuleMatch, and LabelRemoved.
The 48-hour refresh interval for Content Explorer cannot be manually triggered.
Activity Explorer latency is typically 5-15 minutes but can be up to 30 minutes.
To access Content Explorer, you need the Content Explorer List Viewer or Content Viewer role; for Activity Explorer, you need the Activity Explorer List Viewer role.
These come up on the exam all the time. Here's how to tell them apart.
Content Explorer
Shows data at rest (current state).
Refreshes every 48 hours.
Displays classified items only (labels or SITs).
Useful for data inventory and compliance audits.
Requires Content Explorer List Viewer role.
Activity Explorer
Shows historical activities (data in motion).
Near real-time (5-30 min latency).
Displays audit events (label applied, DLP match, etc.).
Useful for incident investigation and forensics.
Requires Activity Explorer List Viewer role.
Mistake
Content Explorer shows all files in the tenant.
Correct
Content Explorer only shows files that have been classified with a sensitivity label, retention label, or that match a sensitive information type. Unclassified files are not listed.
Mistake
Activity Explorer shows data in real time.
Correct
Activity Explorer is near real-time with a latency of 5-30 minutes. It is not instantaneous.
Mistake
Content Explorer can be used to see who accessed a sensitive file.
Correct
Content Explorer only shows where files are stored, not access history. For access history, use Activity Explorer.
Mistake
Both explorers require the same permissions.
Correct
Content Explorer requires the Content Explorer List Viewer or Content Viewer role. Activity Explorer requires the Activity Explorer List Viewer role. They are separate permissions.
Mistake
Activity Explorer retains data indefinitely.
Correct
By default, Activity Explorer retains data for 30 days. You can extend this with a custom audit retention policy if you have an E5 license or add-on.
Content Explorer shows zero items if no data has been classified with sensitivity labels, retention labels, or sensitive information types. Ensure that audit logging is enabled, labels are published and applied, and wait up to 48 hours for the first refresh. Also verify that the classification scanner has run. If you have applied labels manually, check that the items are in supported locations (SharePoint, OneDrive, Exchange, Teams).
Activity Explorer typically shows activities within 5-15 minutes, but it can take up to 30 minutes in some cases. This latency is due to the time required to process and index audit log entries. If you don't see an activity after 30 minutes, check that audit logging is enabled and that the activity type is supported (e.g., sensitivity label actions, DLP matches).
Yes, you can export up to 10,000 items from Content Explorer to a CSV file. Use the Export button on the Items tab. For larger datasets, you must apply filters to reduce the result set and export multiple times. The export includes details such as file name, location, label, and sensitive info type matches.
You need the Activity Explorer List Viewer role. This role can be assigned in the Microsoft Purview compliance portal under Roles & scopes. Users with this role can view all activities but cannot modify any settings. For Content Explorer, you need the Content Explorer List Viewer role (to see the list) or Content Explorer Content Viewer role (to view the actual content).
By default, no. Content Explorer only covers Microsoft 365 workloads: SharePoint Online, OneDrive for Business, Exchange Online, and Teams. To include on-premises file servers, you must deploy the Microsoft Information Protection scanner, which scans on-premises data and pushes classification metadata to Microsoft 365. That data will then appear in Content Explorer.
There is no direct PowerShell cmdlet for Content Explorer. However, you can use the Search-UnifiedAuditLog cmdlet to retrieve similar data, but it requires manual parsing. Content Explorer is primarily a GUI tool. For automated reporting, you can use the Microsoft 365 compliance center APIs or export CSV files.
Content Explorer does not have a retention period per se; it always shows the current snapshot of classified data. Activity Explorer retains historical activities for 30 days by default. You can extend this to up to 1 year with an appropriate license (E5) and a custom audit retention policy. Content Explorer data is refreshed every 48 hours, so it always reflects the latest classification state.