This chapter covers Content Explorer, a critical tool in Microsoft Purview for discovering and auditing sensitive data across Microsoft 365. Content Explorer is part of the Data Classification dashboard and allows compliance administrators to view files that match sensitive information types, sensitivity labels, or retention labels. On the SC-900 exam, approximately 5-10% of questions touch on data classification and content explorer, often focusing on its purpose, permissions, and how it differs from Activity Explorer. Understanding Content Explorer is essential for mastering the 'Compliance Solutions' domain, specifically objective 4.2: 'Describe the capabilities of data classification.'
Jump to a section
Content Explorer is like a library's card catalog system, but for an organization's digital files. In a library, the card catalog doesn't store the books themselves; it stores index cards that list each book's title, author, subject, and location on the shelves. When a librarian wants to find all books on 'cybersecurity,' they search the catalog and get a list of card entries, each pointing to a specific shelf. Similarly, Content Explorer doesn't copy files; it scans metadata—like file name, owner, sensitivity label, and last modified date—and builds a searchable index. When a compliance officer searches for 'credit card numbers,' Content Explorer queries its index and returns a list of files that match, along with their locations (SharePoint, OneDrive, Exchange). The officer can then drill into each file's properties without opening it. Just as the catalog may be incomplete if a book is mis-shelved, Content Explorer's results depend on proper labeling. If a file has no sensitivity label, it appears as 'unclassified' in the explorer. The library catalog also shows whether a book is checked out; Content Explorer shows whether a file is shared externally. This analogy holds because both systems are metadata-driven discovery tools that do not alter the original items, but provide a centralized view for efficient search and audit.
What is Content Explorer and Why Does It Exist?
Content Explorer is a read-only tool within the Microsoft Purview compliance portal that provides a top-level view of items that have been classified by Microsoft 365's automatic data classification engine. It exists to answer a fundamental compliance question: 'Where is my sensitive data?' Without Content Explorer, administrators would have to manually search through SharePoint Online, OneDrive for Business, and Exchange Online, which is impractical at enterprise scale. Content Explorer aggregates classification results into a single pane of glass, showing which files contain sensitive information types (e.g., credit card numbers, passport numbers), which sensitivity labels have been applied (e.g., Confidential, Highly Confidential), and which retention labels are assigned.
How Content Explorer Works Internally
Content Explorer does not perform real-time scanning. Instead, it relies on the results of scheduled and continuous data classification jobs that run in the background. These jobs are part of the Microsoft Purview Data Classification service, which uses: - Sensitive information types (SITs) – predefined or custom patterns (e.g., regex for credit card numbers, function checks for Luhn algorithm). - Trainable classifiers – machine learning models that identify content based on context (e.g., 'contract' or 'invoice'). - Sensitivity labels – labels published via Microsoft Purview Information Protection that are applied manually or automatically. - Retention labels – labels from Microsoft Purview Records Management.
The classification results are stored in a centralized index within the Microsoft 365 compliance backend. When you open Content Explorer, it queries this index to display:
The total count of classified items.
A breakdown by location (SharePoint, OneDrive, Exchange, Teams).
A list of matched SITs and labels.
For each item, metadata such as file name, path, last modified date, and who has access (if external sharing is enabled).
Key Components and Defaults
Content Explorer interface: Located in the Microsoft Purview compliance portal under Data Classification > Content Explorer. Requires the 'Content Explorer List Viewer' role or the 'Content Explorer Content Viewer' role to view file contents.
Data classification service: Scans content every 24 hours by default for new or changed files. You can manually trigger a full scan using the 'Start scanning' button in the Data Classification dashboard.
Supported locations: SharePoint Online, OneDrive for Business, Exchange Online (mailboxes), and Microsoft Teams (files stored in SharePoint and OneDrive).
Sensitive information types: Over 200 built-in types, including credit card number (credit_card_number), U.S. social security number (ssn), and passport number (passport_number). Each SIT has a defined confidence level (e.g., high, medium, low) based on pattern matching and keyword proximity.
Sensitivity labels: Defined in Microsoft Purview Information Protection. Labels can be applied automatically based on conditions (e.g., 'If credit card number found, apply Confidential label').
Retention labels: Defined in Records Management. They can be auto-applied based on SITs or trainable classifiers.
Configuration and Verification
To use Content Explorer, you must first enable data classification scanning. This is done via: 1. In the Purview compliance portal, go to Data Classification > Overview. 2. Click 'Start scanning' to initiate the first scan. Scanning can take up to 24 hours to complete for large tenants. 3. Ensure the appropriate roles are assigned: 'Content Explorer List Viewer' allows viewing the list of items; 'Content Explorer Content Viewer' allows viewing the actual content of files.
To verify that scanning is working:
Check the 'Data Classification' overview page for the number of classified items.
Use the following PowerShell command to check the status of classification jobs (requires Exchange Online PowerShell v2 module):
Connect-ExchangeOnline
Get-ClassificationRuleCollection | Format-Table Name, State, PriorityNote: The above command gets classification rule collections, not scan status. For scan status, use the compliance portal UI.
Interaction with Related Technologies
Content Explorer works with: - Activity Explorer: While Content Explorer shows a static snapshot of classified items, Activity Explorer shows real-time user activities (e.g., file accessed, label changed). Together they provide both inventory and audit. - Microsoft Defender for Cloud Apps: File policies in Defender for Cloud Apps can be used to detect and protect sensitive data in cloud apps, and results can be viewed in Content Explorer if the files are stored in Microsoft 365. - Microsoft Purview Data Loss Prevention (DLP): DLP policies can be configured to block or warn when sensitive data is shared externally. Content Explorer helps identify which files are at risk before a policy is created. - Microsoft Information Protection (MIP): Sensitivity labels are the cornerstone of MIP. Content Explorer shows which labels have been applied and where.
Detailed Step-by-Step: How a File Appears in Content Explorer
File Creation/Modification: A user creates a document in SharePoint Online containing a credit card number.
Automatic Classification: The next scheduled data classification scan (or a near-real-time scan if the file is modified) runs. The classification engine detects the credit card SIT using pattern matching and Luhn check.
Index Update: The classification result (file path, SIT matched, confidence level) is written to the centralized index.
Label Application (optional): If an auto-labeling policy exists that applies a 'Confidential' sensitivity label when a credit card is found, the label is applied at this point.
Content Explorer Query: When an administrator opens Content Explorer and filters by 'Credit Card Number' SIT, the tool queries the index and returns the file in the results.
Drill Down: The administrator can click on the file to see its metadata, including the exact SIT match, location, and whether it is shared externally.
Important Timers and Thresholds
Initial scan: Can take up to 24 hours for a full tenant scan.
Incremental scan: New or modified files are scanned within 1-2 hours typically, but this is not guaranteed.
Retention of classification data: Classification results are stored for up to 30 days after a file is deleted.
Maximum items displayed: Content Explorer shows up to 1,000 items per page. Use filters to narrow results.
Common Exam Traps
Content Explorer vs Activity Explorer: Content Explorer shows what is classified now; Activity Explorer shows what users did. Many candidates confuse the two.
Permissions: Content Explorer requires specific roles (List Viewer or Content Viewer). The 'Compliance Administrator' role alone is not sufficient.
Real-time: Content Explorer is NOT real-time; it relies on periodic scans. A file created 5 minutes ago may not appear yet.
Labels vs SITs: Content Explorer can be filtered by both sensitivity labels and sensitive information types. The exam may ask which filter to use for a given scenario.
Enable Data Classification Scanning
Before Content Explorer can show any results, the data classification service must be activated. In the Purview compliance portal, navigate to Data Classification > Overview. Click 'Start scanning' to initiate a full scan of all supported locations (SharePoint, OneDrive, Exchange). This scan runs as a background process and may take up to 24 hours for large tenants. During this time, Content Explorer will show 'No data' or partial results. The scan is a one-time initiation; after it completes, incremental scans run automatically every 1-2 hours for new or modified files. There is no PowerShell cmdlet to start this scan; it must be done via the UI.
Assign Required Roles
To view Content Explorer, administrators must be assigned one of two roles in the Microsoft Purview compliance portal: 'Content Explorer List Viewer' (allows viewing the list of files and metadata) or 'Content Explorer Content Viewer' (allows viewing the actual content of files). These roles are part of the 'Data Classification' role group. Without these roles, even a Global Admin cannot see Content Explorer data. The roles are assigned via the 'Permissions' section in the compliance portal under 'Data Classification' role group. Additionally, the user must have appropriate SharePoint or Exchange permissions to access the underlying data, but Content Explorer abstracts this.
Navigate to Content Explorer
Once scanning is active and roles are assigned, go to the Microsoft Purview compliance portal (https://compliance.microsoft.com). Under the 'Data Classification' section, select 'Content Explorer'. The interface loads a summary view showing the total number of classified items, broken down by location (SharePoint, OneDrive, Exchange). Below the summary, there is a filterable list of items. The list shows columns: File Name, Location, Sensitivity Label, Retention Label, Last Modified, and External Sharing. You can sort by any column. The page displays up to 1,000 items at a time; use the page navigation to see more.
Apply Filters to Find Specific Data
To narrow down results, use the filter options at the top of the list. Filters include: Sensitive Information Type (e.g., Credit Card Number, SSN), Sensitivity Label (e.g., Confidential, General), Retention Label (e.g., 7-Year Retention), Location (SharePoint, OneDrive, Exchange), and External Sharing status (Yes/No). The filters are cumulative. For example, selecting 'Credit Card Number' and 'External Sharing = Yes' will show only files containing credit card numbers that are shared externally. This is a common exam scenario: identifying files that pose a high risk. The filter options are dropdown menus populated from the scan results.
Drill Down into File Details
Clicking on a file name opens a details pane on the right side. This pane shows: file name, file path, owner, last modified date, file size, and the specific sensitive information types found (including count and confidence level). If the user has the 'Content Explorer Content Viewer' role, there is also a 'View content' button that opens the file in a read-only viewer. The viewer highlights the matched sensitive data (e.g., the credit card number is highlighted in red). This is useful for verifying false positives. The details pane also shows the sensitivity label and retention label applied to the file. If no label is applied, it shows 'Not classified'.
Export Results for Further Analysis
Content Explorer allows exporting the filtered results to a CSV file. To export, click the 'Export' button at the top of the list. The export includes all columns visible in the list (File Name, Location, Sensitivity Label, etc.), plus additional metadata like the exact SIT matches and confidence levels. The export limit is 100,000 rows. This is useful for integrating with external SIEM tools or for creating compliance reports. The CSV file is downloaded to the local machine. Note: The export does not include the file content itself, only metadata.
Enterprise Scenario 1: Identifying Exposed PII in a Healthcare Organization
A healthcare organization must comply with HIPAA and needs to ensure that patient health information (PHI) is not stored in unsecured locations like personal OneDrive folders or shared externally. The compliance team uses Content Explorer to filter by the 'U.S. Social Security Number' SIT and set 'External Sharing = Yes'. They discover 500 files containing SSNs that are shared with external users. The team then uses the export feature to create a list of these files and works with data owners to revoke external sharing or apply a 'Highly Confidential' sensitivity label that encrypts the files. The challenge is that Content Explorer only shows a snapshot; if a file is modified after the last scan, it may not be captured until the next incremental scan. To mitigate this, the team runs a manual full scan weekly. Performance is generally good for tenants up to 100,000 files; beyond that, filtering is essential to avoid timeouts.
Enterprise Scenario 2: Auditing Label Application in a Financial Services Firm
A financial services firm has deployed sensitivity labels to classify documents as 'Public', 'Internal', 'Confidential', and 'Highly Confidential'. They want to verify that all documents containing credit card information are labeled 'Confidential' or higher. Using Content Explorer, they filter by the 'Credit Card Number' SIT and then look at the 'Sensitivity Label' column. They find 200 files that have no label or are labeled 'Internal'. This indicates a gap in auto-labeling policies. The team then creates an auto-labeling policy that applies the 'Confidential' label whenever a credit card number is detected. After the policy is published, they re-scan and use Content Explorer to confirm that the label has been applied. A common pitfall: auto-labeling policies only apply to new or modified files; existing files require a manual re-scan or a PowerShell script to trigger classification.
Scenario 3: Investigating Data Exfiltration via Exchange
An employee is suspected of sending sensitive customer data via email. The security team uses Content Explorer to look at Exchange Online mailboxes. They filter by the 'Passport Number' SIT and the user's mailbox. Content Explorer shows all emails containing passport numbers in that mailbox, including sent items. They can see the email subject, date, and whether the email was sent externally. This helps the team identify which emails contained sensitive data and to whom they were sent. However, Content Explorer does not show the actual email content unless the user has the Content Viewer role. If the role is not assigned, they must use eDiscovery to retrieve the full email. This scenario highlights the need for proper role assignment before an incident occurs.
What SC-900 Tests on Content Explorer
SC-900 objective 4.2 specifically asks you to 'Describe the capabilities of data classification' within Microsoft Purview. Content Explorer is one of the key tools under this objective. The exam expects you to know:
The purpose of Content Explorer (discovery of classified items).
The difference between Content Explorer and Activity Explorer.
The roles required to access Content Explorer.
The types of data that can be discovered (SITs, sensitivity labels, retention labels).
That Content Explorer is read-only and does not perform actions.
Common Wrong Answers and Why Candidates Choose Them
'Content Explorer can apply sensitivity labels.' – This is wrong because Content Explorer is read-only. Candidates confuse it with auto-labeling policies. The correct answer is that Content Explorer only shows labels that have already been applied.
'Content Explorer shows real-time activity.' – This is wrong because Content Explorer shows a static snapshot based on periodic scans. Activity Explorer shows real-time user actions. Candidates mix up the two explorers.
'Any compliance administrator can view Content Explorer.' – This is wrong because Content Explorer requires specific roles (Content Explorer List Viewer or Content Viewer). The 'Compliance Administrator' role alone does not grant access. Candidates assume that the Compliance Administrator role has all permissions.
'Content Explorer can scan on-premises file shares.' – This is wrong because Content Explorer only works with Microsoft 365 workloads (SharePoint, OneDrive, Exchange, Teams). On-premises data requires Microsoft Purview Information Protection scanner or Azure Information Protection scanner. Candidates overestimate the scope.
Specific Numbers and Terms to Memorize
Roles: 'Content Explorer List Viewer' and 'Content Explorer Content Viewer'.
Scan frequency: Initial scan up to 24 hours; incremental scans every 1-2 hours.
Maximum items per page: 1,000.
Export limit: 100,000 rows.
Supported locations: SharePoint Online, OneDrive for Business, Exchange Online, Microsoft Teams (files in SharePoint and OneDrive).
Edge Cases the Exam Loves
Empty Content Explorer: If no scan has been run, Content Explorer shows 'No data'. The exam may ask why Content Explorer is empty, and the answer is that scanning has not been initiated.
Missing results: If a file was created 10 minutes ago, it may not appear. The exam tests that scanning is not real-time.
Content Viewer role: If a user can see the list but cannot view file content, they lack the 'Content Explorer Content Viewer' role.
How to Eliminate Wrong Answers
If a question asks about a tool that 'shows where sensitive data is located,' and the options include Content Explorer, Activity Explorer, and eDiscovery, remember: Content Explorer = static inventory; Activity Explorer = user activities; eDiscovery = search and export for legal cases. Also, if the question mentions 'real-time', it is not Content Explorer. If it mentions 'applying labels', it is not Content Explorer. Use these elimination rules.
Content Explorer is a read-only tool that shows classified items across Microsoft 365 (SharePoint, OneDrive, Exchange, Teams).
Data in Content Explorer comes from periodic scans (initial up to 24 hours, incremental every 1-2 hours).
Access requires specific roles: 'Content Explorer List Viewer' or 'Content Explorer Content Viewer'.
Content Explorer can filter by sensitive information types (SITs), sensitivity labels, retention labels, location, and external sharing status.
Content Explorer does NOT apply labels or perform actions; it only displays existing classification.
Content Explorer is different from Activity Explorer: Content = static inventory; Activity = real-time user actions.
Export results to CSV (up to 100,000 rows) for external reporting.
Content Explorer supports up to 1,000 items per page; use filters to narrow results.
These come up on the exam all the time. Here's how to tell them apart.
Content Explorer
Shows a static inventory of classified items (files, emails).
Data is based on periodic scans (not real-time).
Filters by sensitive information types, labels, location, external sharing.
Requires 'Content Explorer List Viewer' or 'Content Viewer' role.
Use case: 'Where is my sensitive data?'
Activity Explorer
Shows real-time user activities on classified items (e.g., label applied, file accessed).
Data is streamed in near real-time from audit logs.
Filters by activity type (e.g., label downgrade, file read), user, date range.
Requires 'Audit Log' role and audit logging enabled.
Use case: 'What are users doing with sensitive data?'
Mistake
Content Explorer can apply sensitivity labels to files.
Correct
Content Explorer is read-only. It only displays classification information that has already been applied by auto-labeling policies, manual labeling, or the data classification engine. To apply labels, you must use auto-labeling policies or the Microsoft Purview Information Protection client.
Mistake
Content Explorer shows real-time data and activities.
Correct
Content Explorer shows a snapshot of classified items based on periodic scans (initial scan up to 24 hours, incremental scans every 1-2 hours). Real-time user activities are shown in Activity Explorer, not Content Explorer.
Mistake
Any user with the Compliance Administrator role can access Content Explorer.
Correct
Access to Content Explorer requires specific roles: 'Content Explorer List Viewer' (view list) or 'Content Explorer Content Viewer' (view content). The Compliance Administrator role alone does not include these permissions.
Mistake
Content Explorer can scan on-premises file servers and third-party cloud apps.
Correct
Content Explorer only scans Microsoft 365 workloads: SharePoint Online, OneDrive for Business, Exchange Online, and Microsoft Teams. For on-premises data, use the Microsoft Purview Information Protection scanner. For third-party apps, use Microsoft Defender for Cloud Apps.
Mistake
Content Explorer stores a copy of all files it discovers.
Correct
Content Explorer does not store file copies. It stores metadata (file name, path, SIT matches, labels) in an index. File content is accessed on-demand via the 'View content' feature if the user has the Content Viewer role.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
To view Content Explorer, you need either the 'Content Explorer List Viewer' role (to see the list of files and metadata) or the 'Content Explorer Content Viewer' role (to also view file content). These roles are part of the Data Classification role group. The 'Compliance Administrator' role alone does not grant access. If you cannot see Content Explorer, verify your role assignment in the Purview compliance portal under Permissions > Data Classification.
Content Explorer may show no data if the data classification scan has not been started. Go to Data Classification > Overview and click 'Start scanning' to initiate the first scan. It can take up to 24 hours for the scan to complete. Also, ensure that your tenant has licensed workloads (e.g., SharePoint, OneDrive) and that files exist. If scanning is active but still no data, check that the appropriate roles are assigned.
No, Content Explorer only scans Microsoft 365 workloads: SharePoint Online, OneDrive for Business, Exchange Online, and Microsoft Teams (files stored in SharePoint/OneDrive). For on-premises file servers, you need the Microsoft Purview Information Protection scanner or Azure Information Protection scanner, which can then report to the same classification dashboard but not to Content Explorer.
Content Explorer updates based on periodic scans. The initial full scan can take up to 24 hours. After that, incremental scans run approximately every 1-2 hours to pick up new or modified files. There is no real-time update. If you need to see a file immediately, you can trigger a manual full scan from the Data Classification overview page.
Content Explorer shows a static inventory of classified items (files, emails) based on scans. It answers 'What is classified and where is it?' Activity Explorer shows real-time user activities on those items (e.g., label changes, file access) from audit logs. It answers 'What are users doing with classified data?' Both are under Data Classification in Purview but serve different purposes.
Yes, you can export the filtered results to a CSV file by clicking the 'Export' button. The export includes file metadata (name, location, labels, SITs) but not file content. The maximum export size is 100,000 rows. This is useful for creating compliance reports or integrating with other tools.
Yes, Content Explorer shows all files that have been scanned and matched at least one sensitive information type or have a label. Files that are not labeled and do not contain any sensitive information types may not appear unless they have a retention label. However, the default view includes all classified items; you can filter to show only unlabeled files by selecting 'No label' in the sensitivity label filter.
You've just covered Content Explorer for Data Discovery — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?