10.2 Content Explorer and Activity Explorer
Key Takeaways
- Content explorer shows a current snapshot of WHERE classified items live — every file tagged with a sensitivity label, retention label, or sensitive information type.
- Activity explorer shows WHAT HAPPENED — label changes, downgrades, file shares, and DLP matches over time.
- Content explorer requires elevated roles (Content Explorer List Viewer / Content Viewer) because it exposes the actual content of files.
- Both tools provide visibility only; they do not block, encrypt, or retain anything.
Content Explorer: Where Sensitive Data Lives
Once classification has tagged content, administrators need to see the results. Microsoft Purview provides two visibility tools in the data-classification area of the portal — Content explorer and Activity explorer — plus an Overview dashboard with classification cards. The exam tests the difference between them, and the simplest memory hook is Content explorer = WHERE; Activity explorer = WHAT HAPPENED.
Content explorer shows a current snapshot of all items in the organization that have been classified. It lets an administrator drill into every file that carries a sensitivity label, a retention label, or that matched a sensitive information type, and it shows the actual location of each item — the specific mailbox, SharePoint site, or OneDrive account. Because Content explorer can reveal the content of a flagged document, access is restricted by two specialized role groups:
- Content Explorer List Viewer — can see the list of items and where they are, but not open them.
- Content Explorer Content Viewer — can open and read the items themselves.
This two-tier permission model is a frequent exam detail: viewing a sensitive item is privileged and is not granted to ordinary global readers by default.
| Tool | Question it answers | Time frame | Typical use |
|---|---|---|---|
| Content explorer | Where do my labeled/sensitive items live right now? | Current snapshot | Find every file tagged Confidential or containing SSNs |
| Activity explorer | What actions happened to labeled/sensitive items? | Historical (up to ~30 days) | See who changed, downgraded, or shared a labeled file |
| Overview / classification cards | How much data is classified, by category? | Aggregated summary | Executive snapshot of classification posture |
Content explorer is the right answer when a scenario says an analyst needs to locate sensitive content, verify that auto-labeling worked, or see how many items match a SIT. It does not block or remediate — it is purely a window into the classified estate.
Activity Explorer: What Happened to the Data
Activity explorer is the historical companion to Content explorer. Rather than a snapshot of where data is, it shows a timeline of activities performed on classified and labeled content — typically the last 30 days of events. It surfaces actions such as:
- A sensitivity label being applied, changed, or removed (including label downgrades, where a user lowers a label from Confidential to General — a key insider-risk signal).
- Files being shared internally or externally, copied to USB, or printed (when endpoint events are flowing in).
- DLP rule matches and the actions taken (blocked, overridden, audited).
- Retention label application and removal.
Activity explorer pulls these events together so a compliance team can monitor how data is being used and whether label and DLP policies are working as intended. You can filter by activity type, location, user, sensitivity label, sensitive information type, or DLP policy. It feeds investigations but does not start them — it is a reporting surface.
The critical distinction for SC-900: both explorers are visibility only. They report on classification and labeling; they never block, encrypt, retain, or delete. If a scenario asks to prevent an action, the answer is DLP. If it asks to retain or delete on a schedule, the answer is retention. If it asks to search and review for a legal case, the answer is eDiscovery. The explorers only tell you what exists and what has happened.
The dividing line is scope. Activity explorer focuses narrowly on data classification and labeling activity inside Purview. Sentinel is the enterprise SIEM/SOAR that correlates signals across the whole environment, and the Purview Audit log (covered later in this chapter) records a far broader set of tenant operations. When the prompt centers on labels, sensitivity, and classified content, stay in Purview's Activity explorer; when it centers on incidents, correlation, or org-wide audit search, move on.
| Need | Right Purview surface |
|---|---|
| See where classified items currently are | Content explorer |
| See label changes / shares over the last 30 days | Activity explorer |
| Prevent sensitive data from being shared | Data loss prevention |
| Keep or delete content on a schedule | Retention |
| Search and review content for a legal case | eDiscovery |
The Overview Dashboard and a Worked Example
Alongside the two explorers, the data classification Overview page gives an aggregated, executive view: classification cards that count items by sensitive information type, by sensitivity label, and by retention label, plus the top SITs and top activities in the tenant. It is the leadership summary — how much classified data exists and what is happening to it — without drilling into individual files. Think of the three surfaces as a zoom level: Overview = aggregate counts, Content explorer = the actual items and their locations, Activity explorer = the timeline of actions.
A worked example ties them together. Suppose an organization just turned on auto-labeling for documents containing passport numbers and wants to confirm it is working:
- Open the Overview dashboard to see whether the count of items carrying the new label is rising — a quick health check.
- Open Content explorer to drill into the specific SharePoint sites and OneDrive accounts now holding those labeled documents, and spot-check that the right files were caught.
- Open Activity explorer to confirm the label-applied events are flowing and to watch for label downgrades that might indicate users overriding the automatic label.
Notice none of these steps changes anything — they only reveal state and history. To actually act (block a share, retain a record, run a legal search) you move to DLP, retention, or eDiscovery.
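The check in the third step, as an added example that is not part of the original page or any Microsoft tooling: it counts label-applied events for the auto-applied label and lists events that lowered or removed it. It assumes label events are available as records holding the old and new label; the field names, the label order in LABEL_RANK, and the sample events are all constructed for illustration and are not the Activity explorer schema.

```python
# Added example: label names, field names and events below are constructed,
# not the Activity explorer export schema.
LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}

SAMPLE_EVENTS = [
    {"user": "svc-autolabel", "file": "hr/passport-a.pdf", "old": None, "new": "Confidential"},
    {"user": "svc-autolabel", "file": "hr/passport-b.pdf", "old": None, "new": "Confidential"},
    {"user": "dana@contoso.example", "file": "hr/passport-a.pdf", "old": "Confidential", "new": "General"},
    {"user": "lee@contoso.example", "file": "hr/passport-b.pdf", "old": "Confidential", "new": None},
    {"user": "kim@contoso.example", "file": "fin/plan.xlsx", "old": "Confidential", "new": "Highly Confidential"},
    {"user": "kim@contoso.example", "file": "fin/old.docx", "old": "Internal", "new": "General"},
]


def classify(event):
    """Classify one label event by comparing old and new label rank."""
    old, new = event["old"], event["new"]
    if old is None and new is None:
        return "unchanged"
    if old is None:
        return "applied"
    if new is None:
        return "removed"
    if old not in LABEL_RANK or new not in LABEL_RANK:
        return "unknown"  # label missing from the rank table: review by hand
    if LABEL_RANK[new] < LABEL_RANK[old]:
        return "downgrade"
    return "upgrade" if LABEL_RANK[new] > LABEL_RANK[old] else "unchanged"


def review(events, auto_label):
    """Count applications of auto_label and list events that lowered or removed it."""
    applied = sum(1 for e in events
                  if classify(e) == "applied" and e["new"] == auto_label)
    overrides = [(e["user"], e["file"], classify(e)) for e in events
                 if e["old"] == auto_label and classify(e) in ("downgrade", "removed")]
    unknown = [e["file"] for e in events if classify(e) == "unknown"]
    return {"applied": applied, "overrides": overrides, "unknown": unknown}


if __name__ == "__main__":
    report = review(SAMPLE_EVENTS, "Confidential")
    print("label-applied events:", report["applied"])
    for user, path, kind in report["overrides"]:
        print(f"{kind}: {user} on {path}")
    print("needs manual review:", report["unknown"])
```

Events whose labels are missing from the rank table are reported separately rather than guessed at, since a downgrade can only be judged against a known label order.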
Exam reminders:
- Content explorer needs the Content Explorer List Viewer / Content Viewer roles; ordinary admins do not see file contents by default.
- Activity explorer's window is roughly the last 30 days of activity — it is not a long-term audit store. For long-term "who did what" investigations across the whole tenant, the Purview Audit log (covered later) is the right tool, and Microsoft Sentinel is the right tool for org-wide SIEM correlation.
- Both explorers are read-only visibility: they answer where and what happened, never prevent or retain.
A compliance analyst needs to find the exact SharePoint sites and mailboxes that currently hold files labeled 'Confidential'. Which tool fits best?
Which task is uniquely suited to Activity explorer rather than Content explorer?
Why is access to Content explorer restricted by special role groups such as Content Explorer Content Viewer?