Content Explorer & Activity Explorer: A Complete Guide for SC-900
Why Are Content Explorer and Activity Explorer Important?
Content Explorer and Activity Explorer are two critical tools within the Microsoft Purview compliance portal that help organizations understand and monitor their sensitive data. In today's regulatory environment, organizations must know what sensitive data they have, where it resides, and how it is being used. These two tools address those exact needs and are essential topics on the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam.
Understanding these tools demonstrates your knowledge of how Microsoft helps organizations achieve data visibility and governance — a core pillar of Microsoft's compliance solutions.
What Is Content Explorer?
Content Explorer is a feature within the Microsoft Purview compliance portal that provides a current snapshot of the items across your organization that have sensitivity labels, retention labels, or have been classified as a sensitive information type. It allows administrators and compliance officers to:
• View the actual content of items that contain sensitive data across Exchange, SharePoint, and OneDrive.
• See how many items match specific sensitive information types (e.g., credit card numbers, Social Security numbers).
• Drill down from a high-level summary into individual documents and emails.
• Browse by label or sensitive information type to understand the distribution of sensitive data.
Key points about Content Explorer:
- It shows a point-in-time view of classified or labeled data.
- Access requires specific role permissions: Content Explorer List Viewer (to see items in a list) and Content Explorer Content Viewer (to view the actual contents of files).
- It helps answer the question: "What sensitive data do we have and where is it?"
- Content Explorer is read-only — you cannot modify data from within it.
What Is Activity Explorer?
Activity Explorer provides visibility into what activities are being performed on content that has been labeled or classified. While Content Explorer tells you what data exists, Activity Explorer tells you what is happening to that data over time. It allows you to:
• Monitor activities such as labeling changes, file modifications, file moves, and data loss prevention (DLP) policy matches.
• Filter activities by date range, activity type, location, user, sensitivity label, and retention label.
• Track historical trends in how sensitive data is being handled across the organization.
• Detect potentially risky behavior related to sensitive content, such as label downgrades.
Key points about Activity Explorer:
- It provides a historical view of activities — not just a snapshot.
- Activities tracked include: label applied, label changed, label removed, DLP policy match, files read, files copied, files moved, files printed, and more.
- It works across Exchange, SharePoint, OneDrive, and endpoint devices.
- It helps answer the question: "What are users doing with our sensitive data?"
- Audit logging must be enabled for Activity Explorer to function properly.
How Do Content Explorer and Activity Explorer Work Together?
Think of these two tools as complementary:
1. Content Explorer = The "What" and "Where" — It identifies and locates sensitive content across your organization's workloads. It gives you the current state of your data landscape.
2. Activity Explorer = The "What's Happening" — It monitors and logs the actions taken on that sensitive content over time. It gives you the behavioral and historical context.
Together, they form the data classification overview in Microsoft Purview. The data classification dashboard in the compliance portal typically shows:
- An overview with top sensitive information types and top sensitivity/retention labels.
- Content Explorer for drilling into specific data.
- Activity Explorer for reviewing activities related to classified data.
How They Fit Into Microsoft's Compliance Framework
Both tools are part of the Know Your Data pillar in Microsoft's information protection framework, which consists of:
1. Know your data — Understand your data landscape (Content Explorer and Activity Explorer).
2. Protect your data — Apply sensitivity labels and encryption.
3. Prevent data loss — Implement DLP policies.
4. Govern your data — Retain, delete, and manage data lifecycle.
Roles and Permissions
This is a frequently tested area:
• Content Explorer List Viewer: Can see the list of items and their locations but cannot view the actual content of files.
• Content Explorer Content Viewer: Can view the actual content of the files. This is a highly privileged role.
• Global Admin and Compliance Admin roles do not automatically have Content Explorer Content Viewer access — it must be explicitly granted.
• Activity Explorer requires the Activity Explorer reader role or equivalent.
Exam Tips: Answering Questions on Content Explorer and Activity Explorer
Here are specific strategies to help you answer SC-900 questions on this topic:
1. Know the Key Distinction
The most common question type will test whether you can distinguish between the two tools. Remember:
- Content Explorer = See the data itself (what sensitive items exist and where).
- Activity Explorer = See the activities on the data (what users are doing with sensitive items).
If a question asks about viewing labeled documents, the answer is Content Explorer. If a question asks about tracking what happened to labeled documents, the answer is Activity Explorer.
2. Focus on Roles and Permissions
Expect questions about which roles allow viewing content vs. listing content. Remember that the Content Explorer Content Viewer role is required to see actual file contents, while the Content Explorer List Viewer role only lets you see the list/metadata.
3. Remember the Data Classification Dashboard
Both Content Explorer and Activity Explorer are accessed through the Data Classification section of the Microsoft Purview compliance portal. If a question mentions the data classification overview or dashboard, think of these two tools.
4. Audit Logging Dependency
Activity Explorer depends on audit logging being turned on. If a question presents a scenario where Activity Explorer shows no data, consider whether audit logging has been enabled.
5. Sensitive Information Types and Labels
Content Explorer displays items classified by:
- Sensitive information types (built-in and custom)
- Sensitivity labels
- Retention labels
- Trainable classifiers
If a question asks which tool shows items matching a sensitive information type, the answer is Content Explorer.
6. Scenario-Based Questions
Common scenarios include:
- "An admin wants to see how many documents contain credit card numbers" → Content Explorer
- "An admin wants to know if a user downgraded a sensitivity label on a document" → Activity Explorer
- "An admin needs to view the actual contents of a sensitive email" → Content Explorer with Content Explorer Content Viewer role
- "An admin wants a historical view of DLP policy matches" → Activity Explorer
7. Read-Only Nature
Both tools are read-only — they are for visibility and monitoring, not for applying or changing labels. If a question implies modifying labels or policies, these tools are not the correct answer.
8. Locations Covered
Both tools cover content across Exchange Online, SharePoint Online, OneDrive for Business, and for Activity Explorer, also endpoint devices (Windows 10/11). Remember this for questions about supported workloads.
9. Watch for Distractors
Common distractors in questions might include:
- Microsoft Defender for Cloud Apps (focuses on cloud app security, not data classification visibility)
- Compliance Manager (focuses on compliance posture and assessments, not data content)
- eDiscovery (focuses on legal discovery and holds, not ongoing data classification monitoring)
- Audit log search (provides raw audit logs, whereas Activity Explorer provides a curated, filtered view specific to labeled/classified content)
10. Key Vocabulary Cues
When you see these words in exam questions, map them to the right tool:
- "snapshot," "browse," "view items," "drill down" → Content Explorer
- "monitor," "track," "activities," "over time," "historical," "trend" → Activity Explorer
Summary Table
Content Explorer:
- Purpose: View what sensitive data exists and where
- Type of view: Point-in-time snapshot
- Key roles: Content Explorer List Viewer, Content Explorer Content Viewer
- Key question it answers: What sensitive data do we have?
Activity Explorer:
- Purpose: Monitor activities performed on sensitive data
- Type of view: Historical activity log
- Key roles: Activity Explorer reader
- Key question it answers: What is happening to our sensitive data?
By mastering these distinctions and tips, you will be well-prepared to answer any SC-900 question related to Content Explorer and Activity Explorer with confidence.
