This course introduces the Activity Explorer feature that’s found in the Microsoft 365 Compliance Center. We’ll start with an introductory look at what Activity Explorer is and then take a look at the labeling actions that get reported in Activity Explorer.
- Understand what Activity Explorer is
- Learn how to access the service
- Use Activity Explorer to view labeling activity in Microsoft 365
This course is intended for those who wish to learn about the Activity Explorer feature that’s found in the Microsoft 365 Compliance Center.
To get the most out of this course, you should already have a basic understanding of Microsoft 365.
Hello and welcome to Activity Explorer in Microsoft 365. In this lesson, you’ll learn what Activity Explorer is, where it’s accessed from, and what you can do with it.
When you browse into Data Classification, within the Microsoft 365 Compliance Center, you’re presented with a few different tabs. You have the Overview tab, the Trainable Classifiers tab, Sensitive Info Types, Exact Data Matches, Content Explorer, and Activity Explorer. Each of these tabs provides different insight into your Microsoft 365 environment.
While, the Overview tab, for example, provides snapshots of how sensitive info and labels are being used across your organization's locations, and the Content Explorer tab allows you to explore emails and documents within your organization that contain sensitive info or have labels applied, the Activity Explorer tab can be used to review activity that’s related to content containing sensitive information or content that has labels applied. You can, for example, use Activity Explorer to see what labels have been changed, or files that have been modified.
I should point out, though, that label activity is only monitored across Exchange, SharePoint, OneDrive, and endpoint devices at the time of this course publication. Microsoft does have plans to add more support for other products, so there may be additional support by the time you watch this video.
In a nutshell, Activity Explorer allows you to monitor what's being done with your labeled content, by providing a historical view of activities on that labeled content.
The information that Activity Explorer provides comes from the Microsoft 365 unified audit logs. It reports on a maximum of 30 days’ worth of data.
Before you can use Activity Explorer, you need to ensure auditing is enabled in your Microsoft 365 tenant so that it can record user and admin activity within the organization to the audit log. Once this data is recorded, it can be viewed in a report.
In order to enable auditing, you must be assigned the Audit Logs role in Exchange Online, within the Microsoft 365 organization. This role is assigned, by default, to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. I should also mention that Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online by default as well.
You need the proper role assignment in Exchange Online because the underlying PowerShell cmdlet that enables auditing is actually an Exchange Online PowerShell cmdlet.
Once you’ve enabled auditing, you can begin using Activity Explorer.
There are about a dozen and a half filters that are available in Activity Explorer. For example, you have Date Range, Activity Type, Location, User, Sensitivity Label, Retention Label, File Path, and lots of others.
As far as licensing goes, every user that needs to access and use data classification must have a license assigned to them from one of the subscriptions you see on your screen.
Before you can access the Activity Explorer tab in the Compliance Center, you have to be assigned permissions to do so. You must be explicitly assigned membership in any one of these role groups shown on your screen, or you must be explicitly granted one of the roles you see on your screen.
So, before we wrap up this lesson, lets’ just quickly recap. Activity Explorer is used to review activity that’s related to content containing sensitive information or content that has labels applied. You can, for example, use Activity Explorer to see what labels have been changed, or files that have been modified, across Exchange, SharePoint, OneDrive, and endpoint devices.
And before you start using Activity Explorer, you need to ensure auditing is enabled and that you have the proper licensing, permissions, and roles to do so.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.