Hello and welcome to Activity Explorer in Microsoft 365. In this lesson, you’ll learn what Activity Explorer is, where it’s accessed from, and what you can do with it.

When you browse into Data Classification, within the Microsoft 365 Compliance Center, you’re presented with a few different tabs. You have the Overview tab, the Trainable Classifiers tab, Sensitive Info Types, Exact Data Matches, Content Explorer, and Activity Explorer. Each of these tabs provides different insight into your Microsoft 365 environment.

While, the Overview tab, for example, provides snapshots of how sensitive info and labels are being used across your organization's locations, and the Content Explorer tab allows you to explore emails and documents within your organization that contain sensitive info or have labels applied, the Activity Explorer tab can be used to review activity that’s related to content containing sensitive information or content that has labels applied. You can, for example, use Activity Explorer to see what labels have been changed, or files that have been modified.

I should point out, though, that label activity is only monitored across Exchange, SharePoint, OneDrive, and endpoint devices at the time of this course publication. Microsoft does have plans to add more support for other products, so there may be additional support by the time you watch this video.

In a nutshell, Activity Explorer allows you to monitor what's being done with your labeled content, by providing a historical view of activities on that labeled content. 

The information that Activity Explorer provides comes from the Microsoft 365 unified audit logs. It reports on a maximum of 30 days’ worth of data.

Before you can use Activity Explorer, you need to ensure auditing is enabled in your Microsoft 365 tenant so that it can record user and admin activity within the organization to the audit log. Once this data is recorded, it can be viewed in a report.

In order to enable auditing, you must be assigned the Audit Logs role in Exchange Online, within the Microsoft 365 organization. This role is assigned, by default, to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. I should also mention that Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online by default as well.

You need the proper role assignment in Exchange Online because the underlying PowerShell cmdlet that enables auditing is actually an Exchange Online PowerShell cmdlet.

Once you’ve enabled auditing, you can begin using Activity Explorer.

There are about a dozen and a half filters that are available in Activity Explorer. For example, you have Date Range, Activity Type, Location, User, Sensitivity Label, Retention Label, File Path, and lots of others.

As far as licensing goes, every user that needs to access and use data classification must have a license assigned to them from one of the subscriptions you see on your screen.

Before you can access the Activity Explorer tab in the Compliance Center, you have to be assigned permissions to do so. You must be explicitly assigned membership in any one of these role groups shown on your screen, or you must be explicitly granted one of the roles you see on your screen.

So, before we wrap up this lesson, lets’ just quickly recap. Activity Explorer is used to review activity that’s related to content containing sensitive information or content that has labels applied. You can, for example, use Activity Explorer to see what labels have been changed, or files that have been modified, across Exchange, SharePoint, OneDrive, and endpoint devices.

And before you start using Activity Explorer, you need to ensure auditing is enabled and that you have the proper licensing, permissions, and roles to do so.