

Get started with Content Explorer (classic)

Content Explorer (classic) lets you natively view the items summarized on the overview page. When a document is encrypted, you can't access the document preview, and download is disabled to mitigate any security risks.

Prerequisites

Licensing

For information on licensing, see

Permissions

One set of permissions grants access to the content explorer tab, and a more restrictive set grants access to the items in content explorer.

Permissions to access the content explorer tab

To access the content explorer tab, assign an account membership in any one of these Entra ID roles or Purview roles. Membership in these roles doesn't grant permission to view the list of items in content explorer or to view the contents of the items in content explorer.

Entra ID roles

  • Compliance administrator
  • Security administrator
  • Compliance data administrator

Microsoft Purview Roles and Role Groups

You can use roles and role groups to fine-tune your access controls beyond the above guidance. Here's a list of applicable roles. To learn more about them, see Permissions in the Microsoft Purview portal.

  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

Here's a list of applicable role groups. To learn more, see Permissions in the Microsoft Purview portal.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

Required permissions to access items in content explorer

Access to content explorer is highly restricted because it lets you read the contents of scanned files. Therefore, you need additional permissions to access content explorer data.

These permissions supersede permissions that are locally assigned to the items, which allow viewing of the content. The roles that grant access to content explorer are:

  • Content Explorer List viewer: Membership in this role group allows you to see each item and its location in list view. The data classification list viewer role is preassigned to this role group.

  • Content Explorer Content viewer: Membership in this role group allows you to view the contents of each item in the list. The data classification content viewer role is preassigned to this role group. This role is also required to view the names of items in list view, which might contain sensitive data.

The account you use to access content explorer must be in one or both of the role groups. These are independent role groups and aren't cumulative. For example, if you want to grant an account the ability to view the items and their locations only, grant Content Explorer List viewer rights. If you want that same account to also be able to view the contents of the items in the list, grant Content Explorer Content viewer rights as well.

You can also assign either or both of the roles to a custom role group to tailor access to content explorer.

Holders of the Role management role in Microsoft Purview can assign the necessary Content Explorer List Viewer and Content Explorer Content Viewer role group membership.

Note

Content Explorer doesn't support administrative units. Members of role groups that have the data classification list viewer or data classification content viewer role receive these respective role permissions at the organization level and aren't restricted by administrative unit assignments within content explorer. For more on administrative unit support in Purview, see Administrative units support in Microsoft Purview.
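Because these roles apply organization-wide and can also sit in custom role groups, an access review has to look beyond the two built-in role groups. The following is an added example, not part of the original documentation: it lists every role group that carries either role, and that group's members. It assumes the ExchangeOnlineManagement module is installed and that role names in the Roles property may appear either bare or as a longer path ending in the role name.

```powershell
# Added example: review who can list or read items in content explorer.
# Assumes the ExchangeOnlineManagement module and an account that can read role groups.
Connect-IPPSSession

# The two roles named on this page. Any role group holding one of them,
# built-in or custom, grants the corresponding access at organization level.
$targetRoles = 'Data Classification List Viewer', 'Data Classification Content Viewer'

$report = foreach ($group in Get-RoleGroup) {
    # Assumption: an entry in Roles is either the bare role name or a path
    # that ends with it, so match on the suffix (case-insensitive).
    $held = foreach ($role in $targetRoles) {
        if ($group.Roles | Where-Object { "$_" -like "*$role" }) { $role }
    }
    if (-not $held) { continue }

    foreach ($member in Get-RoleGroupMember -Identity $group.Name) {
        [pscustomobject]@{
            RoleGroup      = $group.Name
            RolesHeld      = $held -join '; '
            Member         = $member.Name
            # Content viewer exposes file contents and item names, so flag it.
            CanReadContent = [bool]($held -match 'Content Viewer')
        }
    }
}

# Content-reading accounts first, then grouped by member for the review.
$report | Sort-Object @{ Expression = 'CanReadContent'; Descending = $true }, Member |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Administrative unit scoping will not narrow any row in this output, so each member listed should be justified against the whole organization's data.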

Content explorer

Content explorer shows a current snapshot of the items that have a sensitivity label, a retention label, or are classified as a sensitive information type in your organization.

Sensitive information types

A DLP policy helps protect sensitive information, which is defined as a sensitive information type. Microsoft 365 includes definitions for many common sensitive information types from across many different regions that are ready for you to use. For example, credit card numbers, bank account numbers, and national ID numbers.

Sensitivity labels

A sensitivity label is a tag that indicates the value of the item to your organization. You can apply it manually or automatically. Once applied, the label gets embedded in the document and follows the document everywhere it goes. A sensitivity label enables various protective behaviors, such as mandatory watermarking or encryption.

You must enable sensitivity labels for files in SharePoint and OneDrive for the corresponding data to surface in the data classification page. For more information, see Enable sensitivity labels for files in SharePoint and OneDrive.

Encrypted sensitivity labels don't surface on content explorer for SharePoint and OneDrive.

Retention labels

A retention label lets you define how long to keep a labeled item and the steps to take before deleting it. You can apply them manually or automatically through policies. They help your organization stay in compliance with legal and regulatory requirements.

How to use content explorer

  1. Sign in to the Microsoft Purview portal > Solutions > Data Lifecycle Management > Explorers > Content explorer.
  2. If you know the name of the label or the sensitive information type, type it into the filter box.
  3. Alternatively, you can browse for the item by expanding the label type and selecting the label from the list.
  4. Select a location under All locations and drill down the folder structure to the item.
  5. Double-click to open the item natively in content explorer.

Export

The export control creates a .csv file that contains a listing of whatever the focus of the pane is.

Note

It can take up to seven days for counts to update in content explorer and 14 days for files that are in SharePoint.

Filter

When you drill down into a location, such as an Exchange or Teams folder, or a SharePoint or OneDrive site, the Filter tool appears.

The scope of the search tool is what displays in the All locations pane. What you can search on varies depending on the selected location.

When you select Exchange or Teams, you can search on the full email address of the mailbox, for example user@domainname.com.

When you select SharePoint or OneDrive, you can search on site names, folders, and files.

You can search on:

Value | Example
Full site name | https://contoso.onmicrosoft.com/sites/sitename
File name | RES_Resume_1234.txt
Text at the beginning of file name | RES
Text after an underscore character ( _ ) in file name | Resume or 1234
File extension | txt

Provide match or not a match accuracy feedback in content explorer

In Content explorer, you can see how many matches a sensitive information type (SIT) or trainable classifier has. You can also give feedback on whether an item is actually a match by using the Match and Not a Match feedback options. Use this feedback to improve your classifiers. For more information, see Increase classifier accuracy.

Note

When you update a Sensitive Information Type (SIT) definition, the classification of existing files doesn't change unless you alter those files. This behavior means that the new SIT definition doesn't automatically reclassify the existing files; only the files that you modify are reevaluated and classified based on the updated SIT criteria. However, any new file you create after modifying the SIT definition is evaluated according to the latest SIT definition.

Email attachment preview

For Exchange items, content explorer supports the preview of email attachments without the need to download the email. The following email attachment file types are supported: .doc, .docx, .xlsx, .xls, .xlsm, .xlsb, .pptx, .pdf, .txt, .csv, .html, .xml, .json, .rtf, .cpp, .cs, .py, .jpg, .png, .jpeg, and .eml.

Content explorer document preview supports Excel files up to 25 MB.
