Get started with data explorer

Data explorer allows you to natively view the items that were summarized on the overview page.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

Prerequisites

For licensing requirements, see Information Protection: Data Classification Analytics: Overview Content & Activity Explorer

Permissions

In order to get access to the data explorer tab, an account must be assigned membership in any one of these roles or role groups.

Microsoft Entra ID roles

• Global administrator
• Compliance administrator
• Security administrator
• Compliance data administrator

Important

Membership in these roles doesn't allow you to view the list of items in content explorer or to view the contents of the items in data explorer.

Required permissions to access items in data explorer

Access to data explorer is highly restricted because it lets you read the contents of scanned files.

Important

These permissions supersede permissions that are locally assigned to the items, which allow viewing of the content. There are two roles that grant access to data explorer and it's granted using the Microsoft Purview compliance portal:

• Data Explorer List viewer: Membership in this role group allows you to see each item and its location in list view. The data classification list viewer role has been pre-assigned to this role group.

• Data Explorer Content viewer: Membership in this role group allows you to view the contents of each item in the list. The data classification content viewer role has been pre-assigned to this role group. Additionally, this role is also required to view name of items in list view, which may contain sensitive data.

Note

Data Explorer doesn't support administrative units. Members of role groups that have the data classification list viewer or data classification content viewer role will receive these respective role permissions at the organization level and will not be restricted by administrative unit assignments within content explorer. For more on administrative unit support in Purview, see Administrative units support in Microsoft Purview. The account you use to access data explorer must be in one or both of the role groups. These are independent role groups and aren't cumulative. For example, if you want to grant an account the ability to view the items and their locations only, grant Data Explorer List viewer rights. If you want that same account to also be able to view the contents of the items in the list, grant Data Explorer Content viewer rights as well.

You can also assign either or both of the roles to a custom role group to tailor access to content explorer.

Role management role holders in Microsoft Purview can assign the necessary Data Explorer List Viewer, and Data Explorer Content Viewer role group membership.

Microsoft Purview Roles and Role Groups

There are roles and role groups that you use to fine tune your access controls.

Here's a list of applicable roles. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

• Information Protection Admin
• Information Protection Analyst
• Information Protection Investigator
• Information Protection Reader

Here's a list of applicable role groups. To learn more, see Permissions in the Microsoft Purview compliance portal.

• Information Protection
• Information Protection Admins
• Information Protection Analysts
• Information Protection Investigators
• Information Protection Readers

Data explorer

Data explorer shows a current snapshot of the items that have a sensitivity label, a retention label or have been classified as a sensitive information type in your organization.

Sensitive information types

A DLP policy can help protect sensitive information, which is defined as a sensitive information type. Microsoft 365 includes definitions for many common sensitive information types from across many different regions that are ready for you to use. For example, a credit card number, bank account numbers, and national ID numbers.

Sensitivity labels

A sensitivity label is simply a tag that indicates the value of the item to your organization. It can be applied manually, or automatically. Once applied, the label gets embedded in the document and will follow the document everywhere it goes. A sensitivity label enables various protective behaviors, such as mandatory watermarking or encryption.

Sensitivity labels must be enabled for files that are in SharePoint and OneDrive in order for the corresponding data to surface in the data classification page. For more information, see Enable sensitivity labels for files in SharePoint and OneDrive.

Retention labels

A retention label allows you to define how long a labeled item is kept and the steps to be taken prior to deleting it. They're applied manually or automatically via policies. They can play a role in helping your organization stay in compliance with legal and regulatory requirements.

Trainable Classifiers

A trainable classifiers allows you to identify sensitive data by using examples of the data you're interested in rather than identifying elements in the item (pattern matching). You can use built-in classifiers or train a classifier with your own content.

How to use data content explorer

1. Depending on the portal you're using, navigate to one of the following locations:

   • Sign in to the Microsoft Purview portal > Solutions > Data Lifecycle Management > Explorers > Data explorer.

   • Sign in to the Microsoft Purview compliance portal > Solutions > Data classification > Data explorer.

2. If you know the name of the label, classifiers or the sensitive information type, you can type that into the filter box.

3. Alternately, you can browse for the item by expanding the type and selecting the type from the list.

4. Select a data source under Data source and drill down the folder structure to the item.

5. Double-click to open the item natively in data explorer.

Export

The export control will create a .csv file that contains a listing of whatever the focus of the pane is.

Note

It can take up to seven days for counts to be updated in data content explorer, fourteen days for files that are in SharePoint.

Filter

When you drill down into a location, such as an Exchange or Teams folder, or a SharePoint or OneDrive site, the Filter tool appears.

The scope of the search tool is what is displaying in the All locations pane and what you can search on varies depending on the selected location.

When Exchange or Teams is the selected location, you can search on the full email address of the mailbox, for example user@domainname.com.

When either SharePoint or OneDrive are selected location, the search tool will appear when you drill down to site names, folders and files.

You can search on:

value	example
full site name	https://contoso.onmicrosoft.com/sites/sitename
file name	RES_Resume_1234.txt
text at the beginning of file name	RES
text after an underscore character ( _ ) in file name	Resume or 1234
file extension	txt

Provide match/not a match accuracy feedback in data explorer

You can view the number of matches a SIT or trainable classifier has in Data explorer. You can also provide feedback on whether an item is actually a match or not using the Match, Not a Match feedback mechanism and use that feedback to tune your classifiers. See, Increase classifier accuracy for more information.

See also

• Learn about sensitivity labels
• Learn about retention policies and retention labels
• Sensitive information type entity definitions.md
• Learn about Microsoft Purview Data Loss Prevention