Identify user activities reported by Microsoft Purview Activity Explorer (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Identify user activities reported by Microsoft Purview Activity Explorer


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand how Microsoft Purview Activity Explorer helps administrators investigate user activities involving sensitive information. Activity Explorer provides visibility into how sensitive data is accessed, shared, modified, labeled, or protected across Microsoft 365 services. It is an important investigative tool for identifying potential data protection and governance risks.


What Is Microsoft Purview Activity Explorer?

Microsoft Purview Activity Explorer is an investigation tool that displays activities involving sensitive information and Microsoft Purview protection technologies across Microsoft 365.

Rather than preventing actions, Activity Explorer helps administrators answer questions such as:

  • Who accessed sensitive information?
  • Which files contained sensitive data?
  • Was a sensitivity label applied or removed?
  • Did a Data Loss Prevention (DLP) policy trigger?
  • Was confidential information shared externally?
  • When did a particular activity occur?

Activity Explorer provides a searchable history of events so administrators can investigate potential compliance and security incidents.


Purpose of Activity Explorer

The primary purpose of Activity Explorer is to provide visibility into how organizational data is being used and protected.

It helps organizations:

  • Investigate compliance incidents
  • Monitor sensitive information usage
  • Validate Microsoft Purview policy effectiveness
  • Support audits
  • Identify risky user behavior
  • Understand how sensitive data moves throughout Microsoft 365

How Activity Explorer Fits into Microsoft Purview

Activity Explorer works alongside several Microsoft Purview solutions.

| Microsoft Purview Solution | Purpose |
|---|---|
| Information Protection | Applies sensitivity labels |
| Data Loss Prevention (DLP) | Prevents inappropriate sharing of sensitive data |
| Data Classification | Identifies sensitive information |
| Insider Risk Management | Investigates risky user behavior |
| Activity Explorer | Displays activities involving protected or sensitive content |

Think of Activity Explorer as the investigation dashboard that brings many of these activities together.


User Activities Reported by Activity Explorer

Activity Explorer records many different activities related to sensitive information.

1. Sensitivity Label Activities

Administrators can identify when users:

  • Apply sensitivity labels
  • Remove sensitivity labels
  • Change sensitivity labels
  • Automatically receive labels
  • Manually classify documents

Example:

A user changes a document from Confidential to Public.

Activity Explorer records:

  • User
  • File
  • Previous label
  • New label
  • Time of change

2. Data Loss Prevention (DLP) Activities

Activity Explorer reports when DLP policies detect sensitive information.

Examples include:

  • Email blocked
  • File upload blocked
  • USB copy blocked
  • External sharing blocked
  • Policy warning shown
  • Policy override used

Example:

A user attempts to email customer credit card numbers.

The DLP policy detects the data and Activity Explorer records the event.


3. Sensitive Information Detection

Activity Explorer records when Microsoft identifies sensitive information types such as:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Driver’s license numbers
  • Bank account numbers
  • Tax identification numbers
  • Healthcare identifiers

The tool helps administrators understand where sensitive information exists.


4. File Activities

Activity Explorer can display events involving files that contain sensitive information.

Examples include:

  • File created
  • File modified
  • File deleted
  • File copied
  • File downloaded
  • File shared
  • File moved

5. Sharing Activities

Administrators can investigate file-sharing behavior.

Examples:

  • Internal sharing
  • External sharing
  • Anonymous sharing links
  • Sharing permission changes
  • Sharing sensitive documents

These activities help identify potential data exposure risks.


6. Email Activities

Activity Explorer can report events involving protected email messages.

Examples include:

  • Email containing sensitive information
  • Protected email
  • Label changes
  • DLP policy matches

7. Teams Activities

Activity Explorer includes activities related to Microsoft Teams when supported by Microsoft Purview policies.

Examples include:

  • Sensitive information shared in Teams chats
  • Files shared in Teams
  • DLP policy matches
  • Protected documents shared

8. SharePoint and OneDrive Activities

Common activities include:

  • Sensitive file uploads
  • Downloads
  • External sharing
  • Label application
  • DLP events
  • File modifications

Information Displayed for Each Activity

Each event typically includes:

  • Date and time
  • User
  • Workload (Exchange, Teams, SharePoint, OneDrive)
  • Activity type
  • Policy involved
  • Sensitive information detected
  • Sensitivity label
  • File name
  • Location
  • Severity (when applicable)

This information helps investigators quickly understand what occurred.


Filtering Activity Explorer

Administrators can filter results by:

  • User
  • Date range
  • Workload
  • Activity type
  • Policy
  • Sensitive information type
  • Sensitivity label
  • Location
  • Service
  • File name

Filtering makes investigations faster and more targeted.


Common Investigation Scenarios

Scenario 1: External File Sharing

Question:

Has confidential information been shared outside the organization?

Activity Explorer allows investigators to:

  • Find externally shared files
  • Identify the user
  • Determine whether a DLP policy triggered
  • Review sensitivity labels

Scenario 2: Sensitive Information Discovery

Question:

Where are customer Social Security numbers stored?

Activity Explorer can identify:

  • Files
  • Users
  • Locations
  • Labels
  • Detection events

Scenario 3: Label Investigation

Question:

Who removed the Confidential label from a document?

Activity Explorer shows:

  • User
  • Time
  • Original label
  • New label
  • File involved

Scenario 4: DLP Policy Review

Question:

Which users triggered the most DLP alerts this week?

Administrators can filter DLP events by:

  • User
  • Policy
  • Date
  • Severity
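
The triage logic behind Scenarios 3 and 4, as an added example that is not part of the original post or Microsoft's own code. It runs over constructed events; the field names, activity names, and label ordering are assumptions for illustration, not the real Activity Explorer export schema.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events. Keys follow the fields this page lists (time, user,
# activity type, label, file); they are assumptions, not the real export schema.
EVENTS = [
    {"time": "2025-03-03T09:12:00", "user": "adele@contoso.example",
     "activity": "LabelChanged", "file": "q1-forecast.xlsx",
     "old_label": "Confidential", "new_label": "Public"},
    {"time": "2025-03-04T11:40:00", "user": "megan@contoso.example",
     "activity": "LabelChanged", "file": "roadmap.pptx",
     "old_label": "General", "new_label": "Confidential"},
    {"time": "2025-03-05T15:02:00", "user": "alex@contoso.example",
     "activity": "LabelRemoved", "file": "contract.docx",
     "old_label": "Confidential", "new_label": None},
    {"time": "2025-03-04T08:30:00", "user": "adele@contoso.example", "activity": "DLPRuleMatch"},
    {"time": "2025-03-05T08:45:00", "user": "adele@contoso.example", "activity": "DLPRuleMatch"},
    {"time": "2025-03-06T17:20:00", "user": "alex@contoso.example", "activity": "DLPRuleMatch"},
    {"time": "2025-02-20T10:00:00", "user": "alex@contoso.example", "activity": "DLPRuleMatch"},
]

# Assumed label order, lowest to highest sensitivity; None means "no label".
LABEL_RANK = {None: 0, "Public": 1, "General": 2, "Confidential": 3}

def label_downgrades(events):
    """Scenario 3: label changes or removals that lowered a file's sensitivity."""
    hits = []
    for e in events:
        if e["activity"] not in ("LabelChanged", "LabelRemoved"):
            continue
        # An upgrade (General -> Confidential) is not a finding; a downgrade is.
        if LABEL_RANK[e["new_label"]] < LABEL_RANK[e["old_label"]]:
            hits.append((e["time"], e["user"], e["file"], e["old_label"], e["new_label"]))
    return hits

def top_dlp_users(events, week_end, days=7):
    """Scenario 4: DLP match counts per user in the window ending at week_end."""
    start = week_end - timedelta(days=days)
    counts = Counter(
        e["user"] for e in events
        if e["activity"] == "DLPRuleMatch"
        and start <= datetime.fromisoformat(e["time"]) < week_end
    )
    return counts.most_common()  # highest count first

if __name__ == "__main__":
    print(label_downgrades(EVENTS))
    print(top_dlp_users(EVENTS, datetime(2025, 3, 8)))
```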

Relationship to Microsoft 365 Copilot

As organizations deploy Microsoft 365 Copilot, understanding how sensitive information is used becomes increasingly important.

Activity Explorer helps administrators:

  • Verify that sensitivity labels are being applied
  • Review DLP policy activity
  • Monitor how protected information is handled
  • Investigate suspicious sharing activities
  • Support governance for content that Copilot may reference based on users’ existing permissions

Although Activity Explorer does not monitor Copilot prompts or responses directly, it helps administrators understand the underlying data protection activities associated with Microsoft 365 content.


Difference Between Activity Explorer and Audit Logs

These tools are related but serve different purposes.

| Activity Explorer | Microsoft Purview Audit |
|---|---|
| Focuses on sensitive information activities | Records broad user and administrator activities |
| Highlights DLP and sensitivity label events | Records nearly all Microsoft 365 events |
| Designed for data protection investigations | Designed for security, compliance, and auditing |
| Optimized for Microsoft Purview investigations | Optimized for overall audit history |

Best Practices

Organizations should:

  • Regularly review Activity Explorer.
  • Investigate repeated DLP policy matches.
  • Monitor external sharing of sensitive files.
  • Review sensitivity label changes.
  • Use filters to focus investigations.
  • Integrate findings with Insider Risk Management when appropriate.
  • Periodically validate that Purview policies are functioning as expected.

AB-900 Exam Tips

Remember these key points for the exam:

  • Activity Explorer is an investigation tool.
  • It reports activities involving sensitive information and Microsoft Purview protections.
  • It displays DLP events, sensitivity label activities, sharing events, and sensitive information detections.
  • It helps administrators investigate compliance and governance risks.
  • Activity Explorer complements Audit logs but focuses specifically on data protection activities.
  • Administrators can filter activities by user, workload, policy, label, activity type, and date.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Purview Activity Explorer?

A. Create Microsoft 365 user accounts

B. Display activities involving sensitive information and Microsoft Purview protections

C. Configure Conditional Access policies

D. Reset user passwords

Correct Answer: B

Explanation: Activity Explorer helps administrators investigate activities involving sensitive information, DLP events, sensitivity labels, and other Microsoft Purview protection technologies.


Question 2

Which activity would most likely appear in Activity Explorer?

A. BIOS firmware updates

B. Windows device driver installation

C. A user applies a Confidential sensitivity label to a document

D. Printer toner replacement

Correct Answer: C

Explanation: Applying or changing sensitivity labels is one of the primary activities tracked by Activity Explorer.


Question 3

Which Microsoft Purview feature commonly generates events that are visible in Activity Explorer?

A. Microsoft Intune

B. Windows Update

C. Active Directory Sites and Services

D. Data Loss Prevention (DLP)

Correct Answer: D

Explanation: Activity Explorer records DLP policy matches, alerts, overrides, and other related events.


Question 4

An administrator wants to determine who shared a sensitive document externally. Which Microsoft Purview tool should they use?

A. Activity Explorer

B. Windows Event Viewer

C. Device Manager

D. Microsoft Paint

Correct Answer: A

Explanation: Activity Explorer displays sharing activities involving sensitive information, including external sharing events.


Question 5

Which information can administrators use to filter Activity Explorer results?

A. CPU temperature

B. Printer model

C. User name, activity type, and date range

D. Network cable type

Correct Answer: C

Explanation: Activity Explorer supports filtering by user, workload, activity type, policy, label, location, and date range.


Question 6

Which statement best describes Activity Explorer?

A. It permanently blocks sensitive file sharing.

B. It investigates activities involving protected or sensitive information.

C. It replaces Microsoft Defender Antivirus.

D. It encrypts every Microsoft 365 file automatically.

Correct Answer: B

Explanation: Activity Explorer is designed for investigation and reporting rather than prevention.


Question 7

Which Microsoft 365 workloads can contribute activities to Activity Explorer?

A. Only Microsoft Excel

B. Only Microsoft Teams

C. Only Exchange Online

D. Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams

Correct Answer: D

Explanation: Activity Explorer collects supported events from multiple Microsoft 365 workloads to provide a comprehensive view of sensitive data activities.


Question 8

What can an administrator determine by reviewing Activity Explorer?

A. Which BIOS version users are running

B. Which sensitive information types were detected in organizational content

C. The amount of available disk space on each device

D. Which printer is the default printer

Correct Answer: B

Explanation: Activity Explorer displays detections of sensitive information types such as credit card numbers, Social Security numbers, and other classified data.


Question 9

How does Activity Explorer differ from Microsoft Purview Audit?

A. Activity Explorer focuses on sensitive information and data protection activities, while Audit records a broader range of Microsoft 365 events.

B. Activity Explorer stores passwords.

C. Audit only records Teams activities.

D. Both tools provide identical information.

Correct Answer: A

Explanation: Activity Explorer specializes in Microsoft Purview-related activities, while Audit provides broader auditing across Microsoft 365.


Question 10

Why is Microsoft Purview Activity Explorer valuable in organizations using Microsoft 365 Copilot?

A. It records every Copilot prompt entered by users.

B. It replaces Copilot security permissions.

C. It helps administrators monitor the protection and handling of sensitive Microsoft 365 content that Copilot may access based on existing permissions.

D. It automatically blocks all Copilot responses.

Correct Answer: C

Explanation: Activity Explorer helps administrators understand how sensitive content is protected and used within Microsoft 365, supporting governance for data that Copilot can access according to user permissions.

