πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AB-900 Domain 2
Domain 2 β€” Module 9 of 10 90%
19 of 28 overall

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free
Domain 2: Data Protection & Governance Premium ⏱ ~10 min read

Activity Explorer & Data Monitoring

Activity Explorer shows what's happening to your data β€” who's labelling, sharing, and accessing sensitive content. Combined with alerts from DLP, Insider Risk, and Communication Compliance, it gives you full visibility.

Your data monitoring toolkit

β˜• Simple explanation

Think of three different security camera views.

Content Explorer = the inventory camera β€” shows you WHAT sensitive data exists and WHERE. β€œThere are 340 documents with credit card numbers in the Finance SharePoint site.”

Activity Explorer = the motion camera β€” shows you WHAT’S HAPPENING to that data. β€œ12 users downloaded labelled documents this week. 3 DLP policies triggered.”

Alerts = the alarm system β€” notifies you when something needs immediate attention. β€œSam just tried to email a Confidential file externally.”

Purview provides layered monitoring: Content Explorer discovers and catalogs sensitive data across M365 locations. Activity Explorer tracks user interactions with that data (labelling, sharing, DLP events, policy matches). Alerts from DLP, Insider Risk, and Communication Compliance notify admins of specific incidents requiring action.

Content Explorer β€” what data do you have?

Content Explorer lets you browse sensitive content discovered across your tenant:

What It ShowsExample
Sensitive info type matches847 documents with credit card numbers
Sensitivity label distribution2,400 files labelled Confidential, 180 labelled Highly Confidential
Trainable classifier matches95 documents classified as β€œContracts” by AI
Location breakdownFinance SharePoint: 340 sensitive docs. HR SharePoint: 210 sensitive docs

Key exam concept: Content Explorer answers β€œWHAT sensitive data do we have and WHERE?” β€” it’s the discovery tool. You use it BEFORE setting up DLP policies to understand what you need to protect.

Activity Explorer β€” what’s happening to your data?

Activity Explorer shows real-time data about user activities:

Activity TypeWhat It Tracks
LabellingSensitivity labels applied, changed, or removed
DLP matchesPolicies triggered, actions taken (warn, block)
File activitiesCopies, moves, downloads, prints, uploads
SharingInternal and external sharing events
Endpoint activitiesUSB copies, cloud uploads from devices
πŸ’‘ Scenario: Priya investigates a data trend

Priya (Northwave’s Compliance Officer) uses Activity Explorer weekly:

This week’s findings:

  • πŸ“ˆ 47 β€œlabel removed” events (users removing Confidential labels before sharing)
  • πŸ”΄ 12 DLP blocks (mostly Marketing sharing campaign data externally)
  • πŸ“‹ 3 files copied to USB drives (flagged by endpoint DLP)
  • ⚠️ 1 user removed labels on 15 documents in one hour

Actions:

  • Investigate the label-removal trend β†’ are users deliberately bypassing protection?
  • Review DLP blocks with Marketing β†’ are the policies too strict, or is there a real risk?
  • Follow up on the USB copy events β†’ is this an authorised data transfer?
  • Escalate the single-user label removal β†’ possible Insider Risk case

Alerts across Purview tools

Each Purview tool generates its own alerts:

Alert sources in Microsoft Purview
Alert SourceWhat Triggers ItWhere to Review
DLP alertsSensitive data sharing matches a DLP policyPurview β†’ DLP β†’ Alerts
Insider Risk alertsUser behaviour matches a risk patternPurview β†’ Insider Risk β†’ Alerts
Communication Compliance alertsMessage content matches a compliance policyPurview β†’ Communication Compliance β†’ Alerts
DSPM for AI alertsSensitive data accessed via AI toolsPurview β†’ DSPM for AI

The alert lifecycle

  1. Triggered β†’ automatic based on policy match
  2. Review β†’ admin investigates the alert details
  3. Action β†’ resolve, escalate, dismiss as false positive
  4. Close β†’ mark as resolved with resolution notes

🎬 Video walkthrough

🎬 Video coming soon

Activity Explorer & Monitoring β€” AB-900 Module 19

Activity Explorer & Monitoring β€” AB-900 Module 19

~8 min

Flashcards

Question

What's the difference between Content Explorer and Activity Explorer?

Click or press Enter to reveal answer

Answer

Content Explorer shows WHAT sensitive data exists and WHERE (inventory). Activity Explorer shows WHAT'S HAPPENING to that data β€” labelling, sharing, DLP events, file activities (real-time monitoring).

Click to flip back
Question

Where do you review DLP alerts?

Click or press Enter to reveal answer

Answer

Microsoft Purview β†’ Data Loss Prevention β†’ Alerts. Each alert shows what was detected, who triggered it, which policy matched, and what action was taken (warn, block, audit).

Click to flip back

Knowledge Check

Knowledge Check

Priya wants to understand what types of sensitive data exist across Northwave's SharePoint sites BEFORE creating DLP policies. Which tool should she use first?

Next up: Oversharing in SharePoint β€” the #1 risk for Copilot deployments and the tools to detect and fix it.

← Previous

Compliance Manager & eDiscovery

Next β†’

Oversharing in SharePoint

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.