Microsoft Purview · Data Loss Prevention

Information Protection Investigators

Access Content Explorer to view in-place rendering of DLP-matched files for deep investigation.

Scope: Deep investigation with file content access for DLP and classification incidents

Permissions

  • All Information Protection Analyst permissions (DLP alerts, Activity Explorer)
  • Access Content Explorer to view actual file content in rendered format
  • View in-place rendering of documents (Word, Excel, PowerPoint, PDF)
  • See classified and labeled file content across SharePoint, OneDrive, Exchange
  • Export evidence files and metadata for formal investigations
  • Review sensitive data in context of DLP policy matches
  • Search Content Explorer by sensitivity label or sensitive info type
  • View file properties, labels, and protection settings
  • Access content from administrative units if scoped
  • Filter content by location, label, sensitive info type, or user

Common use cases

  • Investigating serious data exfiltration incidents and IP theft
  • Legal review of potential trade secret or confidential information leakage
  • Forensic analysis of suspected data breach or insider threat attempts
  • Confirming true versus false positive DLP policy matches before enforcement action
  • Regulatory compliance investigations requiring file content review
  • Insider Risk Management case investigations with file evidence
  • eDiscovery preview of classified documents before full legal hold
  • Sensitive data inventory and classification validation projects

Best practices

  • Access Content Explorer only when truly necessary for investigation
  • Document clear justification for each file view in investigation log
  • Maintain proper chain of custody for all evidence files
  • Coordinate with legal counsel before reviewing sensitive or privileged content
  • Use Privileged Identity Management (PIM) for just-in-time access where possible
  • Export and preserve evidence securely with appropriate encryption
  • Minimize scope of content review to only files necessary for investigation
  • Use search filters to narrow results before viewing content
  • Review Content Explorer audit logs periodically for appropriate use
  • Establish investigation playbooks that define when Content Explorer access is appropriate
  • Consider privacy implications when viewing employee personal files
  • Coordinate with HR and legal on employment law compliance

Security considerations

  • Extremely sensitive - can view actual file content of labeled and classified documents
  • Must comply with privacy laws and employment regulations (GDPR, CCPA, etc.)
  • All Content Explorer access is logged and auditable via unified audit log
  • Should be limited to senior investigators and legal team members only
  • Consider using Privileged Identity Management (PIM) for time-limited access
  • Must maintain separation from Information Protection Admins role for checks and balances
  • Attorney-client privileged content may be visible - coordinate with legal
  • Personal employee data may be accessible - ensure HR coordination
  • Content Explorer results may include executive or board-level documents
  • Administrative units scope content but investigators still need proper authorization

Common questions

When should I assign the Information Protection Investigators role?

Assign Information Protection Investigators when you need to: Investigating serious data exfiltration incidents and IP theft; Legal review of potential trade secret or confidential information leakage; Forensic analysis of suspected data breach or insider threat attempts; Confirming true versus false positive DLP policy matches before enforcement action; and Regulatory compliance investigations requiring file content review. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Information Protection Investigators role do?

The Information Protection Investigators role grants permissions including: All Information Protection Analyst permissions (DLP alerts, Activity Explorer); Access Content Explorer to view actual file content in rendered format; View in-place rendering of documents (Word, Excel, PowerPoint, PDF); See classified and labeled file content across SharePoint, OneDrive, Exchange; Export evidence files and metadata for formal investigations; and Review sensitive data in context of DLP policy matches. See the Permissions section above for the full list.

What are the security risks of the Information Protection Investigators role?

Key considerations when assigning Information Protection Investigators: Extremely sensitive - can view actual file content of labeled and classified documents; Must comply with privacy laws and employment regulations (GDPR, CCPA, etc.); All Content Explorer access is logged and auditable via unified audit log; and Should be limited to senior investigators and legal team members only. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →