Microsoft Purview · Data Loss Prevention

Information Protection Investigators

Access Content Explorer to view in-place rendering of DLP-matched files for deep investigation.

Scope: Deep investigation with file content access for DLP and classification incidents

Permissions

  • All Information Protection Analyst permissions (DLP alerts, Activity Explorer)
  • Access Content Explorer to view actual file content in rendered format
  • View in-place rendering of documents (Word, Excel, PowerPoint, PDF)
  • See classified and labeled file content across SharePoint, OneDrive, Exchange
  • Export evidence files and metadata for formal investigations
  • Review sensitive data in context of DLP policy matches
  • Search Content Explorer by sensitivity label or sensitive info type
  • View file properties, labels, and protection settings
  • Access content from administrative units if scoped
  • Filter content by location, label, sensitive info type, or user

Common use cases

  • Investigating serious data exfiltration incidents and IP theft
  • Legal review of potential trade secret or confidential information leakage
  • Forensic analysis of suspected data breach or insider threat attempts
  • Confirming true versus false positive DLP policy matches before enforcement action
  • Regulatory compliance investigations requiring file content review
  • Insider Risk Management case investigations with file evidence
  • eDiscovery preview of classified documents before full legal hold
  • Sensitive data inventory and classification validation projects

Best practices

  • Access Content Explorer only when truly necessary for investigation
  • Document clear justification for each file view in the investigation log
  • Maintain proper chain of custody for all evidence files
  • Coordinate with legal counsel before reviewing sensitive or privileged content
  • Use Privileged Identity Management (PIM) for just-in-time access where possible
  • Export and preserve evidence securely with appropriate encryption
  • Minimize scope of content review to only files necessary for investigation
  • Use search filters to narrow results before viewing content
  • Review Content Explorer audit logs periodically for appropriate use
  • Establish investigation playbooks that define when Content Explorer access is appropriate
  • Consider privacy implications when viewing employee personal files
  • Coordinate with HR and legal on employment law compliance

Security considerations

  • Extremely sensitive: members can view the actual file content of labeled and classified documents
  • Must comply with privacy laws and employment regulations (GDPR, CCPA, etc.)
  • All Content Explorer access is logged and auditable via the unified audit log
  • Should be limited to senior investigators and legal team members only
  • Consider using Privileged Identity Management (PIM) for time-limited access
  • Must maintain separation from the Information Protection Admins role for checks and balances
  • Attorney-client privileged content may be visible; coordinate with legal
  • Personal employee data may be accessible; ensure HR coordination
  • Content Explorer results may include executive or board-level documents
  • Administrative units scope content but investigators still need proper authorization
