M365 Show Podcast

The Hidden Map Connecting Users and Files in M365



Have you ever wondered who’s really collaborating on your most sensitive files in Microsoft 365? Most admins see only fragments, but with Graph Explorer, you can trace every connection—from group memberships to the content users actually touch—across services like Teams, SharePoint, and OneDrive. Today, I’ll show you exactly how to map those hidden digital relationships. The patterns you uncover might just surprise you.

Why Your M365 Data Isn’t as Isolated as You Think

If you’ve ever managed a Microsoft 365 tenant, you already know the basics: SharePoint for files, Teams for chat, OneDrive for personal storage. On the surface, these apps look like separate silos. Most admin centers encourage this thinking, with dashboards and role-based controls that treat each area like its own island. But in the real world, those walls barely exist. Access isn’t just about a file’s location anymore. It’s about who’s connected to whom – and how far those connections reach.

Say you find a sensitive contract sitting in a SharePoint library. You run a permissions check, see the owner and maybe a group or two, so you assume you’ve mapped the risk. But is that really the full story? Let’s say half the marketing team swapped links to that contract in Teams only yesterday, or worse, someone dropped a guest link into a group chat. The file you thought was locked down has quietly circulated through channels you’ll never spot with the basic admin tools. That scenario isn’t rare—it’s daily reality in most midsize and large organizations.

What really trips people up is how group memberships tie into all of this. Permissions move fluidly. The moment you add a user to a group, you’re not just letting them into the Teams chat—you’ve likely also granted them access to SharePoint sites, OneDrive folders, and maybe even external shares the group had permission to create. These connections branch out in unpredictable ways. Basic dashboards will tell you when a group’s membership changed, maybe even where, but try uncovering which files that person can now access and you’ll be hunting for hours, flipping between audit logs and permission exports.

It gets even muddier with group chats and Teams channels. Files don’t just live behind SharePoint URLs anymore. People drop them into chat, pull them down to OneDrive, and push them back up to loop in new collaborators. A quarterly report moves from one SharePoint site to a Teams channel; suddenly it’s stored in multiple places with multiple layers of access. A single file can straddle SharePoint, OneDrive, and Teams all at once—each platform holding a fragment of its activity trail. No wonder admins worry about compliance gaps.

One research study out of the UK found that 68% of organizations using Microsoft 365 had at least one significant blind spot—where official permissions did not match actual file access patterns. That’s not always from carelessness; it’s often because changes ripple across the environment in ways the admin tools don’t track. For example, if someone in finance needs access to a sensitive folder for just one project, they might get added to a security group. Suddenly, they gain access not only to the folder, but also to other files the group can see—even if those weren’t on anyone’s radar. The original manager likely isn’t notified. The global admin only sees the group’s new membership, not the downstream file access. The audit trail becomes a mess of partial stories.

For organizations under pressure to prove compliance—think finance, healthcare, or any large enterprise—those missed links are a real headache. Regulators don’t care that Microsoft’s admin UI only shows fragments. If data leaks or inappropriate sharing are possible, it’s your job to spot it. Even for internal collaboration, the side effects add up: duplicate files, broken folders, confused users who see content they shouldn’t. You end up spending more time untangling permissions and chasing incomplete audit reports than actually managing strategy.

One of the clearest examples I’ve run into was a mid-sized consultancy where a sensitive client folder was sitting inside a locked SharePoint site. Two weeks later, a new consulting hire joined the client’s project group. A week after that, the same folder ended up attached to a Teams chat with an external guest. By the time IT noticed, the folder’s access story included a brand-new group member, a Teams link, an external OneDrive share—and almost no audit log tied all those pieces together. Their admin dashboards showed a neat list of users, but the file’s real history stretched across four services and three different audit logs.

This level of interconnectedness isn’t some rare quirk. It’s baked into how Microsoft 365 is architected—a benefit for agile teams, but a minefield for anyone managing governance or risk. Adding a user to a single group or team isn’t just a checkbox. It’s a ripple that touches file permissions, chat access, folder sharing, even the ability to invite external guests. It’s all stitched together under the hood, but unless you know where the threads run, you’ll always be missing part of the map.

So if it feels like you’re always one step behind risky file sharing or missed compliance flags, you’re not alone. The default UI and audit tools in M365 only ever tell half the story. But here’s where it starts to get interesting: every user action, every permission change, builds out this “hidden map.” Most tools don’t even acknowledge it exists, let alone trace it. But Graph Explorer? That’s built to shine a light on those hidden connections. Once you see what’s really tied together, you’ll start to spot sharing patterns and risks you never knew were there. And to do that, you’ll need a different approach—one that actually reveals these relationships, step by step.

Tracing a User’s Digital Footprint: From ID to Every File Touchpoint

If you’ve ever had to answer, “What did this user actually do across our entire environment?” you already know it’s never just mailbox activity or sign-ins. The first thing people reach for is usually audit logs or the Azure portal, maybe a PowerShell script or two. The reality is, that’s the shallow end. Most admins get as far as a login date, or maybe a few items in the user’s mailbox, then stop. But if you need to answer real questions—like why Sarah from sales somehow downloaded a document two levels deep in a SharePoint site she’s never visited before—those basic checks don’t get you far. It’s not about just one area, either. Users cross boundaries all day long. I’ve seen admins try to piece it together from different admin centers, flipping between SharePoint, Teams, and OneDrive, hoping to spot a pattern. Most give up when it stops making sense, or when the raw data just gets overwhelming.

So let’s say you’re starting with something simple—a user ID. That’s your anchor. What do you actually do with it? Picture the regular approach: search the user, look for login records, maybe a handful of recent files they touched, and hope nothing jumps out as a red flag. That’s barely scraping the surface. What about their group memberships? Half the time, the files a user can access come from the groups they’re in, not their personal permissions. Did they get added to a “Marketing” group last Tuesday? Congratulations—they probably got access to a dozen SharePoint libraries and a handful of private channels in Teams you didn’t even know were connected. If someone shared a folder or kicked off a Teams discussion tied to that group, there’s every chance the files they can now touch include content far outside their original permissions.

Where things get interesting—and more useful—is building out the full map with Graph Explorer. This isn’t just searching through static audit logs. Graph Explorer is like turning on x-ray mode for your organization. You start with the user object. Every user in M365 has one—a tidy little bundle of attributes, none of which tell the full story alone. The real trick is pivoting. With a single query, you can look up all the groups that user is currently a member of. But you’re not limited to just memberships—you can keep following the thread. From each group, you can branch into the files that group has permission to access, and from there, zoom out again to which sharing links exist, who’s accessed those files, or even whether those files showed up in a Teams conversation last week. The beauty is that you’re not guessing anymore—you’re mapping the real digital footprint instead of filling in the blanks.

It’s pretty common to run into raw data overload at this point, which is where something like $select comes in. You don’t want every last property of every file or membership; you want specifics. Maybe you just want the timestamp of the last time a file was modified, or a list of sharing links with external permissions. $select lets you call out exactly what you want, so you’re not scrolling forever, or waiting ten minutes for a payload with 60 columns you’ll never use. It’s surgical, not shotgun. For example, let’s walk through a chain: start by querying the user and return just their ID and display name with $select. Next, pivot to their groups—again, pick out just the group IDs and names. Each of those groups may have its own collection of files, typically via SharePoint document libraries linked behind the scenes. Query those file collections, and you can get just the file names and sharing links, if that’s what you care about. With one more step, you pivot to each sharing link and ask: who’s accessed this file, and when? That final detail is the payoff—suddenly, you’re not assuming who saw the contract or the project plan. You’re looking at the actual trail, start to finish.

Sometimes, these queries turn into full investigations. In one case, a law firm spotted a data leak. Their logs told them when the file left the tenant, but not how. By pivoting from the user to their group membership, then jumping to files acces
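The user-to-groups-to-files-to-sharing-links chain described above, written out as an added example (not code from the podcast) against Microsoft Graph v1.0 URLs with $select trimming each hop and @odata.nextLink paging handled. `fetch` is a hypothetical callable that performs an authenticated GET and returns the parsed JSON body; the `FAKE` responses are constructed stand-ins for a real tenant, and the "who accessed it, and when" step is left out because it needs a separate audit source.

```python
# Added example, not the podcast's code: walk the user -> groups -> files -> sharing-links
# chain with Microsoft Graph v1.0 URLs. `fetch` is a hypothetical callable that GETs a
# Graph URL and returns the parsed JSON body (in a real tenant: requests + a bearer token).
from typing import Callable, Dict, Iterator, List
GRAPH = "https://graph.microsoft.com/v1.0"

def groups_query(user_id: str) -> str:
    # OData cast keeps only group objects; $select trims the payload to what we pivot on
    return f"{GRAPH}/users/{user_id}/memberOf/microsoft.graph.group?$select=id,displayName"

def files_query(group_id: str) -> str:
    return f"{GRAPH}/groups/{group_id}/drive/root/children?$select=id,name,webUrl"

def permissions_query(group_id: str, item_id: str) -> str:
    return f"{GRAPH}/groups/{group_id}/drive/items/{item_id}/permissions"

def page(url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    # Graph pages collections; follow @odata.nextLink or you silently miss items
    while url:
        body = fetch(url)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")

def map_user_footprint(user_id: str, fetch: Callable[[str], dict]) -> List[Dict]:
    """One row per (group, file, sharing link) the user reaches through group membership."""
    rows = []
    for group in page(groups_query(user_id), fetch):
        for item in page(files_query(group["id"]), fetch):
            for perm in page(permissions_query(group["id"], item["id"]), fetch):
                link = perm.get("link")  # absent for direct grants to a named principal
                if link:
                    rows.append({"group": group["displayName"], "file": item["name"],
                                 "scope": link.get("scope"), "type": link.get("type")})
    return rows

def risky_links(rows: List[Dict]) -> List[Dict]:
    # anonymous links need no sign-in at all; organization links reach the whole tenant
    return [r for r in rows if r["scope"] in ("anonymous", "organization")]

# Constructed responses keyed by URL, standing in for a real tenant (second page included)
FAKE = {
    groups_query("u1"): {"value": [{"id": "g1", "displayName": "Marketing"}]},
    files_query("g1"): {"value": [{"id": "f1", "name": "contract.docx"}],
                        "@odata.nextLink": files_query("g1") + "&$skiptoken=page2"},
    files_query("g1") + "&$skiptoken=page2": {"value": [{"id": "f2", "name": "plan.xlsx"}]},
    permissions_query("g1", "f1"): {"value": [
        {"id": "p1", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"}},
        {"id": "p2", "roles": ["write"], "grantedToV2": {"user": {"displayName": "Owner"}}}]},
    permissions_query("g1", "f2"): {"value": [{"id": "p3", "roles": ["read"], "link": {"scope": "users", "type": "view"}}]},
}
```

Calling `map_user_footprint("u1", FAKE.__getitem__)` walks the constructed tenant; point `fetch` at an authenticated GET to run the same walk against a live one.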


M365 Show Podcast, by Mirko