The Hidden Map Connecting Users and Files in M365

Have you ever wondered who’s really collaborating on your most
sensitive files in Microsoft 365? Most admins see only fragments,
but with Graph Explorer, you can trace every connection—from
group memberships to the content users actually touch—across
services like Teams, SharePoint, and OneDrive. Today, I’ll show
you exactly how to map those hidden digital relationships. The
patterns you uncover might just surprise you.


Why Your M365 Data Isn’t as Isolated as You Think


If you’ve ever managed a Microsoft 365 tenant, you already know
the basics: SharePoint for files, Teams for chat, OneDrive for
personal storage. On the surface, these apps look like separate
silos. Most admin centers encourage this thinking, with
dashboards and role-based controls that treat each area like its
own island. But in the real world, those walls barely exist.
Access isn’t just about a file’s location anymore. It’s about
who’s connected to whom – and how far those connections reach.Say
you find a sensitive contract sitting in a SharePoint library.
You run a permissions check, see the owner and maybe a group or
two, so you assume you’ve mapped the risk. But is that really the
full story? Let’s say half the marketing team swapped links to
that contract in Teams only yesterday, or worse, someone dropped
a guest link into a group chat. The file you thought was locked
down has quietly circulated through channels you’ll never spot
with the basic admin tools. That scenario isn’t rare—it’s daily
reality in most midsize and large organizations.What really trips
people up is how group memberships tie into all of this.
Permissions move fluidly. The moment you add a user to a group,
you’re not just letting them into the Teams chat—you’ve likely
also granted them access to SharePoint sites, OneDrive folders,
and maybe even external shares the group had permission to
create. These connections branch out in unpredictable ways. Basic
dashboards will tell you when a group’s membership changed, maybe
even where, but try uncovering which files that person can now
access and you’ll be hunting for hours, flipping between audit
logs and permission exports.It gets even muddier with group chats
and Teams channels. Files don’t just live behind SharePoint URLs
anymore. People drop them into chat, pull them down to OneDrive,
and push them back up to loop in new collaborators. A quarterly
report moves from one SharePoint site to a Teams channel;
suddenly it’s stored in multiple places with multiple layers of
access. A single file can straddle SharePoint, OneDrive, and
Teams all at once—each platform holding a fragment of its
activity trail. No wonder admins worry about compliance gaps.One
research study out of the UK found that 68% of organizations
using Microsoft 365 had at least one significant blind spot—where
official permissions did not match actual file access patterns.
That’s not always from carelessness; it’s often because changes
ripple across the environment in ways the admin tools don’t
track. For example, if someone in finance needs access to a
sensitive folder for just one project, they might get added to a
security group. Suddenly, they gain access not only to the
folder, but also to other files the group can see—even if those
weren’t on anyone’s radar. The original manager likely isn’t
notified. The global admin only sees the group’s new membership,
not the downstream file access. The audit trail becomes a mess of
partial stories.For organizations under pressure to prove
compliance—think finance, healthcare, or any large
enterprise—those missed links are a real headache. Regulators
don’t care that Microsoft’s admin UI only shows fragments. If
data leaks or inappropriate sharing are possible, it’s your job
to spot it. Even for internal collaboration, the side effects add
up: duplicate files, broken folders, confused users who see
content they shouldn’t. You end up spending more time untangling
permissions and chasing incomplete audit reports than actually
managing strategy.One of the clearest examples I’ve run into was
a mid-sized consultancy where a sensitive client folder was
sitting inside a locked SharePoint site. Two weeks later, a new
consulting hire joined the client’s project group. A week after
that, the same folder ended up attached to a Teams chat with an
external guest. By the time IT noticed, the folder’s access story
included a brand-new group member, a Teams link, an external
OneDrive share—and almost no audit log tied all those pieces
together. Their admin dashboards showed a neat list of users, but
the file’s real history stretched across four services and three
different audit logs.This level of interconnectedness isn’t some
rare quirk. It’s baked into how Microsoft 365 is architected—a
benefit for agile teams, but a minefield for anyone managing
governance or risk. Adding a user to a single group or team isn’t
just a checkbox. It’s a ripple that touches file permissions,
chat access, folder sharing, even the ability to invite external
guests. It’s all stitched together under the hood, but unless you
know where the threads run, you’ll always be missing part of the
map.So if it feels like you’re always one step behind risky file
sharing or missed compliance flags, you’re not alone. The default
UI and audit tools in M365 only ever tell half the story. But
here’s where it starts to get interesting: every user action,
every permission change, builds out this “hidden map.” Most tools
don’t even acknowledge it exists, let alone trace it. But Graph
Explorer? That’s built to shine a light on those hidden
connections. Once you see what’s really tied together, you’ll
start to spot sharing patterns and risks you never knew were
there. And to do that, you’ll need a different approach—one that
actually reveals these relationships, step by step.


Tracing a User’s Digital Footprint: From ID to Every File
Touchpoint


If you’ve ever had to answer, “What did this user actually do
across our entire environment?” you already know it’s never just
mailbox activity or sign-ins. The first thing people reach for is
usually audit logs or the Azure portal, maybe a PowerShell script
or two. The reality is, that’s the shallow end. Most admins get
as far as a login date, or maybe a few items in the user’s
mailbox, then stop. But if you need to answer real questions—like
why Sarah from sales somehow downloaded a document two levels
deep in a SharePoint site she’s never visited before—those basic
checks don’t get you far. It’s not about just one area, either.
Users cross boundaries all day long. I’ve seen admins try to
piece it together from different admin centers, flipping between
SharePoint, Teams, and OneDrive, hoping to spot a pattern. Most
give up when it stops making sense, or when the raw data just
gets overwhelming.So let’s say you’re starting with something
simple—a user ID. That’s your anchor. What do you actually do
with it? Picture the regular approach: search the user, look for
login records, maybe a handful of recent files they touched, and
hope nothing jumps out as a red flag. That’s barely scraping the
surface. What about their group memberships? Half the time, the
files a user can access come from the groups they’re in, not
their personal permissions. Did they get added to a “Marketing”
group last Tuesday? Congratulations—they probably got access to a
dozen SharePoint libraries and a handful of private channels in
Teams you didn’t even know were connected. If someone shared a
folder or kicked off a Teams discussion tied to that group,
there’s every chance the files they can now touch include content
far outside their original permissions.Where things get
interesting—and more useful—is building out the full map with
Graph Explorer. This isn’t just searching through static audit
logs. Graph Explorer is like turning on x-ray mode for your
organization. You start with the user object. Every user in M365
has one—a tidy little bundle of attributes, none of which tell
the full story alone. The real trick is pivoting. With a single
query, you can look up all the groups that user is currently a
member of. But you’re not limited to just memberships—you can
keep following the thread. From each group, you can branch into
the files that group has permission to access, and from there,
zoom out again to which sharing links exist, who’s accessed those
files, or even whether those files showed up in a Teams
conversation last week. The beauty is that you’re not guessing
anymore—you’re mapping the real digital footprint instead of
filling in the blanks.It’s pretty common to run into raw data
overload at this point, which is where something like $select
comes in. You don’t want every last property of every file or
membership; you want specifics. Maybe you just want the timestamp
of the last time a file was modified, or a list of sharing links
with external permissions. $select lets you call out exactly what
you want, so you’re not scrolling forever, or waiting ten minutes
for a payload with 60 columns you’ll never use. It’s surgical,
not shotgun. For example, let’s walk through a chain: start by
querying the user and return just their ID and display name with
$select. Next, pivot to their groups—again, pick out just the
group IDs and names. Each of those groups may have its own
collection of files, typically via SharePoint document libraries
linked behind the scenes. Query those file collections, and you
can get just the file names and sharing links, if that’s what you
care about. With one more step, you pivot to each sharing link
and ask: who’s accessed this file, and when? That final detail is
the payoff—suddenly, you’re not assuming who saw the contract or
the project plan. You’re looking at the actual trail, start to
finish.Sometimes, these queries turn into full investigations. In
one case, a law firm spotted a data leak. Their logs told them
when the file left the tenant, but not how. By pivoting from the
user to their group membership, then jumping to files accessible
by that group, and finally tracking files as they moved through
Teams channels, they traced the exposure right back to a group
membership change the previous week. Graph API made it clear: the
file’s journey lined up almost exactly with the user’s new
access, and then showed up in a Teams upload the next day.The
main thing to realize is that you don’t need a third-party SIEM
or a tangle of separate logs for this. If you chain your queries
right in Graph Explorer, you get a direct view—Teams, SharePoint,
OneDrive, all tied together through a logical map rather than
disconnected fragments. You start to notice things you would have
missed: a document a user never opened directly, but could access
thanks to a new group; a folder that got linked in a Teams chat
fifteen minutes after a project role changed. These aren’t
obvious from the dashboards, but they change everything when it
comes to understanding risk, compliance, or just plain old
collaboration breakdowns.The best part is, once you’ve got the
footprint mapped, you can refine it. Now you can layer on
advanced filters, focus in on the last seven days, or trace only
external sharing. And if that sounds like it’s going to open the
floodgates to way too much data, well, that leads right into our
next move—cutting all that noise with precise, advanced filtering
so you don’t drown in the details.


Filtering Out the Noise: Advanced Graph Explorer Techniques


So now you’ve got this pile of data out of Graph Explorer—user
IDs, file listings, group memberships, timestamps that stretch
for pages. The experience is like getting a printout of every key
stroke in the building and then being asked, “What matters?”
That’s actually where most admins hit a wall. You scroll, you
squint, and unless you’re very lucky, your eyes glaze over by
line 200. The list just never ends. I’ve seen teams pull twenty
thousand file links from SharePoint, only to realize they care
about maybe two that left the tenant last week. Everything else
is noise. The whole goal here is to figure out what’s actually
important, and—just as crucial—what you’re safe to ignore.The
default admin tools rarely help at this point. If you’re just
after ‘all files shared in the last month,’ you’ll get a dizzying
list that includes everything from the company lunch menu to
legal contracts. But sharpen that question a bit—like, “Show me
only files with guest links, or just messages that mention
‘confidential’ after business hours”—and suddenly the basic UIs
come up short. The search bar only reaches so far. The raw data
dump can tell you what’s out there, but it’s not going to sift
through patterns or surface the files that need attention. Those
dangerous, or at least interesting, outliers get buried
fast.Here’s where Graph Explorer’s real power shows up. Most
people never go past the basics, maybe running a GET request and
moving on. But Graph API has advanced options—$filter, $top, and
nested queries—that let you carve straight through that mountain
of irrelevant data. Let’s start simple: $filter is like the admin
version of wearing noise-canceling headphones. Instead of “give
me every document,” you can say, “give me just the ones shared
with external guests.” Suddenly, that list of twenty thousand
shrinks to twenty. You see only what actually breaks your
compliance policies or creates risk, and you don’t end up wasting
time on lunch menus and old PDFs.And you don’t have to stop
there. The real fun comes when you start stacking filters. Let’s
say you want to check not just for external sharing, but only
files where the link was sent out in the past week. Or you need
to identify all Teams messages mentioning “Q4 earnings” that were
posted outside business hours. You can use nested queries in
Graph Explorer to stack those conditions, drilling down and
combining behaviors in a way the admin portals never let you do.
It’s not just one filter—it’s several, chained together. Most
organizations miss this, and that’s a real shame. I’ve worked
with admins who spent hours building Excel pivot tables after
exporting CSVs, trying to reverse-engineer patterns they could
have surfaced in a single Graph query.Pair $filter with $top, and
you gain even more control. Maybe you only want the most recent
twenty items, not the full backlog. $select gives you the power
to trim the fat further—grab just the fields you care about, like
the share time and user, instead of dragging through every
property under the sun. The combination means your datasets stay
lean and hyper-focused, making trend spotting and remediation
possible instead of painful.Let’s walk through an actual
scenario. Suppose you want to see every file that was shared by
any group in the last seven days, but only if someone actually
accessed it. Instead of downloading a CSV with every file ever
touched, you use $filter to specify created or shared after a
certain date, then layer on a check for access logs tied to each
file. This pattern is where you get real value: what looks like a
simple “who did what” report actually surfaces new sharing
behaviors that the vanilla dashboards just don’t pick up on. It’s
the difference between being reactive to incidents and being
proactive about trends.I’ve seen some organizations take it
further with automation. Once your queries are dialed in, you
don’t need to run them by hand every week. Instead, build a flow
that exports your results directly to Power BI, where compliance
teams can visualize sharing spikes and spot outliers without
combing through raw data. Others hook Graph queries into Logic
Apps or Power Automate, building lightweight alert systems that
ping security if a sensitive term pops up in chat outside office
hours or if a guest share looks suspicious. Suddenly, you’re not
just hunting through logs—you’re getting actionable analytics
dropped right in your lap.What I find most satisfying is how this
approach turns Graph Explorer from another manual chore into a
true analytics platform. You don’t chase the data anymore. You
build the right questions, automate the grunt work, and focus
your effort on the real risks—the events and files nobody spotted
before. You’ll start to see patterns emerge, like which teams
always push up against sharing limits or which files consistently
draw external interest.But let’s not pretend filters solve
everything. As soon as you scale this to a midsize or enterprise
tenant, the numbers get out of hand again, fast. Even the
sharpest $filter leaves you paging through results that go on for
miles, running into API limits and browser timeouts. So, once the
filtering’s done and you’ve carved down the dataset, there’s
still a problem—you need a way to tackle volume. Luckily, that’s
where pagination and smart scaling come in, and for that, you’ll
want to know how to keep control even when the numbers explode.


Scaling Up: Pagination and Mapping M365 at Enterprise Scale


If you’ve ever run a seemingly simple query against a large
Microsoft 365 tenant and watched your browser grind to a halt,
you already know the feeling: this isn’t a boutique problem, it’s
just life at scale. In smaller orgs, you can sometimes get away
with poking around in the admin center or downloading a CSV. But
once you’re dealing with thousands of users and millions of
files, everything changes. That classic story—“I’ll just pull a
list of files shared in the last month”—can suddenly return
40,000 rows, half a gig in attachments, and a UI that struggles
to even scroll. It’s not that the data isn’t there; it’s that
getting to it requires a whole different approach.The main thing
people don’t realize is that Graph API politely tries to protect
you from yourself—by default, it limits results, but doesn’t flag
that you’re only seeing a slice. Most API calls in Graph Explorer
give you the first one or two hundred results, and nothing more.
You think you’ve hit paydirt, but the rest of the data’s hidden
behind a “nextLink,” tucked inside the response, waiting for you
to ask for the next page. If you don’t know to look, you’re
already missing 90% of what you set out for. And if you’re
chasing something rare—say, files shared externally by a
hundred-person group—odds are, that needle is on page eight, not
page one.Let’s talk about what actually gets in your way. First,
there’s the API throttling. Microsoft wants to keep the entire
tenant happy, which means you can’t fire off a thousand requests
per second. Batch too aggressively, and you’ll get hit with 429
errors or timeouts. Keep it too leisurely, and you’ll be staring
at a spinning indicator all afternoon. Then there’s the problem
of tracking those nextLink tokens. Every paginated API response
hands you a special URL to fetch the next set of results. If you
stop grabbing those and just refresh, you start every query from
scratch—new data, different results, sometimes even lost context.
One admin I know wondered why his export kept doubling up files;
turns out, he was treating every nextLink as a brand new job, not
the continuation of an existing one.Here’s how the process
actually works when you want to scale up. Suppose your task is to
identify all files shared by groups with 500+ members. You kick
off your Graph Explorer query—it returns the first batch, maybe
100 files. But the group’s size guarantees you’re nowhere near
the finish line. Instead, you grab the nextLink token from the
results and send your next GET request there. Rinse and repeat,
sometimes for dozens of pages. The trick is chaining these
requests seamlessly, tracking exactly where you are in the
dataset without losing your filters and selected fields. I’ve
seen this done the hard way—pens and notepads on one monitor and
raw JSON on another—and I’ve seen it automated, which is where
things start to really move.Automation is the real game changer.
Some admins turn to PowerShell, writing scripts that handle
pagination in the background, gracefully collecting each nextLink
until the end. Others use Python, leaning on requests libraries
to pull data chunk by chunk, sometimes kicking off parallel jobs
to move faster without running afoul of throttling limits. I’ve
worked with compliance teams who plug Graph API calls into Logic
Apps or Power Automate flows, letting Microsoft do the workflow
plumbing. Each paginated result gets pushed into a live
dashboard—often in Power BI—that compliance or security can check
at a glance, seeing new shares, guest access, or even unusual
file types appear in real time.The story changes when you combine
these tools with smarter querying from earlier. If your filter
already trims the results to the riskiest files—say, guest-shared
documents created this week—then pagination just keeps you
honest: you’re not sampling, you’re tracking every instance. One
global law firm ran into this wall the hard way. Their legacy
tools flagged files shared from their SharePoint environment, but
always stopped at page one. When they finally moved to paginated
Graph queries, they discovered that about ten percent of their
most sensitive files—contracts, merger documents, entire project
folders—were being shared in ways their compliance portal never
surfaced. It wasn’t willful negligence; their old tools simply
never finished the job.There’s real peace of mind in knowing you
aren’t just working off a partial list. Paginated queries mean
you see the whole tenant, no matter how big it grows. Instead of
static snapshots or sample exports, you’re dealing in the full
picture—activity across hundreds of teams, thousands of files,
millions of messages. For a lot of admins, that’s the difference
between a compliance report you hope is right and one you know is
comprehensive. And it’s not just about security or risk. Even
when it comes to making the case for collaboration tools, being
able to prove exactly how your people share and work—across the
full sprawl of a modern tenant—gives you leverage with
leadership, security, and end users alike.Pagination is what
turns a theoretical map of your M365 environment into an actual,
actionable database. The bonus is that you don’t have to become a
full-time developer or data scientist to get there. Most scripts
are a dozen lines. Most flows can be copied and tweaked from
community templates. Once your data collection is routine, you
stop firefighting and start planning—because now, you can finally
see what’s really going on, not just what fits in a dashboard
widget. And with all that hidden activity surfaced, the final
step is tying it all back to real strategy: compliance,
collaboration, and not missing the opportunities—or the
risks—that live in the gaps.


Conclusion


The real value of this hidden map inside Microsoft 365 isn’t just
tracking down stray permissions or plugging compliance holes.
It’s about building the kind of visibility that makes governance
actually work—without turning file management into a full-time
job. If you can follow each thread, spot how users and files
crisscross your org, and watch those patterns shift over time,
you’re not just ahead of the next data leak—you’re actually
spotting ways to make collaboration safer and smoother. What you
do with that view is up to you. For help, subscribe and tell me
your trickiest Graph Explorer problems.


Get full access to M365 Show - Microsoft 365 Digital Workplace
Daily at m365.show/subscribe