Have you ever wondered who’s really collaborating on your most sensitive files in Microsoft 365? Most admins see only fragments, but with Graph Explorer, you can trace every connection—from group memberships to the content users actually touch—across services like Teams, SharePoint, and OneDrive. Today, I’ll show you exactly how to map those hidden digital relationships. The patterns you uncover might just surprise you.
Why Your M365 Data Isn’t as Isolated as You Think
If you’ve ever managed a Microsoft 365 tenant, you already know the basics: SharePoint for files, Teams for chat, OneDrive for personal storage. On the surface, these apps look like separate silos. Most admin centers encourage this thinking, with dashboards and role-based controls that treat each area like its own island. But in the real world, those walls barely exist. Access isn’t just about a file’s location anymore. It’s about who’s connected to whom – and how far those connections reach.
Say you find a sensitive contract sitting in a SharePoint library. You run a permissions check, see the owner and maybe a group or two, so you assume you’ve mapped the risk. But is that really the full story? Let’s say half the marketing team swapped links to that contract in Teams only yesterday, or worse, someone dropped a guest link into a group chat. The file you thought was locked down has quietly circulated through channels you’ll never spot with the basic admin tools. That scenario isn’t rare—it’s daily reality in most midsize and large organizations.
What really trips people up is how group memberships tie into all of this. Permissions move fluidly. The moment you add a user to a group, you’re not just letting them into the Teams chat—you’ve likely also granted them access to SharePoint sites, OneDrive folders, and maybe even external shares the group had permission to create. These connections branch out in unpredictable ways. Basic dashboards will tell you when a group’s membership changed, maybe even where, but try uncovering which files that person can now access and you’ll be hunting for hours, flipping between audit logs and permission exports.
It gets even muddier with group chats and Teams channels. Files don’t just live behind SharePoint URLs anymore. People drop them into chat, pull them down to OneDrive, and push them back up to loop in new collaborators. A quarterly report moves from one SharePoint site to a Teams channel; suddenly it’s stored in multiple places with multiple layers of access. A single file can straddle SharePoint, OneDrive, and Teams all at once—each platform holding a fragment of its activity trail. No wonder admins worry about compliance gaps.
One research study out of the UK found that 68% of organizations using Microsoft 365 had at least one significant blind spot—where official permissions did not match actual file access patterns. That’s not always from carelessness; it’s often because changes ripple across the environment in ways the admin tools don’t track. For example, if someone in finance needs access to a sensitive folder for just one project, they might get added to a security group. Suddenly, they gain access not only to the folder, but also to other files the group can see—even if those weren’t on anyone’s radar. The original manager likely isn’t notified. The global admin only sees the group’s new membership, not the downstream file access. The audit trail becomes a mess of partial stories.
For organizations under pressure to prove compliance—think finance, healthcare, or any large enterprise—those missed links are a real headache. Regulators don’t care that Microsoft’s admin UI only shows fragments. If data leaks or inappropriate sharing are possible, it’s your job to spot it. Even for internal collaboration, the side effects add up: duplicate files, broken folders, confused users who see content they shouldn’t. You end up spending more time untangling permissions and chasing incomplete audit reports than actually managing strategy.
One of the clearest examples I’ve run into was a mid-sized consultancy where a sensitive client folder was sitting inside a locked SharePoint site. Two weeks later, a new consulting hire joined the client’s project group. A week after that, the same folder ended up attached to a Teams chat with an external guest. By the time IT noticed, the folder’s access story included a brand-new group member, a Teams link, an external OneDrive share—and almost no audit log tied all those pieces together. Their admin dashboards showed a neat list of users, but the file’s real history stretched across four services and three different audit logs.
This level of interconnectedness isn’t some rare quirk. It’s baked into how Microsoft 365 is architected—a benefit for agile teams, but a minefield for anyone managing governance or risk. Adding a user to a single group or team isn’t just a checkbox. It’s a ripple that touches file permissions, chat access, folder sharing, even the ability to invite external guests. It’s all stitched together under the hood, but unless you know where the threads run, you’ll always be missing part of the map.
So if it feels like you’re always one step behind risky file sharing or missed compliance flags, you’re not alone. The default UI and audit tools in M365 only ever tell half the story. But here’s where it starts to get interesting: every user action, every permission change, builds out this “hidden map.” Most tools don’t even acknowledge it exists, let alone trace it. But Graph Explorer? That’s built to shine a light on those hidden connections. Once you see what’s really tied together, you’ll start to spot sharing patterns and risks you never knew were there. And to do that, you’ll need a different approach—one that actually reveals these relationships, step by step.
Tracing a User’s Digital Footprint: From ID to Every File Touchpoint
If you’ve ever had to answer, “What did this user actually do across our entire environment?” you already know it’s never just mailbox activity or sign-ins. The first thing people reach for is usually audit logs or the Azure portal, maybe a PowerShell script or two. The reality is, that’s the shallow end. Most admins get as far as a login date, or maybe a few items in the user’s mailbox, then stop. But if you need to answer real questions—like why Sarah from sales somehow downloaded a document two levels deep in a SharePoint site she’s never visited before—those basic checks don’t get you far. It’s not about just one area, either. Users cross boundaries all day long. I’ve seen admins try to piece it together from different admin centers, flipping between SharePoint, Teams, and OneDrive, hoping to spot a pattern. Most give up when it stops making sense, or when the raw data just gets overwhelming.
So let’s say you’re starting with something simple—a user ID. That’s your anchor. What do you actually do with it? Picture the regular approach: search the user, look for login records, maybe a handful of recent files they touched, and hope nothing jumps out as a red flag. That’s barely scraping the surface. What about their group memberships? Half the time, the files a user can access come from the groups they’re in, not their personal permissions. Did they get added to a “Marketing” group last Tuesday? Congratulations—they probably got access to a dozen SharePoint libraries and a handful of private channels in Teams you didn’t even know were connected. If someone shared a folder or kicked off a Teams discussion tied to that group, there’s every chance the files they can now touch include content far outside their original permissions.
Where things get interesting—and more useful—is building out the full map with Graph Explorer. This isn’t just searching through static audit logs. Graph Explorer is like turning on x-ray mode for your organization. You start with the user object. Every user in M365 has one—a tidy little bundle of attributes, none of which tell the full story alone. The real trick is pivoting. With a single query, you can look up all the groups that user is currently a member of. But you’re not limited to just memberships—you can keep following the thread. From each group, you can branch into the files that group has permission to access, and from there, zoom out again to which sharing links exist, who’s accessed those files, or even whether those files showed up in a Teams conversation last week. The beauty is that you’re not guessing anymore—you’re mapping the real digital footprint instead of filling in the blanks.
It’s pretty common to run into raw data overload at this point, which is where something like $select comes in. You don’t want every last property of every file or membership; you want specifics. Maybe you just want the timestamp of the last time a file was modified, or a list of sharing links with external permissions. $select lets you call out exactly what you want, so you’re not scrolling forever, or waiting ten minutes for a payload with 60 columns you’ll never use. It’s surgical, not shotgun.
For example, let’s walk through a chain: start by querying the user and return just their ID and display name with $select. Next, pivot to their groups—again, pick out just the group IDs and names. Each of those groups may have its own collection of files, typically via SharePoint document libraries linked behind the scenes. Query those file collections, and you can get just the file names and sharing links, if that’s what you care about. With one more step, you pivot to each sharing link and ask: who’s accessed this file, and when? That final detail is the payoff—suddenly, you’re not assuming who saw the contract or the project plan. You’re looking at the actual trail, start to finish.
Sometimes, these queries turn into full investigations. In one case, a law firm spotted a data leak. Their logs told them when the file left the tenant, but not how. By pivoting from the user to their group membership, then jumping to files accessible by that group, and finally tracking files as they moved through Teams channels, they traced the exposure right back to a group membership change the previous week. Graph API made it clear: the file’s journey lined up almost exactly with the user’s new access, and then showed up in a Teams upload the next day.
The main thing to realize is that you don’t need a third-party SIEM or a tangle of separate logs for this. If you chain your queries right in Graph Explorer, you get a direct view—Teams, SharePoint, OneDrive, all tied together through a logical map rather than disconnected fragments. You start to notice things you would have missed: a document a user never opened directly, but could access thanks to a new group; a folder that got linked in a Teams chat fifteen minutes after a project role changed. These aren’t obvious from the dashboards, but they change everything when it comes to understanding risk, compliance, or just plain old collaboration breakdowns.
The best part is, once you’ve got the footprint mapped, you can refine it. Now you can layer on advanced filters, focus in on the last seven days, or trace only external sharing. And if that sounds like it’s going to open the floodgates to way too much data, well, that leads right into our next move—cutting all that noise with precise, advanced filtering so you don’t drown in the details.
Filtering Out the Noise: Advanced Graph Explorer Techniques
So now you’ve got this pile of data out of Graph Explorer—user IDs, file listings, group memberships, timestamps that stretch for pages. The experience is like getting a printout of every key stroke in the building and then being asked, “What matters?” That’s actually where most admins hit a wall. You scroll, you squint, and unless you’re very lucky, your eyes glaze over by line 200. The list just never ends. I’ve seen teams pull twenty thousand file links from SharePoint, only to realize they care about maybe two that left the tenant last week. Everything else is noise. The whole goal here is to figure out what’s actually important, and—just as crucial—what you’re safe to ignore.
The default admin tools rarely help at this point. If you’re just after ‘all files shared in the last month,’ you’ll get a dizzying list that includes everything from the company lunch menu to legal contracts. But sharpen that question a bit—like, “Show me only files with guest links, or just messages that mention ‘confidential’ after business hours”—and suddenly the basic UIs come up short. The search bar only reaches so far. The raw data dump can tell you what’s out there, but it’s not going to sift through patterns or surface the files that need attention. Those dangerous, or at least interesting, outliers get buried fast.
Here’s where Graph Explorer’s real power shows up. Most people never go past the basics, maybe running a GET request and moving on. But Graph API has advanced options—$filter, $top, and nested queries—that let you carve straight through that mountain of irrelevant data. Let’s start simple: $filter is like the admin version of wearing noise-canceling headphones. Instead of “give me every document,” you can say, “give me just the ones shared with external guests.” Suddenly, that list of twenty thousand shrinks to twenty. You see only what actually breaks your compliance policies or creates risk, and you don’t end up wasting time on lunch menus and old PDFs.
And you don’t have to stop there. The real fun comes when you start stacking filters. Let’s say you want to check not just for external sharing, but only files where the link was sent out in the past week. Or you need to identify all Teams messages mentioning “Q4 earnings” that were posted outside business hours. You can use nested queries in Graph Explorer to stack those conditions, drilling down and combining behaviors in a way the admin portals never let you do. It’s not just one filter—it’s several, chained together. Most organizations miss this, and that’s a real shame. I’ve worked with admins who spent hours building Excel pivot tables after exporting CSVs, trying to reverse-engineer patterns they could have surfaced in a single Graph query.
Pair $filter with $top, and you gain even more control. Maybe you only want the most recent twenty items, not the full backlog. $select gives you the power to trim the fat further—grab just the fields you care about, like the share time and user, instead of dragging through every property under the sun. The combination means your datasets stay lean and hyper-focused, making trend spotting and remediation possible instead of painful.
Let’s walk through an actual scenario. Suppose you want to see every file that was shared by any group in the last seven days, but only if someone actually accessed it. Instead of downloading a CSV with every file ever touched, you use $filter to specify created or shared after a certain date, then layer on a check for access logs tied to each file. This pattern is where you get real value: what looks like a simple “who did what” report actually surfaces new sharing behaviors that the vanilla dashboards just don’t pick up on. It’s the difference between being reactive to incidents and being proactive about trends.
I’ve seen some organizations take it further with automation. Once your queries are dialed in, you don’t need to run them by hand every week. Instead, build a flow that exports your results directly to Power BI, where compliance teams can visualize sharing spikes and spot outliers without combing through raw data. Others hook Graph queries into Logic Apps or Power Automate, building lightweight alert systems that ping security if a sensitive term pops up in chat outside office hours or if a guest share looks suspicious. Suddenly, you’re not just hunting through logs—you’re getting actionable analytics dropped right in your lap.
What I find most satisfying is how this approach turns Graph Explorer from another manual chore into a true analytics platform. You don’t chase the data anymore. You build the right questions, automate the grunt work, and focus your effort on the real risks—the events and files nobody spotted before. You’ll start to see patterns emerge, like which teams always push up against sharing limits or which files consistently draw external interest.
But let’s not pretend filters solve everything. As soon as you scale this to a midsize or enterprise tenant, the numbers get out of hand again, fast. Even the sharpest $filter leaves you paging through results that go on for miles, running into API limits and browser timeouts. So, once the filtering’s done and you’ve carved down the dataset, there’s still a problem—you need a way to tackle volume. Luckily, that’s where pagination and smart scaling come in, and for that, you’ll want to know how to keep control even when the numbers explode.
Scaling Up: Pagination and Mapping M365 at Enterprise Scale
If you’ve ever run a seemingly simple query against a large Microsoft 365 tenant and watched your browser grind to a halt, you already know the feeling: this isn’t a boutique problem, it’s just life at scale. In smaller orgs, you can sometimes get away with poking around in the admin center or downloading a CSV. But once you’re dealing with thousands of users and millions of files, everything changes. That classic story—“I’ll just pull a list of files shared in the last month”—can suddenly return 40,000 rows, half a gig in attachments, and a UI that struggles to even scroll. It’s not that the data isn’t there; it’s that getting to it requires a whole different approach.
The main thing people don’t realize is that Graph API politely tries to protect you from yourself—by default, it limits results, but doesn’t flag that you’re only seeing a slice. Most API calls in Graph Explorer give you the first one or two hundred results, and nothing more. You think you’ve hit paydirt, but the rest of the data’s hidden behind a “nextLink,” tucked inside the response, waiting for you to ask for the next page. If you don’t know to look, you’re already missing 90% of what you set out for. And if you’re chasing something rare—say, files shared externally by a hundred-person group—odds are, that needle is on page eight, not page one.
Let’s talk about what actually gets in your way. First, there’s the API throttling. Microsoft wants to keep the entire tenant happy, which means you can’t fire off a thousand requests per second. Batch too aggressively, and you’ll get hit with 429 errors or timeouts. Keep it too leisurely, and you’ll be staring at a spinning indicator all afternoon. Then there’s the problem of tracking those nextLink tokens. Every paginated API response hands you a special URL to fetch the next set of results. If you stop grabbing those and just refresh, you start every query from scratch—new data, different results, sometimes even lost context. One admin I know wondered why his export kept doubling up files; turns out, he was treating every nextLink as a brand new job, not the continuation of an existing one.
Here’s how the process actually works when you want to scale up. Suppose your task is to identify all files shared by groups with 500+ members. You kick off your Graph Explorer query—it returns the first batch, maybe 100 files. But the group’s size guarantees you’re nowhere near the finish line. Instead, you grab the nextLink token from the results and send your next GET request there. Rinse and repeat, sometimes for dozens of pages. The trick is chaining these requests seamlessly, tracking exactly where you are in the dataset without losing your filters and selected fields. I’ve seen this done the hard way—pens and notepads on one monitor and raw JSON on another—and I’ve seen it automated, which is where things start to really move.
Automation is the real game changer. Some admins turn to PowerShell, writing scripts that handle pagination in the background, gracefully collecting each nextLink until the end. Others use Python, leaning on requests libraries to pull data chunk by chunk, sometimes kicking off parallel jobs to move faster without running afoul of throttling limits. I’ve worked with compliance teams who plug Graph API calls into Logic Apps or Power Automate flows, letting Microsoft do the workflow plumbing. Each paginated result gets pushed into a live dashboard—often in Power BI—that compliance or security can check at a glance, seeing new shares, guest access, or even unusual file types appear in real time.
The story changes when you combine these tools with smarter querying from earlier. If your filter already trims the results to the riskiest files—say, guest-shared documents created this week—then pagination just keeps you honest: you’re not sampling, you’re tracking every instance. One global law firm ran into this wall the hard way. Their legacy tools flagged files shared from their SharePoint environment, but always stopped at page one. When they finally moved to paginated Graph queries, they discovered that about ten percent of their most sensitive files—contracts, merger documents, entire project folders—were being shared in ways their compliance portal never surfaced. It wasn’t willful negligence; their old tools simply never finished the job.
There’s real peace of mind in knowing you aren’t just working off a partial list. Paginated queries mean you see the whole tenant, no matter how big it grows. Instead of static snapshots or sample exports, you’re dealing in the full picture—activity across hundreds of teams, thousands of files, millions of messages. For a lot of admins, that’s the difference between a compliance report you hope is right and one you know is comprehensive. And it’s not just about security or risk. Even when it comes to making the case for collaboration tools, being able to prove exactly how your people share and work—across the full sprawl of a modern tenant—gives you leverage with leadership, security, and end users alike.
Pagination is what turns a theoretical map of your M365 environment into an actual, actionable database. The bonus is that you don’t have to become a full-time developer or data scientist to get there. Most scripts are a dozen lines. Most flows can be copied and tweaked from community templates. Once your data collection is routine, you stop firefighting and start planning—because now, you can finally see what’s really going on, not just what fits in a dashboard widget. And with all that hidden activity surfaced, the final step is tying it all back to real strategy: compliance, collaboration, and not missing the opportunities—or the risks—that live in the gaps.
Conclusion
The real value of this hidden map inside Microsoft 365 isn’t just tracking down stray permissions or plugging compliance holes. It’s about building the kind of visibility that makes governance actually work—without turning file management into a full-time job. If you can follow each thread, spot how users and files crisscross your org, and watch those patterns shift over time, you’re not just ahead of the next data leak—you’re actually spotting ways to make collaboration safer and smoother. What you do with that view is up to you. For help, subscribe and tell me your trickiest Graph Explorer problems.
Share this post