The Hidden Map Connecting Users and Files in M365
Published 7 months ago
Description
Have you ever wondered who’s really collaborating on your most sensitive files in Microsoft 365? Most admins see only fragments, but with Graph Explorer, you can trace every connection—from group memberships to the content users actually touch—across services like Teams, SharePoint, and OneDrive. Today, I’ll show you exactly how to map those hidden digital relationships. The patterns you uncover might just surprise you.

Why Your M365 Data Isn’t as Isolated as You Think

If you’ve ever managed a Microsoft 365 tenant, you already know the basics: SharePoint for files, Teams for chat, OneDrive for personal storage. On the surface, these apps look like separate silos. Most admin centers encourage this thinking, with dashboards and role-based controls that treat each area like its own island. But in the real world, those walls barely exist. Access isn’t just about a file’s location anymore. It’s about who’s connected to whom – and how far those connections reach.

Say you find a sensitive contract sitting in a SharePoint library. You run a permissions check, see the owner and maybe a group or two, so you assume you’ve mapped the risk. But is that really the full story? Let’s say half the marketing team swapped links to that contract in Teams only yesterday, or worse, someone dropped a guest link into a group chat. The file you thought was locked down has quietly circulated through channels you’ll never spot with the basic admin tools. That scenario isn’t rare—it’s daily reality in most midsize and large organizations.

What really trips people up is how group memberships tie into all of this. Permissions move fluidly. The moment you add a user to a group, you’re not just letting them into the Teams chat—you’ve likely also granted them access to SharePoint sites, OneDrive folders, and maybe even external shares the group had permission to create. These connections branch out in unpredictable ways. Basic dashboards will tell you when a group’s membership changed, maybe even where, but try uncovering which files that person can now access and you’ll be hunting for hours, flipping between audit logs and permission exports.

It gets even muddier with group chats and Teams channels. Files don’t just live behind SharePoint URLs anymore. People drop them into chat, pull them down to OneDrive, and push them back up to loop in new collaborators. A quarterly report moves from one SharePoint site to a Teams channel; suddenly it’s stored in multiple places with multiple layers of access. A single file can straddle SharePoint, OneDrive, and Teams all at once—each platform holding a fragment of its activity trail. No wonder admins worry about compliance gaps.

One research study out of the UK found that 68% of organizations using Microsoft 365 had at least one significant blind spot—where official permissions did not match actual file access patterns. That’s not always from carelessness; it’s often because changes ripple across the environment in ways the admin tools don’t track. For example, if someone in finance needs access to a sensitive folder for just one project, they might get added to a security group. Suddenly, they gain access not only to the folder, but also to other files the group can see—even if those weren’t on anyone’s radar. The original manager likely isn’t notified. The global admin only sees the group’s new membership, not the downstream file access. The audit trail becomes a mess of partial stories.

For organizations under pressure to prove compliance—think finance, healthcare, or any large enterprise—those missed links are a real headache. Regulators don’t care that Microsoft’s admin UI only shows fragments. If data leaks or inappropriate sharing are possible, it’s your job to spot it. Even for internal collaboration, the side effects add up: duplicate files, broken folders, confused users who see content they shouldn’t. You end up spending more time untangling permissions and chasing incomplete audit reports than actually managing str