It started like most of my learning sessions do. I cracked open a cold Dr Pepper and decided to poke around Microsoft 365 Explorer just to see how it really works. Not trying to solve a ticket or check alerts, just digging through the Security & Compliance Center to see what kind of metadata I could pull from email traffic. That’s when I saw it. A Teams meeting link. Right there in the email metadata. Not the email body. Not some phishing attempt. Just… a clean, clickable Teams URL, and that’s where the Global Reader role security concerns really hit me.

See, I didn’t have access to the email content. That part is locked down like it should be. But the URLs? Totally visible. Which means any Teams meeting link that comes through email can technically be seen and opened by someone with Global Reader rights. No secret sauce. No elevated permissions. Just the system doing exactly what it was told to do. I didn’t click it. But I could’ve. That’s what stuck with me.

Nobody talks about this kind of thing. We throw these roles around, Global Reader, Security Reader, assuming they’re “read-only” and safe. But safe for who? Because when that read-only view includes working meeting links, especially the ones that don’t require authentication, you’ve got more than just visibility. You’ve got access. Quiet access. That’s not a broken system. It’s just… something we didn’t think all the way through.

What Explorer Actually Shows You

So for anyone who hasn’t wandered into it before, Explorer (Threat Explorer, which needs Defender for Office 365 Plan 2) lives inside Microsoft 365 Defender at https://security.microsoft.com. You head over to Email & Collaboration, click on Explorer, and boom, you’re staring at mail flow. What came in, who it went to, who clicked what, and when it all happened. It’s surprisingly deep.

Now, I didn’t expect much when I first started messing with it. I thought it would show headers, basic sender and recipient info, that kind of thing. But once I started looking closer, I noticed the URLs section. These aren’t just logs. They’re functional. You see the real URLs from real emails. And if one of those is a Teams meeting? Yep, you can open it. And this is with the Global Reader role. You don’t need to be an Exchange Admin or have a bunch of elevated rights. Just Global Reader (Security Reader gets the same Explorer view, which matters when you start tightening roles later). That’s where the Global Reader role security concerns really start to matter.

The assumption is that “read-only” means “safe.” But URLs aren’t static. They’re doorways. And if that doorway leads to a Teams meeting, and the meeting doesn’t require you to be on the invite or to wait in a lobby, then yeah, you’re walking into places you probably shouldn’t be. So now I’m sitting here thinking… how many people have this role in our org? And how many of them know what they’re really looking at?

When Metadata Becomes a Backdoor

Let’s be real, this isn’t some obscure flaw buried deep in the Microsoft 365 stack. It’s just… there. Working as designed.

When Explorer pulls up an email trace, you can click into the message summary and find a list of all the URLs Microsoft extracted from that email. They’re broken down under the “URLs” section and logged for security scanning. This is great for catching phishing links. But not so great when those URLs point at internal resources.

That’s how I found the Teams meeting link.

It looked like this:

https://teams.microsoft.com/l/meetup-join/19%3ameeting_YES_THIS_IS_REAL%40thread.v2/0?context=%7b%22Tid%22%3a%22tenant-id%22%2c%22Oid%22%3a%22organizer-id%22%7d

Clean. Clickable. Whether it actually gets you into the call depends on how the meeting was set up: the lobby setting decides who is admitted automatically, and plenty of orgs leave it at the default that lets anyone from the organization straight in. So yeah, I could’ve joined. Muted my mic and just lurked. Not that I did. But again, the option was right there. One caveat worth knowing: a Global Reader is a signed-in account in the tenant, so it joins under its own name and shows up in the attendance report. Renaming yourself to “System” is something only an anonymous joiner can do. And it’s not just meetings.

I’ve seen password reset URLs, temporary sign-in links, private SharePoint shares, direct file download links. All kinds of things that don’t need full message content to be risky. These links are meant for the recipient, but they’re exposed in the metadata. And the kicker? This isn’t some “Exchange Admin has all the power” situation. This is happening with Global Reader role permissions. Read-only, sure, but reading live, sensitive URLs that can sometimes skip authentication entirely.

That’s where Global Reader role security concerns stop being hypothetical and start being real risk. This is metadata turning into a potential access path. Not because the system is broken, but because it’s quietly giving away more than we think.

What You Can Do About It

Let’s say you’ve just realized what I did: Global Reader isn’t exactly as harmless as it sounds. The good news? You can do something about it. The bad news? Most orgs don’t, because they assume “read-only” is low risk.

First things first. You need to know who actually has this role. It’s not always obvious in the portal, especially if folks got assigned via nested groups or role assignments that were done years ago. PowerShell to the rescue:

# Requires the Microsoft Graph PowerShell SDK: Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"
$roles = Get-MgRoleManagementDirectoryRoleDefinition -All | Where-Object DisplayName -like "*Global*"   # Global Reader, Global Administrator, custom roles
foreach ($role in $roles) {   # assignments carry only IDs, so resolve each principal to a name
    Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$($role.Id)'" | ForEach-Object {
        $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{ Principal = $principal.AdditionalProperties.displayName; Type = $principal.AdditionalProperties.'@odata.type'; Role = $role.DisplayName; Scope = $_.DirectoryScopeId }
    }
}

This pulls every active assignment for any role whose name contains “Global” and resolves who holds it. Look out for Global Reader, Global Admin, and anything custom that might have full visibility. Two caveats: it only shows standing (active) assignments, so anyone who is PIM-eligible needs a separate check against the eligibility schedule, and a role-assignable group shows up as the group rather than its members, so expand those too. Once you know who’s got the keys, ask the hard question: Do they still need it? If the answer is no, yank it. If they only need it occasionally, roll out Privileged Identity Management (PIM) and require just-in-time access. Make them activate it, justify it. Then make it expire.
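Here is the “move it to PIM” step as an added example, not a script from the original post. It assumes the Microsoft Graph PowerShell SDK, a session with RoleManagement.ReadWrite.Directory, and a placeholder principal ID you replace with the real user or role-assignable group; the Global Reader template ID is Microsoft’s fixed built-in value. It first lists who is already eligible (the active-assignment query above cannot see them), then converts one standing assignment into a time-boxed eligibility and removes the standing assignment.

```powershell
# Added example, not the post's own code. Assumes the Microsoft Graph PowerShell SDK and
# RoleManagement.ReadWrite.Directory; $principalId below is a placeholder to replace.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Directory.Read.All"

# Global Reader's built-in role template ID (identical in every tenant)
$globalReaderId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"

# 1. Who is already PIM-eligible for Global Reader? These never appear as active assignments.
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -Filter "roleDefinitionId eq '$globalReaderId'" |
    ForEach-Object {
        $p = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            Principal     = $p.AdditionalProperties.displayName
            Type          = $p.AdditionalProperties.'@odata.type'
            Scope         = $_.DirectoryScopeId
            EligibleUntil = $_.EndDateTime    # $null means the eligibility itself never expires
        }
    }

# 2. Convert one standing assignment into just-in-time access.
$principalId = "00000000-0000-0000-0000-000000000000"   # placeholder: user or role-assignable group to convert

# 2a. Make the principal eligible. They must activate the role each time they need it;
#     justification/MFA on activation is set in the role's PIM settings, not here.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Convert standing Global Reader to just-in-time access"
    roleDefinitionId = $globalReaderId
    principalId      = $principalId
    directoryScopeId = "/"                               # whole tenant, same scope as the old assignment
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P180D" }   # eligibility lapses after 180 days unless renewed
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility | Out-Null

# 2b. Drop the standing assignment so the role is no longer "always on" for that principal.
Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "principalId eq '$principalId'" |
    Where-Object { $_.RoleDefinitionId -eq $globalReaderId } |
    ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }
```

Do step 2a before 2b so the person is never without a path to the role, and re-run the listing afterwards to confirm they now show up only under eligibility. Activation duration, justification and approval requirements live in the role’s PIM settings and are where “make them justify it, then make it expire” actually gets enforced.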

Another overlooked option is role-specific access. Instead of giving someone full tenant visibility with Global Reader, give them Security Reader or another scoped role that aligns with their actual job. One honest caveat: Security Reader still opens Explorer, so the URL view described above doesn’t go away; what you take back is everything else Global Reader can read across the tenant. You don’t give someone a master key to your building just because they need to water a plant in one office. Same idea.

Also, while you’re at it, check your Teams meeting policies. Two settings do the real work: whether anonymous users can join at all, and who bypasses the lobby. The lobby setting is the one that decides whether a tenant account that was never invited walks straight in, and organizers can loosen it further per meeting in Meeting options, within whatever the policy allows. A lot of companies leave this wide open because it’s the default. Finally, start the culture shift. Just because someone can see a URL doesn’t mean they know what that link leads to. And if it leads to sensitive content or a live session? That’s a problem waiting to happen.
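The policy check, as an added example rather than anything from the original post. It assumes the MicrosoftTeams PowerShell module and a Teams admin session, and it only touches the Global (tenant default) policy; the parameter names and values are the ones the module itself uses.

```powershell
# Added example, not the post's own code. Assumes the MicrosoftTeams module and a Teams admin session.
Connect-MicrosoftTeams

# The settings that decide whether a pasted meeting link gets someone into the call unchallenged
$watch = "AllowAnonymousUsersToJoinMeeting", "AllowAnonymousUsersToStartMeeting", "AutoAdmittedUsers"

# Audit every policy, not just Global: a per-user policy can be looser than the tenant default
Get-CsTeamsMeetingPolicy | Select-Object -Property (@("Identity") + $watch) | Format-Table -AutoSize

# Policies where literally anyone holding the URL bypasses the lobby
Get-CsTeamsMeetingPolicy |
    Where-Object { $_.AllowAnonymousUsersToJoinMeeting -and $_.AutoAdmittedUsers -eq "Everyone" } |
    Select-Object -ExpandProperty Identity

# Harden the tenant default. AutoAdmittedUsers is the setting that matters for the Global Reader case:
# a signed-in tenant account is not "anonymous", so AllowAnonymousUsersToJoinMeeting does nothing for it.
# "InvitedUsers" puts everyone who is not on the invite, internal or not, into the lobby.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowAnonymousUsersToStartMeeting $false `
    -AutoAdmittedUsers "InvitedUsers"

# Stricter option if external customers never need to join: block anonymous join outright.
# Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false
```

Run the audit first and keep the output; “Everyone” on a policy assigned to a few users is the kind of thing that survives for years. Lobby settings are enforced at join time, so a link sitting in Explorer that worked yesterday stops working the moment the policy that applies to that organizer is tightened.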

What Can We Learn as a Person

Let’s be honest. Most of us in IT have had that moment. You see something you weren’t supposed to see, an email subject, a calendar event, a shared file name, and suddenly your brain starts filling in the blanks. It’s rarely something major. It’s usually a half-story. A piece of a conversation. Just enough to spark a thought like, “Huh, that’s interesting…”

This is where gossip starts. And this is where it can wreck people. Not just the person you’re looking at, but you too. When you’ve got a role like Global Reader, it’s incredibly easy to see things you shouldn’t. Even if you never touch the actual email content, those metadata breadcrumbs can pile up quick. Meeting titles, URLs, file names, sender names. Your brain builds a story whether you want it to or not.

And the worst part? You don’t even have the full picture.

That’s where the danger really is. Partial visibility creates false narratives. It makes you assume things. It can mess with how you view coworkers, how you talk about them, and how you carry yourself as an admin. I’ve caught myself starting to spiral into “what if” scenarios based on a Teams meeting name I wasn’t supposed to see. It’s not healthy. And it’s not professional.

The power to see isn’t just technical. It’s emotional. And if you don’t check yourself, it’ll eat at your mental health before you realize it. So what can we learn? That being trusted with access means being trusted with restraint. That curiosity can turn toxic if it isn’t managed. And that sometimes, the most responsible thing you can do as an admin… is look away.

Additional Links