Connecting to Microsoft 365
No surprises at the Microsoft consent screen. Below: every permission UserDesk asks for, what we use it for, and what we deliberately don't do with it.
Only an admin can grant the initial consent. After that, you assign delegates — HR, office staff, team leads — with scoped roles that don't need admin rights.
You'll see the same list of permissions we explain below. Microsoft is showing them; UserDesk is asking for them. Nothing is hidden.
Pick the person, pick the scope (a department, an OU, or specific users), assign their role. Takes about a minute.
Permissions, demystified
These are the four Microsoft Graph scopes you'll see on the consent screen. We list each one alongside what UserDesk actually does with it — and the things people often assume we do, but don't.
| Microsoft Graph scope | What UserDesk does with it | What UserDesk doesn't do |
|---|---|---|
| User.ReadWrite.All | Create new hires, update profile fields (manager, department, title), disable departing accounts. | Read passwords or mailbox contents, access OneDrive/SharePoint files, read calendar data. |
| Directory.ReadWrite.All | Read directory structure and Administrative Unit memberships to scope delegates correctly. | Modify tenant settings, change Conditional Access, alter domain config, edit branding. |
| Group.ReadWrite.All | Add/remove group members, manage distribution lists, attach users to Teams. | Delete groups, modify dynamic group rules, change Teams ownership. |
| UserAuthenticationMethod.ReadWrite.All | Reset passwords on behalf of delegates, revoke active sessions when someone leaves or loses a device. | See MFA secrets, modify MFA enforcement policies, view auth method history beyond reset events. |
We never see or store your password. Microsoft holds the session; we hold a refresh token that you can revoke from Entra ID at any time.
Every action a delegate takes is logged with their identity, the target user, the action, and a timestamp. Exportable from the dashboard.
Entra ID → Enterprise Applications → UserDesk → Remove. Access stops immediately. We don't have standing access outside an active OAuth session.
Clicking the button below sends you to login.microsoftonline.com to sign in and approve the permissions above. After that you land in UserDesk's onboarding to set up your first delegate.
14-day free trial · no credit card · cancel any time in Entra ID
Want to walk through it together first?
I'm Christian — built UserDesk after 15 years inside MSPs. If you want me on a call to walk through the consent screen, demo the delegate experience, or answer any permission question before you click — pick a time:
Not the Global Admin?
That's fine — the admin only has to grant consent once. Forward this page to your IT lead, MSP, or whoever holds Global Admin. Once consent is granted, you'll get added as a delegate and never need admin rights again.