Helpdesk Console relies on identity, calendar, directory, and audit signals to verify users and securely complete sensitive helpdesk actions such as password resets.
The required permissions depend on the identity provider configured in your environment. This article outlines the permissions required when using Microsoft Entra ID or Google Workspace.
Before You Begin
Before reviewing Helpdesk permissions, review:
Important notes
These permissions are required to ensure secure identity verification and helpdesk workflow completion.
During deployment, additional temporary permissions may be requested by the identity provider.
Any permissions not required after deployment can be safely removed.
If certain permissions are unnecessary for your implementation, contact support@imper.ai for guidance.
Microsoft Entra ID permissions
When Microsoft Entra ID is used as the identity provider, imper.ai requests the following permissions to support helpdesk verification and secure password reset workflows.
User.ReadBasic.All
Used for: Retrieving basic user information to add users to the protected users list.
User.Read.All
Used for: Fetching full user profile data required to initiate and complete verification flows.
Calendars.Read
Used for: Building calendar-based verification questions (for example, “Who did you meet with this week?”).
Group.Read.All
Used for: Building group-based verification questions (for example, “Name a group you belong to”).
Directory.Read.All
Used for: Building verification questions related to the organizational hierarchy.
Chat.Read.All
Used for: Building verification questions based on recent chats.
Contacts.Read
Used for: Building contact-based verification questions (for example, “Name a starred contact”).
AuditLog.Read.All
Used for: Reading previous sign-in activity to detect anomalies during the verification flow.
Used for: Reading email metadata to generate verification questions.
RoleManagement.Read.Directory
Used for: Associating roles and groups for role-based verification questions.
User-PasswordProfile.ReadWrite.All
Used for: Resetting user passwords after successful verification.
Google Workspace permissions
When Google Workspace is used as the identity provider, imper.ai requests the following permissions.
Permissions requested from all monitored users (including admins)
googleapis.com/auth/userinfo.email
Description: Allows access to the user’s email address.
Used for: Identifying the user and linking their Google account to imper.ai.
googleapis.com/auth/userinfo.profile
Description: Allows access to basic profile information (name and profile image).
Used for: User identification and improved verification context.
googleapis.com/auth/meetings.space.readonly
Description: Provides read-only access to Google Meet spaces.
Used for: Monitoring active meetings and enabling protective features.
googleapis.com/auth/meetings.space.created
Description: Allows access to Google Meet spaces created by the user.
Used for: Tracking new meetings and associating them with the user context.
googleapis.com/auth/calendar.readonly
Description: Provides read-only access to calendar settings and events.
Used for: Synchronizing calendar data for analysis and verification.
googleapis.com/auth/calendar.events
Description: Allows creating and modifying calendar events.
Used for: Creating or updating meetings so they can be monitored and protected.
Permissions requested from administrators only
googleapis.com/auth/admin.directory.user.readonly
Description: Provides read-only access to users in the Google Workspace directory.
Used for: Reading organizational users to enable monitoring and protection.
googleapis.com/auth/admin.reports.audit.readonly
Description: Provides read-only access to Google Workspace audit logs.
Used for: Monitoring user activity, security events, and compliance signals.
Read-only vs write access
imper.ai requests write access only where required, such as calendar updates or password resets after verification.
imper.ai does not modify users, groups, or directory objects beyond the scope explicitly described.
All permissions are used exclusively to support identity verification and secure helpdesk operations.
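The notes above say permissions not required after deployment can be removed, and that write access is limited to calendar updates and password resets. The following is an added example, not imper.ai code, that compares an exported list of granted permissions against the names listed in this article. The function names, the export format (a plain list of permission names) and the placeholder permission in the sample are assumptions.

```python
"""Compare permissions granted to the Helpdesk integration with this article's list."""

# Baseline: permission names exactly as listed in the article. Its "email metadata"
# entry has no permission name, so that grant shows up as "unexpected": review by hand.
DOCUMENTED = {
    "entra": {
        "User.ReadBasic.All", "User.Read.All", "Calendars.Read", "Group.Read.All",
        "Directory.Read.All", "Chat.Read.All", "Contacts.Read", "AuditLog.Read.All",
        "RoleManagement.Read.Directory", "User-PasswordProfile.ReadWrite.All",
    },
    "google": {"googleapis.com/auth/" + s for s in (
        "userinfo.email", "userinfo.profile", "meetings.space.readonly",
        "meetings.space.created", "calendar.readonly", "calendar.events",
        "admin.directory.user.readonly", "admin.reports.audit.readonly",
    )},
}
# Entries the article describes as write access (password reset, calendar updates).
WRITE_ACCESS = {"User-PasswordProfile.ReadWrite.All", "googleapis.com/auth/calendar.events"}


def normalize(name):
    """Strip whitespace and the URL prefix so Google scopes match the article's form."""
    name = name.strip()
    for prefix in ("https://", "www."):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name


def audit(provider, granted):
    """Return unexpected, missing and write-access grants for one identity provider."""
    have = {normalize(g) for g in granted if g.strip()}
    baseline = DOCUMENTED[provider]
    return {
        "unexpected": sorted(have - baseline),   # candidates for removal after deployment
        "missing": sorted(baseline - have),      # documented here but not granted
        "write_access": sorted(have & WRITE_ACCESS),
    }


if __name__ == "__main__":
    # Constructed sample export; "Example.Temporary.Permission" is a placeholder name.
    sample = sorted(DOCUMENTED["entra"] - {"Contacts.Read"}) + ["Example.Temporary.Permission"]
    for key, names in audit("entra", sample).items():
        print(f"{key}: {', '.join(names) or 'none'}")
```

Anything reported as unexpected is a prompt to check with support@imper.ai before removal, since it may be the unnamed email-metadata permission rather than a deployment leftover.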