If you are coming from v7.1.x or earlier, your Function App identity needs the "Contributor" role assigned to itself.
Sign in to the Azure portal:
Find your CIPP resource group.
Open the main Function App (this would not be an offloaded Function App if you have multiple).
In the left-hand menu of the subscription, select "Access control (IAM)".
At the top of the Access control (IAM) pane, click "+ Add".
In the drop-down menu, select "Add role assignment".
Click on Privileged administrator roles.
In the "Role" table, select "Contributor". The Contributor role should allow the identity to create and manage all types of Azure resources but does not allow them to grant access to others.
In the "Assign access to" drop-down menu, select "User, group, or service principal".
In the "Select" field, type "cipp". As you begin typing, the list of options will narrow and you should see the Managed Identity for your Function App.
After you've selected the identity, click "Save" to assign the role.
Navigate to CIPP > Integrations and click on CIPP-API.
Creating an API client:
If you need to create an API Client:
Click on Actions > Create New Client.
Fill out the form with the App Name.
If you've already created an App Registration and would like to import it:
Click on Actions > Add Existing Client.
Select the API Client from the list.
Ensure that you Enable the client in order to save it to the Function App authentication settings.
Submit the form to create the client. Remember to copy the Application secret to a secure location.
Once you have the API Client(s) configured, click Actions > Save Azure Configuration. This updates the Function App authentication settings with the new Client IDs.
The IP Range list supports both IPv4 and IPv6 addresses as standalone IP addresses or in CIDR Notation (e.g. 12.34.56.78/24 or 1.1.1.1).
Custom Roles will limit which API endpoints each API Client can access. This can be used to limit all API calls to read only for example.
Navigate to CIPP > Integrations and click on CIPP-API.
Find the API client in the table and click on the 3 dots in the Actions column > Edit.
Flip the Enabled switch off and click Submit.
At the top of the page, go to Actions and click Save Azure Configuration.
Navigate to CIPP > Integrations and click on CIPP-API.
Find the API client in the table and click on the 3 dots in the Actions column > Reset Application Secret.
Copy the new Secret to a secure location.
CIPP uses OAuth authentication to connect to the API using your Application ID and secret. You can use the PowerShell example below to connect to the API.
If you are making an OAuth connection with any 3rd party service, make use of the copyable fields on the CIPP-API integration page indicated by a blue outline. You will also need the API Scope, get this from the API Client > Actions > Copy API Scope.
The API actions have a maximum timeout of 10 minutes. There are no active rate limits, but heavy usage of the API can cause frontend operations to slow down.
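The OAuth connection described above, written out as an added example (not code from the CIPP project or its PowerShell module). The function names, the `CIPP_API_SECRET` variable, the `/api/<EndpointName>` path layout and the use of the standard Microsoft identity platform v2.0 token endpoint are assumptions; confirm the URLs against the copyable fields on the CIPP-API integration page.

```powershell
# Added example. Every value in angle brackets is a placeholder you must replace.
$CippApiUrl = 'https://cipp.example.com'   # constructed placeholder for your CIPP URL
$TenantId   = '<tenant-id>'
$ClientId   = '<application-id-of-the-api-client>'
$ApiScope   = '<value from API Client > Actions > Copy API Scope>'
# Keep the secret out of the script; CIPP_API_SECRET is a hypothetical variable name.
$ClientSecret = $env:CIPP_API_SECRET
if (-not $ClientSecret) { throw 'Set CIPP_API_SECRET before running.' }

function Get-DemoCippToken {
    # OAuth 2.0 client-credentials grant. Assumption: the standard Microsoft
    # identity platform v2.0 token endpoint for your tenant.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = $ApiScope
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresAt   = (Get-Date).AddSeconds($resp.expires_in - 60)  # renew a minute early
    }
}

function Invoke-DemoCippRequest {
    param([Parameter(Mandatory)][string]$Endpoint)  # name taken from the user documentation page
    # Reuse the cached token until shortly before it expires.
    if (-not $script:Token -or (Get-Date) -ge $script:Token.ExpiresAt) {
        $script:Token = Get-DemoCippToken
    }
    $headers = @{ Authorization = "Bearer $($script:Token.AccessToken)" }
    try {
        # API actions have a maximum timeout of 10 minutes, so wait at most 600 seconds.
        Invoke-RestMethod -Uri "$CippApiUrl/api/$Endpoint" -Headers $headers -Method Get -TimeoutSec 600
    }
    catch {
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -in 401, 403) {
            Write-Warning ("HTTP ${status}: check that the client is enabled, that Save Azure " +
                "Configuration was run, and that this source IP and the client's Custom Role allow the call.")
        }
        throw
    }
}

Invoke-DemoCippRequest -Endpoint '<EndpointName>'
```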
Each page in the user documentation has a list of the endpoints used to load or create data on that specific page.
You can install the CIPP API PowerShell module using PowerShell 7.x. The module takes care of all the authentication for you.
You will first need to set your CIPP API Details using the following command:
You can then test that it's working:
Optionally set the and Allowed IP Ranges for additional security.
Further documentation for the module and each of its available functions can be found
We value your feedback and ideas. Please raise any on GitHub.
API Authentication