Adding Tenants & Consenting the CIPP-SAM Application
The Tenant Onboarding Wizard further simplifies the process of getting set up in CIPP by automatically connecting to any tenants found in your GDAP Relationships List and performing the background tasks necessary to manage a tenant in the system. Below is a list of the actions that are performed during Tenant Onboarding:
Verifies that the GDAP invite has been accepted.
Confirms that the required roles are present.
Ensures groups are correctly mapped to roles.
Validates that permissions are updated via a CPV refresh.
Verifies Graph API connectivity and access.
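The invite, role and group-mapping checks in the list above can be reproduced offline against exported GDAP data before running the wizard. The following is an added example, not CIPP's own code: it assumes relationship and access-assignment JSON shaped like Microsoft Graph's delegatedAdminRelationship and delegatedAdminAccessAssignment resources, and the role names, GUIDs and template shape are constructed placeholders.

```python
# Added example: offline pre-check of a GDAP relationship against a role template.
# Field names follow Microsoft Graph's delegatedAdminRelationship and
# delegatedAdminAccessAssignment resources; every ID below is constructed.

def role_ids(obj):
    """Role definition IDs listed under accessDetails.unifiedRoles."""
    roles = obj.get("accessDetails", {}).get("unifiedRoles", [])
    return {r["roleDefinitionId"].lower() for r in roles}

def precheck(relationship, assignments, template, service_account_groups):
    """Return a list of findings; an empty list means every check passed.
    template: {role name: roleDefinitionId} (hypothetical template shape)
    service_account_groups: IDs of the groups the service account belongs to
    """
    findings = []
    status = relationship.get("status")
    if status != "active":
        findings.append(f"relationship status is {status!r}, not 'active'")
    granted = role_ids(relationship)
    groups = {g.lower() for g in service_account_groups}
    for name, rid in sorted(template.items()):
        rid = rid.lower()
        if rid not in granted:
            findings.append(f"role missing from relationship: {name}")
            continue
        holders = {a["accessContainer"]["accessContainerId"].lower()
                   for a in assignments
                   if a.get("status") == "active" and rid in role_ids(a)}
        if not holders:
            findings.append(f"role not mapped to any group: {name}")
        elif not holders & groups:
            findings.append(f"service account not in a group holding: {name}")
    return findings

# Constructed sample data (placeholder GUIDs, not real role or group IDs).
GROUP = "11111111-1111-1111-1111-111111111111"
TEMPLATE = {"Role A": "00000000-0000-0000-0000-00000000000a",
            "Role B": "00000000-0000-0000-0000-00000000000b",
            "Role C": "00000000-0000-0000-0000-00000000000c"}
RELATIONSHIP = {"status": "active", "accessDetails": {"unifiedRoles": [
    {"roleDefinitionId": TEMPLATE["Role A"]}, {"roleDefinitionId": TEMPLATE["Role B"]}]}}
ASSIGNMENTS = [{"status": "active",
                "accessContainer": {"accessContainerId": GROUP, "accessContainerType": "securityGroup"},
                "accessDetails": {"unifiedRoles": [{"roleDefinitionId": TEMPLATE["Role A"]}]}}]

if __name__ == "__main__":
    for finding in precheck(RELATIONSHIP, ASSIGNMENTS, TEMPLATE, [GROUP]):
        print(finding)
```

A role that is granted on the relationship but held by no group the service account belongs to is reported separately from a role the relationship lacks entirely, since the first is fixed by group membership or mapping and the second requires a new relationship.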
CIPP requires its Service Account user to be a member of the specific security groups with the assigned for proper functionality within your GDAP relationship. This step is completed during the prior to tenant onboarding.
If these roles are missing or the groups haven't been applied to the CIPP user, CIPP will not be able to access the tenant, resulting in errors such as:
"invalid_grant:AADSTS65001: The user or administrator has not consented to use the application."
or
"Send an interactive authorization request for this user and resource"
CIPP relies on GDAP role templates for proper onboarding of tenants. Prior to using the tenant onboarding wizard, you should create a role template. To create the CIPP Defaults role template, navigate to Tenant Administration -> GDAP Management -> Role Templates. Click the "+ Create CIPP Defaults" button. You can alternatively create your own templates, but be sure to include the recommended roles for full CIPP functionality.
Navigate to Tenant Administration -> GDAP Management -> Relationships
Now that you've onboarded the tenant, your pre-existing role mapping may not match the role template you used as part of the onboarding.
Navigate to Tenant Administration -> GDAP Management -> Relationships -> Select the Actions menu for the tenant you just onboarded and choose "Reset Role Mapping".
To automate this process even further, enable Partner Webhooks in Application Settings and newly invited tenants will automatically onboard once accepted.
If you see the warning that the relationship does not have all the CIPP recommended roles, do not proceed. See to create a new GDAP relationship to establish a relationship that meets at least the minimum required roles.