Adding Tenants & Consenting the CIPP-SAM Application
Last updated
Was this helpful?
Last updated
Was this helpful?
The Tenant Onboarding Wizard further simplifies the process of getting setup in CIPP by automatically connecting to any tenants found in your GDAP Relationships List to perform the background tasks necessary to manage a tenant in the system. Below is a list of the actions that are performed during Tenant Onboarding:
Verification of GDAP Invite Accepted
Confirmation that required roles are present.
Ensures groups are correctly mapped to roles.
Validates that permissions are updated via a CPV refresh
Verifies Graph API connectivity and access.
CIPP requires its Service Account user to be a member of the specific security groups with the assigned for proper functionality within your GDAP relationship. This step is completed during the prior to tenant onboarding.
If these roles are missing or the groups haven't been applied to the CIPP user, CIPP will not be able to access the tenant, resulting in errors such as: invalid_grant:AADSTS65001: The user or administrator has not consented to use the application.
or
Send an interactive authorization request for this user and resource
We currently support two methods of connecting to Microsoft Tenants, using a direct connection or a GDAP connection. It's recommended to setup a GDAP relationship with your clients, but in some cases this is not always possible due to transaction regions or other potential blockers.
CIPP relies on use of GDAP role templates for proper onboarding of tenants. Prior to using the tenant onboarding wizard, you should create a role template. To create the CIPP Defaults role template navigate to Tenant Administration-> GDAP Management-> Role Templates. Click the "+ Create CIPP Defaults" button. You can alternatively create your own templates but be sure to include the recommended roles for full CIPP functionality.
Navigate to Tenant Administration -> GDAP Management-> Relationships
Now that you've onboarded the tenant, your pre-existing role mapping may not match the role template you used as part of the onboarding.
Navigate to Tenant Administration-> GDAP Management-> Relationships-> Select the Actions menu for the tenant you just onboarded and choose "Reset Role Mapping"
To automate this process even further, enable Partner Webhooks in Application Settings and newly invited tenants will automatically onboard once accepted.
To directly add a tenant go to the Setup Wizard and select "Add a Tenant" - Make sure you log into a tenant using a service account. This tenant is added to the list of managed tenants immediately.
If you see the warning that the relationship does not have all the CIPP recommended roles, do not proceed. See to create a new GDAP relationship to establish a relationship that meets at least the minimum required roles.