search
Get CIPPJoin Discord
githubEdit

Conditional Access Configuration

Setup your Conditional Access policies for CIPP.

To make sure CIPP is able to access your tenants securely we recommend the usage of Conditional Access. Both your, and your clients Conditional Access Policies will need to be configured for optimal usage.

hashtag
Setup of Your Conditional Access Policies

1

hashtag
Open Azure

Browse to the Conditional Access Policiesarrow-up-right blade in Azure.

2

hashtag
Edit Existing Conditional Access Policies

Exclude the CIPP service account from each existing policy, this way we have a dedicated policy for the CIPP service account

3

hashtag
Create CIPP Specific Policy

Create a new policy and include the CIPP user. Enforce Azure Multi-Factor Authentication for each logon (set sign in frequency under session to every time) and for all cloud applications. Do not add any exclusions or trusted locations.

triangle-exclamation

If you have trusted locations under the classic MFA portal you must always remove those.

Save this policy under the name "CIPP Service Account Conditional Access Policy"

hashtag
Setup of Clients' Conditional Access Policies

GDAP is affected by your clients' conditional access policies. To make sure you can access your clients using your CIPP integration user we recommend excluding the MSP from the Conditional Access Policy per Microsoft's Documentationarrow-up-right

1

hashtag
Open Azure

Browse to your client's Conditional Access Policiesarrow-up-right blade in Azure.

2

hashtag
Edit Conditional Access Policies

For each policy listed. Add an exclusion to "Users and Groups" with the following settings:

  • Guest or external users

  • Service Provider Users

  • Selected

  • Enter your tenant ID. If you do not know what your tenant ID is, you can look this up herearrow-up-right.

triangle-exclamation

If you have any Microsoft-Managed Conditional Access policiesarrow-up-right showing up in your client tenants, these are an indication from Microsoft that they do not feel that your client's tenant meets minimum security posture. These policies cannot be deleted but they can be cloned and then disabled.

circle-exclamation

Optional: If you are running in Direct Tenant mode, exclude the CIPP service account for this tenant instead of the tenant exclusion.

PreviousCreating the CIPP Service AccountNextAdding Users and Managing Roles

Last updated

Was this helpful?