Creating the CIPP Service Account
Last updated
Was this helpful?
Last updated
Was this helpful?
Must be a Global Administrator while setting up the integration. These permissions may be removed after the integration has been setup.
Must be added to the AdminAgents group. This group is required for connection to the Microsoft Partner API.
MFA Setup: This account must have Microsoft MFA enforced for each logon.
Use Conditional Access when available or via Per User MFA when not available.
Microsoft MFA is mandatory. Do not use alternative providers like Duo, and ensure it's setup before any login attempts.
Reference this article on Supported MFA options from Microsoft for more details.
This guide walks you through the process from the video of setting up the CIPP Service Account. Follow the instructions on this page to the letter to ensure a seamless setup process down the line.
The CIPP service account will be the account used to execute any actions on your tenants via CIPP.
To get started, head to the Microsoft Entra Portal's user overview at entra.microsoft.com
If you would like to use notifications, webhook triggers, or exporting to other system the account you use must have a mailbox available. This mailbox will be used for outgoing reports, exports, and notifications.
Click on the "New user" button.
Create a new internal user in your organization
Enter a username in the field, we recommend something identifiable like "CIPP Service Account"
Enter "CIPP Service Account" in the Display Name field. Set the password to something strong, and save this password in a secure location
Click on "Next: Properties".
Click on "Next: Assignments".
If you are a Microsoft Partner, and want to manage all your client tenants, click on Add Group.
Select the AdminAgents group. This group is required for connection to the Microsoft Partner API.
Select your GDAP groups
If you have already migrated to GDAP you select your GDAP groups at this stage. If you migrated using CIPP these groups start with M365 GDAP.If you have migrated, but not using CIPP check the latest required GDAP roles check our Recommended Roles page.
If you have not migrated or used GDAP at all, or are planning to onboard your GDAP tenants using CIPP, continue on.
These groups might not exist if you have not yet migrated to GDAP.
If you want to move to using CIPP and Microsoft's best practice recommendation of mapping one role to one security group, you can skip this step for now. CIPP will create the groups when you first setup adding your client tenants in Adding Tenants.
Click "Add role"
Add the Global Administrator Role
Find the Global Admin role. This role is required for the CIPP-SAM application creation, and is recommended to be removed directly after installation.
Click "Next: Review + create"
Click on "Create". This creates the account.
