Creating the CIPP Service Account

Setup Video for the CIPP Service Account


When creating a new service account, it's important to remember the following:

  • Must be a Global Administrator while setting up the integration. These permissions may be removed after the integration has been set up.

  • Must be added to the AdminAgents group. This group is required for connection to the Microsoft Partner API.

  • Must be added to your GDAP groups. If you did the migration through CIPP, these start with M365 GDAP. These groups are not roles in your own tenant; they must be the GDAP-assigned groups. For the latest, check the Recommended Roles page.

  • Must have Microsoft multi-factor authentication enforced for each logon, either via Conditional Access when available or via Per User MFA when Conditional Access is not available.

Setup Walkthrough for the CIPP Service Account


This guide walks you through the process from the video of setting up the CIPP Service Account. Follow the instructions on this page to the letter to ensure a seamless setup process down the line.

To get started, head to the Microsoft Entra Portal's user overview at entra.microsoft.com.

  1. Click on the "New user" button.

  2. Create a new internal user in your organization.

  3. Enter a username in the field. We recommend something identifiable, like "CIPP Service Account".

  4. Enter "CIPP Service Account" in the Display Name field. Set the password to something strong, and save this password in a secure location.

  5. Click on "Next: Properties".

  6. Click on "Next: Assignments".

  7. If you are a Microsoft Partner and want to manage all your client tenants, click on "Add group".

  8. Select the AdminAgents group. This group is required for connection to the Microsoft Partner API.

  9. Select your GDAP groups.

If you have already migrated to GDAP, select your GDAP groups at this stage. If you migrated using CIPP, these groups start with M365 GDAP. For the latest required GDAP roles, check our Recommended Roles page.

  10. Click "Add role".

  11. Add the Global Administrator role.

Find the Global Admin role. This role is required for the CIPP-SAM application creation, and we recommend removing it directly after installation.

  12. Click "Next: Review + create".

  13. Click on "Create". This creates the account.
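
Once the account exists, a read-only check can confirm that the assignments from the walkthrough landed as intended, and later that Global Administrator was removed. The script below is an added example, not part of CIPP or its documentation. It assumes the Microsoft Graph PowerShell SDK is installed, uses a placeholder UPN, and only sees direct, active memberships and role assignments.

```powershell
# Added example: audit the service account against the requirements on this page.
# Assumptions: Microsoft.Graph SDK installed; UPN is a placeholder; MFA enforcement
# (Conditional Access or per-user MFA) is NOT checked here and must be verified separately.
param(
    [string]$ServiceAccountUpn = 'cipp-service@contoso.example', # placeholder UPN
    [string]$GdapGroupPrefix   = 'M365 GDAP',                     # prefix used when migrating through CIPP
    [switch]$SetupComplete                                        # pass once the integration is set up
)

# Well-known role template ID of the built-in Global Administrator role
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All' | Out-Null

$user        = Get-MgUser -UserId $ServiceAccountUpn -ErrorAction Stop
$memberships = @(Get-MgUserMemberOf -UserId $user.Id -All)

# memberOf returns generic directory objects; type and name live in AdditionalProperties
$groups = @($memberships |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] })
$roles = @($memberships |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' })

$inAdminAgents = $groups -contains 'AdminAgents'
$gdapGroups    = @($groups | Where-Object { $_ -like "$GdapGroupPrefix*" })
$isGlobalAdmin = @($roles | Where-Object {
    $_.AdditionalProperties['roleTemplateId'] -eq $GlobalAdminTemplateId }).Count -gt 0

$findings = @()
if (-not $inAdminAgents)         { $findings += 'Not a member of AdminAgents (Partner API will fail).' }
if ($gdapGroups.Count -eq 0)     { $findings += "No group starting with '$GdapGroupPrefix' assigned." }
if (-not $SetupComplete -and -not $isGlobalAdmin) {
    $findings += 'Global Administrator missing; it is required during setup.'
}
if ($SetupComplete -and $isGlobalAdmin) {
    $findings += 'Global Administrator still assigned after setup; removal is recommended.'
}

[pscustomobject]@{
    Account       = $user.UserPrincipalName
    AdminAgents   = $inAdminAgents
    GdapGroups    = $gdapGroups -join '; '
    GlobalAdmin   = $isGlobalAdmin
    OtherRoles    = $roles.Count - [int]$isGlobalAdmin
    Findings      = if ($findings) { $findings -join ' ' } else { 'None' }
}
```

Run it once right after creating the account, and again with `-SetupComplete` after the integration is in place to catch a lingering Global Administrator assignment.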

Important Notes

  • Do not over-assign GDAP groups. Too many permissions will stop GDAP functionality. For more information check out Microsoft's documentation here

  • You must enforce multi-factor authentication before you move on to Executing the SAM Setup Wizard.

  • You may not use any other authentication provider than Microsoft for this account. Duo or other providers will not work. For more information on this see this
