LogoLogo
Get CIPPJoin Discord
  • ☕CIPP Documentation
  • 🦸Setup
    • Setting Up CIPP
      • Prerequisites
      • Installation
      • Setup Automatic API Updates
      • Configuring Automatic Updates
      • Adding Users and Managing Roles
      • Updating Versions
      • Migrating to Hosted CIPP
      • Self-hosted API Setup
    • Configuring CIPP
      • Creating the CIPP Service Account
      • Conditional Access Best Practices
      • Adding Users and Managing Roles
      • Executing the Setup Wizard
      • Tenant Onboarding
      • Adding Tenants & Consenting the CIPP-SAM Application
      • Adding a Custom Domain Name
      • I Want to Manage My Own Tenant
      • Recommended Roles
    • Implementing CIPP
      • Recommended First Steps
      • Standards Setup
    • Resources
      • Professional Onboarding Services
      • Sponsor Quick Start
  • 🙋User Documentation
    • Shared Features
      • Menu Bar
        • Tenant Select
        • Display Mode
        • 🔍Search
        • Bookmarks
        • User Preferences
      • Table Features
      • Speed Dial
      • Keyboard Shortcuts
      • Get Help
    • CIPP Dashboard
    • Identity Management
      • Administration
        • Users
          • Bulk Add
          • Invite Guest
          • Add User
          • View Individual User
            • Edit User
            • Exchange Settings
            • Compromise Remediation
            • Conditional Access
        • Risky Users
        • Groups
          • Add Group
          • Edit Group
        • Group Templates
          • Add Group Template
          • Deploy Group Templates
          • Edit Group Template
        • Devices
        • Deleted Items
        • Roles
        • JIT Admin
          • Add JIT Admin
        • Offboarding Wizard
      • Reports
        • MFA Report
        • Inactive Users
        • Sign-in Report
        • AAD Connect Report
        • Risk Detections
    • Tenant Administration
      • Administration
        • Tenants
          • Edit Tenant
          • Tenant Groups
            • Add Tenant Group
            • Edit Tenant Group
        • Alert Configuration
          • Add Alert
        • Audit Logs
          • View Audit Log
        • Applications
        • App Registrations
        • Permission Sets
          • Add Permission Set
          • Edit Permission Set
        • Templates
          • Add App Approval Template
          • Edit App Approval Template
        • Secure Score
          • Table View
        • App Consent Requests
        • Authentication Methods
        • Partner Relationships
      • GDAP Management
        • Relationships
          • Relationship Summary
        • Role Mappings
          • Map GDAP Roles
        • Role Templates
          • Add Template
          • Edit Template
        • Invites
          • New Invite
        • Onboarding
        • Offboarding
      • Configuration Backup
        • Backups
          • Restore Configuration Backup
          • Add Configuration Backup Task
      • Standards
        • List Standards Templates
        • Add Standards Template
        • View Tenant Report
        • Best Practice Analyser
          • Best Practice Templates
          • Custom Reports
        • Domains Analyser
      • Conditional Access
        • CA Policies
          • Deploy CA Policies
        • CA Vacation Mode
          • Add Vacation Schedule
        • CA Templates
        • Named Locations
          • Add Named Location
      • Reports
        • License Report
        • Sherweb License Report
          • Add Subscription
        • Consented Applications
    • Security & Compliance
      • Incidents & Alerts
        • Incidents
        • Alerts
      • Defender
        • Defender Status
        • Defender Deployment
        • Vulnerabilities
      • Reports
        • Device Compliance
      • Safe Links Policies
        • Add Safe Links Policy
        • Edit Safe Links Policy
      • Safe Links Templates
        • Create Safe Links Template
        • Deploy Safe Links Template
        • Edit Safe Links Template
    • Intune
      • Applications
        • Applications
          • Add Application
            • Add MSP App
            • Add Store App
            • Add Choco App
            • Add Office App
        • Application Queue
      • Autopilot
        • Autopilot Devices
        • Add Autopilot Device
        • Profiles
          • Add Profile
        • Status Pages
        • Add Status Page
      • Device Management
        • Devices
        • Configuration Policies
        • Compliance Policies
        • Protection Policies
        • Apply Policy
        • Policy Templates
        • Scripts
      • Reports
        • Analytics Device Score
        • Work from Anywhere
    • Teams & SharePoint
      • OneDrive
      • SharePoint
        • Add Site
        • Bulk Add Sites
      • Teams
        • Teams
          • Add Team
        • Teams Activity
        • Business Voice
    • Email & Exchange
      • Administration
        • Mailboxes
          • Add Shared Mailbox
        • Deleted Mailboxes
        • Mailbox Rules
        • Contacts
          • Add Contact
          • Edit Contact
        • Contact Templates
          • Deploy Contact Templates
          • Add Contact Template
          • Edit Contact Template
        • Quarantine
        • Tenant Allow/Block Lists
          • Add Entry
      • Transport
        • Transport Rules
          • Deploy Transport Rule Template
        • Transport Templates
        • Connectors
          • Deploy Connector Templates
        • Connector Templates
      • Spamfilter
        • Spamfilter
          • Deploy Spamfilter
        • Spamfilter Templates
        • Connection Filter
          • Deploy Connection Filter
        • Connection Filter Templates
        • Quarantine Policies
          • Edit Global Settings
          • Deploy Custom Policy
        • Quarantine Policies
          • Add Quarantine Policy
      • Resource Management
        • Equipment
          • Add Equipment Mailbox
        • Rooms
          • Add Room
          • Edit Room
        • Room Lists
      • Reports
        • Mailbox Statistics
        • Mailbox Client Access Settings
        • Anti-Phishing Filters
        • Malware Filters
        • Safe Link Filters
        • Safe Attachment Filters
        • Shared Mailbox with Enabled Account
        • Global Address List
    • Tools
      • Tenant Tools
        • Graph Explorer
        • Application Approval
        • Tenant Lookup
        • IP Database
        • Individual Domain Check
      • Email Tools
        • Message Trace
        • Mailbox Restores
        • Message Viewer
      • Dark Web Tools
        • Tenant Breach Lookup
        • Breach Lookup
      • Template Library
      • Community Repositories
        • View Repository Templates
      • Scheduler
        • Add Job
    • CIPP
      • Application Settings
        • Permissions
        • Tenants
        • Backend
        • Notifications
        • Partner Webhooks
        • Licenses
        • CIPP Backup
        • Global Variables
      • Logbook
      • Setup Wizard
      • Integrations
        • Integration Sync
        • CIPP-API
        • Sherweb
        • Gradient
        • Halo PSA
        • NinjaOne
        • Hudu
        • Password Pusher
        • Have I Been Pwned?
        • Cloudflare
        • GitHub
      • Custom Data
        • Directory Extensions
          • Add Directory Extension
        • Schema Extensions
          • Add Schema Extension
        • Mappings
          • Add Mapping
          • Edit Mapping
      • Advanced
        • Super Admin
          • Tenant Mode
          • Function Offloading
          • CIPP Roles
          • SAM App Roles
          • SAM App Permissions
        • Exchange Cmdlets
        • Timers
        • Table Maintenance
  • 📂Troubleshooting
    • Error Codes
    • Troubleshooting Instructions
      • Refreshing a Specific Tenant's Permissions via CPV API
    • Frequently Asked Questions
      • I Got a "Potential Phishing page detected" Alert. What Do I Do With That?
  • 🔐Security
    • CIPP Security and Compliance
      • Security Policy
      • Security Reports
    • CIPP Community Vulnerability Disclosure Policy
  • 👩‍💻👩💻 Dev Documentation
    • CIPP Dev Guide
      • Setting Up for Local Development
      • Executing Local Development
      • Project Structure
      • Development Tips
      • CIPP v7 Developer Brief
    • Contributing to the Code
    • Contributing to the Documentation
  • ⚙️API Documentation
    • Setup & Authentication
    • Endpoints
  • 🧰MSP Adoption Toolkit
    • Building a CIPP Business Case
  • ☕Sip & CIPP
    • Conditional Access
    • Autopilot & Intune
Powered by GitBook
On this page
  • Setup Video for the CIPP Service Account
  • Setup Walkthrough for the CIPP Service Account

Was this helpful?

Edit on GitHub
Export as PDF
  1. Setup
  2. Configuring CIPP

Creating the CIPP Service Account

PreviousConfiguring CIPPNextConditional Access Best Practices

Last updated 21 days ago

Was this helpful?

Setup Video for the CIPP Service Account


When setting up your Service Account, remember:

Administration Requirements

  1. Must be a Global Administrator while setting up the integration. These permissions may be removed after the integration has been setup.

  2. Must be added to the AdminAgents group. This group is required for connection to the Microsoft Partner API.

Multi-factor Authentication

  1. MFA Setup: This account must have Microsoft MFA enforced for each logon.

    1. Use Conditional Access when available or via Per User MFA when not available.

  2. Microsoft MFA is mandatory. Do not use alternative providers like Duo, and ensure it's setup before any login attempts.

    1. Reference this article on Supported MFA options from Microsoft for more details.

Setup Walkthrough for the CIPP Service Account


This guide walks you through the process from the video of setting up the CIPP Service Account. Follow the instructions on this page to the letter to ensure a seamless setup process down the line.

The CIPP service account will be the account used to execute any actions on your tenants via CIPP.

To get started, head to the Microsoft Entra Portal's user overview at entra.microsoft.com

If you would like to use notifications, webhook triggers, or exporting to other system the account you use must have a mailbox available. This mailbox will be used for outgoing reports, exports, and notifications.

  1. Click on the "New user" button.

  1. Create a new internal user in your organization

  1. Enter a username in the field, we recommend something identifiable like "CIPP Service Account"

  1. Enter "CIPP Service Account" in the Display Name field. Set the password to something strong, and save this password in a secure location

  1. Click on "Next: Properties".

  1. Click on "Next: Assignments".

  1. If you are a Microsoft Partner, and want to manage all your client tenants, click on Add Group.

  1. Select the AdminAgents group. This group is required for connection to the Microsoft Partner API.

  1. Select your GDAP groups

If you have already migrated to GDAP you select your GDAP groups at this stage. If you migrated using CIPP these groups start with M365 GDAP.If you have migrated, but not using CIPP check the latest required GDAP roles check our Recommended Roles page.

If you have not migrated or used GDAP at all, or are planning to onboard your GDAP tenants using CIPP, continue on.

These groups might not exist if you have not yet migrated to GDAP.

If you want to move to using CIPP and Microsoft's best practice recommendation of mapping one role to one security group, you can skip this step for now. CIPP will create the groups when you first setup adding your client tenants in Adding Tenants.

  1. Click "Add role"

  1. Add the Global Administrator Role

Find the Global Admin role. This role is required for the CIPP-SAM application creation, and is recommended to be removed directly after installation.

  1. Click "Next: Review + create"

  1. Click on "Create". This creates the account.

preview
preview
preview
preview
preview
preview
preview
preview
preview
preview
preview
preview
preview
🦸