
Tenant Onboarding

You'll continue to use the Setup Wizard to onboard your client tenants. You can either


Wizard Steps for GDAP Tenants

1

Click on "Add a Tenant"

To get started, we click the "Add a Tenant" button and "Next Step".

2

Select Tenant Add Method of "Add GDAP Template"

Select "Add GDAP Tenant" and click "Next Step".

3

Select GDAP Role Template

Select the GDAP Role Template you would like to use for this onboarding. This will automatically map your GDAP security groups with the GDAP roles.

If this is your first GDAP tenant, you will be prompted to optionally add the CIPP Default role template. This role template will automatically create the 15 GDAP groups matching the Recommended Roles.

4

This will generate a unique GDAP invite URL with the associated roles selected from your template. Your client's Global Administrator must open this link and consent in order to accept the contractual relationship. Once completed, check the box that the invite has been accepted and click "Next Step".

5

Tenant Onboarding

On this step, you can review the relationship info. Before clicking "Start Onboarding", decide if you want to have the tenant excluded from All Tenants standards to allow you time to review the tenant before those are applied. Once done, click "Start Onboarding". CIPP will now automatically complete the tenant onboarding. This includes verifying the relationship was accepted, the roles are present in the relationship, the security groups are mapped to the tenant, and the tenant is accessible via Graph API.

6

Confirm

The final page is a confirmation that shows you what you've completed.
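
The checks listed in the "Tenant Onboarding" step (relationship accepted, roles present, security groups mapped) can be reproduced by hand against the JSON that Microsoft Graph returns for a `delegatedAdminRelationship` and its access assignments. The Python below is an added example, not CIPP's own code, and it additionally flags roles granted outside the template. The function name, the template shape and every GUID in the sample data are assumptions constructed for illustration, and the Graph reachability check is left out so the example runs offline.

```python
from datetime import datetime, timezone

def check_gdap_relationship(relationship, assignments, template, now=None):
    """Return a list of findings (empty = all checks passed).
    template is a hypothetical {roleDefinitionId: security group object id} map."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # 1. The invite must have been accepted and the relationship must not be expired.
    status = relationship.get("status")
    if status != "active":
        findings.append(f"relationship status is {status!r}, not 'active'")
    end = relationship.get("endDateTime")
    # Graph timestamps may carry 7-digit fractions; compare on whole seconds (UTC).
    if end and datetime.strptime(end[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc) <= now:
        findings.append(f"relationship expired at {end}")
    # 2. Every template role must be present in the relationship, and nothing extra.
    granted = {r["roleDefinitionId"]
               for r in relationship.get("accessDetails", {}).get("unifiedRoles", [])}
    for role in sorted(set(template) - granted):
        findings.append(f"role {role} is in the template but not in the relationship")
    for role in sorted(granted - set(template)):
        findings.append(f"role {role} is granted but not in the template")
    # 3. Each granted template role must be mapped to its group by an active assignment.
    mapped = set()
    for a in assignments:
        if a.get("status") != "active":
            continue
        group = a.get("accessContainer", {}).get("accessContainerId")
        for r in a.get("accessDetails", {}).get("unifiedRoles", []):
            mapped.add((r["roleDefinitionId"], group))
    for role, group in sorted(template.items()):
        if role in granted and (role, group) not in mapped:
            findings.append(f"role {role} is not mapped to group {group}")
    return findings

# Constructed sample data: placeholder GUIDs, not real role or group ids.
ROLE_A, ROLE_B = "00000000-0000-0000-0000-00000000000a", "00000000-0000-0000-0000-00000000000b"
GROUP_A, GROUP_B = "11111111-0000-0000-0000-00000000000a", "11111111-0000-0000-0000-00000000000b"
TEMPLATE = {ROLE_A: GROUP_A, ROLE_B: GROUP_B}
SAMPLE_RELATIONSHIP = {"status": "active", "endDateTime": "2030-01-01T00:00:00.0000000Z",
    "accessDetails": {"unifiedRoles": [{"roleDefinitionId": ROLE_A}, {"roleDefinitionId": ROLE_B}]}}
SAMPLE_ASSIGNMENTS = [{"status": "active", "accessContainer": {"accessContainerId": GROUP_A},
    "accessDetails": {"unifiedRoles": [{"roleDefinitionId": ROLE_A}]}}]

if __name__ == "__main__":
    for finding in check_gdap_relationship(SAMPLE_RELATIONSHIP, SAMPLE_ASSIGNMENTS, TEMPLATE):
        print("FAIL:", finding)
```
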

Wizard Steps for Direct Tenants


CIPP will also allow you to manage tenants that you do not have a GDAP relationship with.

1

Click on "Add a Tenant"

To get started, we click the "Add a Tenant" button and "Next Step".

2

Click on "Add Direct Tenant"

Select "Add Direct Tenant" and click "Next Step".

3

Click "Connect to Tenant"

Click the "Connect to Tenant" button. Use a service account with permissions equivalent to those in the partner tenant. More information on these roles can be found under Recommended Roles.

Be sure to select "Consent on behalf of the organization" to prevent consent prompts for future users who may log into CIPP, such as a co-managed client technician.

4

Confirm

The final page is a confirmation that shows you what you've completed.

Limitations of Direct Tenants

There are limitations to what CIPP can do with directly added tenants due to some features relying on Lighthouse, Partner Center APIs, etc.

  • Permissions errors during addition of the tenant

    • Consent can only be granted for permissions the direct tenant is licensed for.

    • To work around this until a more robust method can be devised, if you see one of these errors, remove the offending permission (NOT THE CONSENT) from the CIPP-SAM app registration in your tenant.

  • Universal Search - This relies on Lighthouse to search for users

  • Admin Portal Links - These utilize the GDAP relationship to log in as your CSP user. You will have to log in to the portal with an account native to the tenant.

  • Alerts - There are certain alerts that will only work with GDAP/Lighthouse

    • Alert if Defender is not running

    • Alert if Defender Malware found

  • Inactive Users Report - Relies on a CSP report

Role Management Considerations

Any additional users who need access to your Microsoft CSP Tenants via the admin portals must be manually added to the relevant security groups. These groups start with "M365 GDAP".
