CIPP-SAM Permissions

How to ensure your SAM app for CIPP has the correct permissions.

Last updated 1 year ago


Manual Permissions

At times you will need to change permissions for the CIPP-SAM application that is used by CIPP to access your tenants. Use the following instructions to update these permissions.

  • Go to the Azure Portal.

  • Select Microsoft Entra ID, then select App Registrations.

  • Find your Secure App Model application. You can search based on the Application ID.

  • Go to API Permissions and select Add a permission.

  • Choose "Microsoft Graph", then either "Delegated permissions" or "Application permissions".

  • Add the permission you need.

  • Finally, select "Grant admin consent" for your organisation. Without this step the permission is only requested, not granted.

Permissions

For full functionality, CIPP needs the following permissions on the Secure Application Model registration. You can remove any permission whose functionality you do not want the application to have, but CIPP will then show errors for the features that depend on it.

Duplicate Permissions: some permissions appear in both the Delegated and the Application tables below. This is by design, and you do need to add both.

Some permissions come from APIs other than Microsoft Graph. You will see this both in the application and in the lists below as a name between brackets, e.g. (WindowsDefenderATP). For these, click "APIs my organisation uses" instead of "Microsoft Graph" when adding the permission, and look for the exact name between the brackets to find the correct resource.
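As a check to run after editing the registration, here is an added PowerShell script (not CIPP's own code) that uses the Microsoft Graph PowerShell SDK to read the SAM app registration's requested permissions and diff them against an expected list built from the tables on this page; `$SamAppId` is a placeholder for your own Application (client) ID, and the `$Expected` subset is an assumption you extend with the full tables.

```powershell
# Added example, not CIPP's own code: audit the CIPP-SAM app registration's
# requested API permissions against an expected list and report gaps and extras.
# Assumes the Microsoft.Graph PowerShell SDK is installed and you sign in to the
# partner tenant with an account allowed to read application registrations.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$SamAppId = '00000000-0000-0000-0000-000000000000'   # placeholder: your SAM Application (client) ID

# Illustrative subset of this page's lists, written as Type:ResourceDisplayName:Permission.
# The resource display name is the one shown in the portal (and between brackets on this page).
$Expected = @(
    'Delegated:Microsoft Graph:User.ReadWrite.All'
    'Delegated:Microsoft Graph:Policy.ReadWrite.ConditionalAccess'
    'Delegated:WindowsDefenderATP:Vulnerability.Read'
    'Application:Microsoft Graph:User.ReadWrite.All'
    'Application:Office 365 Exchange Online:Exchange.Manage'
)

$app = Get-MgApplication -Filter "appId eq '$SamAppId'"
if (-not $app) { throw "No app registration found for appId $SamAppId" }

# requiredResourceAccess stores GUIDs only, so resolve each one through the resource's
# service principal: oauth2PermissionScopes are delegated, appRoles are application.
$Registered = @(foreach ($rra in $app.RequiredResourceAccess) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
    foreach ($access in $rra.ResourceAccess) {
        if ($access.Type -eq 'Scope') {
            $value = ($sp.Oauth2PermissionScopes | Where-Object Id -eq $access.Id).Value
            "Delegated:$($sp.DisplayName):$value"
        } else {
            $value = ($sp.AppRoles | Where-Object Id -eq $access.Id).Value
            "Application:$($sp.DisplayName):$value"
        }
    }
})

$Missing = @($Expected   | Where-Object { $_ -notin $Registered })
$Extra   = @($Registered | Where-Object { $_ -notin $Expected })

# Missing entries explain permission errors in CIPP; extra entries are candidates
# for removal under least privilege, or for adding to $Expected if intentional.
"Registered: $($Registered.Count)  Expected: $($Expected.Count)"
if ($Missing) { "`nMISSING (add under API permissions, then grant admin consent):"; $Missing }
if ($Extra)   { "`nEXTRA (not in the expected list):"; $Extra }
if (-not $Missing -and -not $Extra) { 'Registration matches the expected list.' }
# This compares what the registration requests; whether admin consent was granted
# is a separate state and still needs the "Grant admin consent" step in the portal.
```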

LIST OF DELEGATED PERMISSIONS USED BY CIPP:

API / Permissions name | Description
--- | ---
ActivityFeed.Read (Office 365 Management API) | Read activity data for your organization
AllSites.FullControl (Office 365 SharePoint Online) | Have full control of all site collections
Application.Read.All | Read applications
Application.ReadWrite.All | Read and write all applications
AuditLog.Read.All | Read audit log data
BitlockerKey.Read.All | Read BitLocker keys
Channel.Create | Create channels
Channel.ReadBasic.All | Read the names and descriptions of channels
Channel.Delete.All | Delete channels
ChannelMember.Read.All | Read the members of channels
ChannelMember.ReadWrite.All | Add and remove members from channels
ChannelMessage.Edit | Edit users' channel messages
ChannelMessage.Read.All | Read users' channel messages
ChannelMessage.Send | Send channel messages
ChannelSettings.Read.All | Read the names, descriptions, and settings of channels
ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of channels
ConsentRequest.Read.All | Read consent requests
DelegatedAdminRelationship.ReadWrite.All | Manage Delegated Admin relationships with customers
Device.Command | Communicate with user devices
Device.Read | Read user devices
Device.Read.All | Read all devices
DeviceLocalCredential.Read.All | Read device local credential passwords
DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps
DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune Device Configuration and Policies
DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices
DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration
DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings
DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration
Directory.AccessAsUser.All | Access directory as the signed in user
Domain.Read.All | Read domain data
Group.ReadWrite.All | Read and write all groups
GroupMember.ReadWrite.All | Read and write group memberships
Mail.Send | Send mail as a user
Mail.Send.Shared | Send mail on behalf of others
Member.Read.Hidden | Read hidden memberships
offline_access | Maintain access to data you have given it access to
openid | Sign users in
Organization.ReadWrite.All | Read and write organization information
Policy.Read.All | Read your organization's policies
Policy.ReadWrite.ApplicationConfiguration | Read and write your organization's application configuration policies
Policy.ReadWrite.AuthenticationFlows | Read and write authentication flow policies
Policy.ReadWrite.AuthenticationMethod | Read and write authentication method policies
Policy.ReadWrite.Authorization | Read and write your organization's authorization policy
Policy.ReadWrite.ConditionalAccess | Read and write conditional access policy
Policy.ReadWrite.ConsentRequest | Read and write consent request policy
Policy.ReadWrite.DeviceConfiguration | Read and write your organization's device configuration policies
PrivilegedAccess.Read.AzureResources | Read privileged access to Azure resources
PrivilegedAccess.ReadWrite.AzureResources | Read and write privileged access to Azure resources
profile | View users' basic profile
Reports.Read.All | Read all usage reports
ReportSettings.ReadWrite.All | Read and write admin report settings
RoleManagement.ReadWrite.Directory | Read and write directory RBAC settings
SecurityActions.ReadWrite.All | Read and update your organization's security actions
SecurityEvents.ReadWrite.All | Read and update your organization's security events
SecurityIncident.Read.All | Read incidents
SecurityIncident.ReadWrite.All | Read and write to incidents
ServiceHealth.Read.All | Read service health
ServiceMessage.Read.All | Read service announcement messages
SharePointTenantSettings.ReadWrite.All | Read and change SharePoint and OneDrive tenant settings
Sites.ReadWrite.All | Edit or delete items in all site collections
user_impersonation (Skype and Teams Tenant Admin API) | Access Microsoft Teams and Skype for Business data as the signed in user
TeamMember.ReadWrite.All | Add and remove members from teams
TeamMember.ReadWriteNonOwnerRole.All | Add and remove members with non-owner role for all teams
TeamsActivity.Read | Read users' teamwork activity feed
TeamsActivity.Send | Send a teamwork activity as the user
TeamsAppInstallation.ReadForChat | Read installed Teams apps in chats
TeamsAppInstallation.ReadForTeam | Read installed Teams apps in teams
TeamsAppInstallation.ReadForUser | Read users' installed Teams apps
TeamsAppInstallation.ReadWriteForChat | Manage installed Teams apps in chats
TeamsAppInstallation.ReadWriteForTeam | Manage installed Teams apps in teams
TeamsAppInstallation.ReadWriteForUser | Manage users' installed Teams apps
TeamsAppInstallation.ReadWriteSelfForChat | Allow the Teams app to manage itself in chats
TeamsAppInstallation.ReadWriteSelfForTeam | Allow the app to manage itself in teams
TeamsAppInstallation.ReadWriteSelfForUser | Allow the Teams app to manage itself for a user
TeamSettings.Read.All | Read teams' settings
TeamSettings.ReadWrite.All | Read and change teams' settings
TeamsTab.Create | Create tabs in Microsoft Teams
TeamsTab.Read.All | Read tabs in Microsoft Teams
TeamsTab.ReadWrite.All | Read and write tabs in Microsoft Teams
TeamsTab.ReadWriteForChat | Allow the Teams app to manage all tabs in chats
TeamsTab.ReadWriteForTeam | Allow the Teams app to manage all tabs in teams
TeamsTab.ReadWriteForUser | Allow the Teams app to manage all tabs for a user
Team.Create | Create teams
Team.ReadBasic.All | Read the names and descriptions of teams
ThreatAssessment.ReadWrite.All | Read and write threat assessment requests
UnifiedGroupMember.Read.AsGuest | Read unified group memberships as guest
User.ManageIdentities.All | Manage user identities
User.Read | Sign in and read user profile
User.ReadWrite.All | Read and write all users' full profiles
UserAuthenticationMethod.Read.All | Read all users' authentication methods
UserAuthenticationMethod.ReadWrite | Read and write user authentication methods
UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods
Vulnerability.Read (WindowsDefenderATP) | Read Threat and Vulnerability Management vulnerability information

LIST OF APPLICATION PERMISSIONS USED BY CIPP:

API / Permissions name | Description
--- | ---
Channel.Create | Create channels
Channel.ReadBasic.All | Read the names and descriptions of channels
ChannelMember.Read.All | Read the members of channels
ChannelMember.ReadWrite.All | Add and remove members from channels
Device.ReadWrite.All | Read and write devices
DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps
DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune Device Configuration and Policies
DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices
DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices
DeviceManagementRBAC.Read.All | Read Microsoft Intune RBAC settings
DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings
DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration
DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration
Directory.Read.All | Read directory data
Domain.Read.All | Read domains
Exchange.Manage (Office 365 Exchange Online) | Manage Exchange configuration
Files.ReadWrite.All | Read and write files in all site collections
Group.Create | Create groups
Group.Read.All | Read all groups
Group.ReadWrite.All | Read and write all groups
GroupMember.ReadWrite.All | Read and write group memberships
Mail.Send | Send mail as a user
Organization.ReadWrite.All | Read and write organization information
Policy.Read.All | Read your organization's policies
Policy.ReadWrite.ApplicationConfiguration | Read and write your organization's application configuration policies
Policy.ReadWrite.AuthenticationFlows | Read and write authentication flow policies
Policy.ReadWrite.AuthenticationMethod | Read and write authentication method policies
Policy.ReadWrite.ConditionalAccess | Read and write conditional access policy
Policy.ReadWrite.ConsentRequest | Read and write consent request policy
PrivilegedAccess.ReadWrite.AzureADGroup | Read and write privileged access to Azure AD groups
Reports.Read.All | Read all usage reports
RoleManagement.ReadWrite.Directory | Read and write directory RBAC settings
SecurityEvents.Read.All | Read your organization's security events
SecurityIncident.Read.All | Read all security incidents
SecurityIncident.ReadWrite.All | Read and write to all security incidents
SharePointTenantSettings.ReadWrite.All | Read and change SharePoint and OneDrive tenant settings
Sites.FullControl.All | Have full control of all site collections
Team.ReadBasic.All | Read the names and descriptions of teams
TeamMember.ReadWrite.All | Add and remove members from teams
TeamMember.ReadWriteNonOwnerRole.All | Add and remove members with non-owner role for all teams
User.ReadWrite.All | Read and write all users' full profiles
UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods
Vulnerability.Read.All (WindowsDefenderATP) | Read Threat and Vulnerability Management vulnerability information
