
Recommended Roles

Because CIPP is an application that touches many parts of M365, selecting the right roles can be difficult. The roles below are the recommended set for CIPP. You may experiment with a less permissive set, but you do so at your own risk: a missing role shows up as failed permission checks and failed actions for the affected feature.


The table below outlines the recommended roles for use in CIPP and describes what each role enables. See Microsoft's Entra ID built-in roles reference (https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) for detailed information about each specific role.

Roles

| Role Name | What it allows for |
|---|---|
| Application Administrator | Can create and manage all applications, service principals, app registrations, enterprise apps and consent requests. Cannot manage directory roles or security groups. |
| Authentication Policy Administrator | Configures the authentication methods policy and MFA settings, manages Password Protection settings, creates and manages verifiable credentials, and opens Azure support tickets. Restricted from updating sensitive user properties, deleting or restoring users, and managing legacy MFA settings. |
| Billing Administrator | Can perform common billing-related tasks such as updating payment information. |
| Cloud App Security Administrator | Manages all aspects of Defender for Cloud Apps in Azure AD, including policies, alerts and related configuration. |
| Cloud Device Administrator | Enables, disables and deletes devices in Azure AD and reads Windows 10 BitLocker keys. Does not grant permission to manage other properties on the device. |
| Domain Name Administrator | Can manage domain names in the cloud and on-premises. |
| Exchange Administrator | Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity and related settings. Limited access to related Exchange settings in Azure AD. |
| Global Reader | Can read everything that a Global Administrator can, but cannot update anything. |
| Intune Administrator | Manages all aspects of Intune, including all related resources, policies, configurations and tasks. |
| Privileged Authentication Administrator | Sets and resets authentication methods for all users (admin or non-admin) and deletes or restores any user. Manages support tickets in Azure and Microsoft 365. Restricted from managing per-user MFA in the legacy MFA portal. |
| Privileged Role Administrator | Manages role assignments in Azure AD and Azure AD Privileged Identity Management, creates and manages groups, and manages all aspects of Privileged Identity Management and administrative units. Allows managing assignments for all Azure AD roles, including Global Administrator. |
| Security Administrator | Can read security information and reports, and manages security-related features, including identity protection, security policies, device management and threat management in Azure AD and Office 365. |
| SharePoint Administrator | Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets and service health. Scoped permissions for Microsoft Intune, SharePoint and OneDrive resources. |
| Teams Administrator | Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets and service health. |
| User Administrator | Manages all aspects of users, groups and registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects. |

Note that Privileged Role Administrator and Privileged Authentication Administrator are effectively Global Administrator-equivalent roles (the former can assign Global Administrator, the latter can reset a Global Administrator's credentials), so the service account holding this set must be treated as a tier-0 identity in the partner tenant.

With v10.1, CIPP added the three previously suggested roles (Billing Administrator, Domain Name Administrator and Global Reader) to the core recommended roles in code. For tenants that have been running CIPP for a while, the permission check now reports these three roles as missing. Our recommended way to resolve this is:

1. Map the Additional Roles

Go to Tenant Administration > GDAP Management > Role Mappings and click Map GDAP Roles. Select Billing Administrator, Domain Name Administrator and Global Reader in the dropdown. Hit Submit and CIPP will create the M365 GDAP groups.

2. Add the CIPP Service Account to the New Role Groups

If you've added your partner/internal tenant to CIPP, use Identity Management > Administration > Users to add the service account to the three additional security groups. If not, complete this manually in Entra or the Microsoft 365 Admin portal.

3. Recreate the CIPP Defaults Role Template

In Tenant Administration > GDAP Management > Role Templates, locate your CIPP Defaults role template and delete it. A prompt will appear asking whether you would like to create the CIPP Defaults template. Click the button to create the defaults. This new template will include all 15 roles.

4. Generate New GDAP Relationships

From the Invites tab, use the New Invite action to generate enough invite links with the new CIPP Defaults template to establish new relationships with all of your GDAP clients.

5. Consent in Each Client Tenant

A Global Administrator in each client tenant will need to consent to the new relationship.

6. (Optional) Terminate Old GDAP Relationships

From Tenant Administration > GDAP Management > Relationships, select your old relationships and use the Terminate Relationship action. This can be done one by one, or using the check boxes and bulk actions. Terminate an old relationship only after the replacement relationship for that client shows as active; otherwise CIPP loses access to the tenant until the new one is consented.
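Step 2 above can also be done (and, more usefully, audited) from the partner tenant with the Microsoft Graph PowerShell SDK. The script below is an added example, not CIPP's own code: it checks the CIPP service account's membership in every one of the 15 recommended GDAP role groups and, with -Fix, adds it to any group it is missing from. It assumes the groups CIPP creates are named "M365 GDAP <Role Name>" (assumed naming convention; adjust $GroupPrefix if yours differ) and that the placeholder UPN is replaced with your actual service account.

```powershell
<#
Added example (not part of the CIPP project). Audits and optionally fixes the CIPP
service account's membership in the GDAP role security groups of the partner tenant.
Requires: Install-Module Microsoft.Graph (Groups and Users submodules).
#>
param(
    # Placeholder UPN; replace with your CIPP service account (assumption, not from the page).
    [string]$ServiceAccountUpn = 'cipp-service@contoso.onmicrosoft.com',
    # Assumed naming convention for the groups CIPP creates via Role Mappings.
    [string]$GroupPrefix = 'M365 GDAP ',
    # Without -Fix the script only reports; with -Fix it adds missing memberships.
    [switch]$Fix
)

# The 15 roles from the recommended-roles table.
$RecommendedRoles = @(
    'Application Administrator', 'Authentication Policy Administrator', 'Billing Administrator',
    'Cloud App Security Administrator', 'Cloud Device Administrator', 'Domain Name Administrator',
    'Exchange Administrator', 'Global Reader', 'Intune Administrator',
    'Privileged Authentication Administrator', 'Privileged Role Administrator',
    'Security Administrator', 'SharePoint Administrator', 'Teams Administrator', 'User Administrator'
)

# Least-privilege scopes: group/member write is only needed when -Fix is used.
$scopes = @('User.Read.All', 'Group.Read.All', 'GroupMember.Read.All')
if ($Fix) { $scopes += 'GroupMember.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Resolve the service account once; -ErrorAction Stop aborts on a typo in the UPN.
$account = Get-MgUser -UserId $ServiceAccountUpn -ErrorAction Stop

# Fetch every GDAP group in one query and index by display name (avoids 15 filtered calls).
$gdapGroups = @{}
Get-MgGroup -Filter "startswith(displayName,'$GroupPrefix')" -All |
    ForEach-Object { $gdapGroups[$_.DisplayName] = $_ }

$report = foreach ($role in $RecommendedRoles) {
    $name  = "$GroupPrefix$role"
    $group = $gdapGroups[$name]

    if (-not $group) {
        # Group does not exist yet: map the role in CIPP first (step 1), nothing to fix here.
        [pscustomobject]@{ Role = $role; Group = $name; Status = 'GROUP MISSING' }
        continue
    }

    $memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
    if ($memberIds -contains $account.Id) {
        [pscustomobject]@{ Role = $role; Group = $name; Status = 'OK' }
        continue
    }

    if ($Fix) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $account.Id
        [pscustomobject]@{ Role = $role; Group = $name; Status = 'ADDED' }
    } else {
        [pscustomobject]@{ Role = $role; Group = $name; Status = 'NOT A MEMBER' }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit when anything is still wrong, so the script can run as a scheduled check.
$problems = @($report | Where-Object Status -in 'GROUP MISSING', 'NOT A MEMBER')
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) of $($RecommendedRoles.Count) role groups need attention."
    exit 1
}
```

Run it without -Fix first to see which of the 15 groups the account is missing from; a GROUP MISSING status means the role has not been mapped in CIPP yet (step 1), while NOT A MEMBER is what step 2 corrects. Because the group memberships grant GDAP-delegated Global Administrator-equivalent access across every client tenant, run this with an account you already treat as tier-0 and review the ADDED lines rather than scheduling -Fix unattended.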
