Connecting to your tenants

Set up access to my clients using the SAM Wizard

Failing to adhere precisely to these instructions may result in a malfunctioning CIPP instance where features don't work as expected. Do not deviate from these instructions and follow them to the letter.

Setup Video for SAM Service Account

Authorization requirements

To set up the Graph API, CSP, and Exchange integration, CIPP requires a minimum level of permissions. We recommend setting up the account as follows:

  1. Create a new account. We recommend naming this account something obvious such as "CIPP Integration" and giving it the username "CIPP@domain.tld"

    1. This account must be a Global Administrator while setting up the integration. These permissions may be removed after the integration has been set up.

  2. Add the account to the correct groups

  • The CIPP user must be added to the "AdminAgents" group and the groups you've assigned for GDAP. The minimum GDAP groups & permissions CIPP needs to function are:

    • Application Administrator

    • Authentication Policy Administrator

    • Cloud App Security Administrator

    • Cloud Device Administrator

    • Exchange Administrator

    • Intune Administrator

    • Privileged Role Administrator

    • Security Administrator

    • SharePoint Administrator

    • Teams Administrator

    • User Administrator

    • Privileged Authentication Administrator

  • These groups are not roles in your own tenant. These must be the GDAP assigned groups.

  • Do not over-assign GDAP groups. Too many permissions will stop GDAP functionality. For more information check out Microsoft's documentation here

  3. This account must have Microsoft multi-factor authentication enforced for each logon, either via Conditional Access when available or via Per User MFA when Conditional Access is not available.

  • You may not use any other authentication provider than Microsoft for this account. Duo or other providers will not work. For more information on this see this

The account will be used for all actions performed from the CIPP portal.
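The three steps above are easy to get subtly wrong (a missing GDAP group or an account that never registered an MFA method), so the following Microsoft Graph PowerShell script audits a service account against them before you run the wizard. It is an added example and not CIPP's own code; it assumes the Microsoft.Graph module is installed, that you sign in to the partner tenant as an administrator, and that the group names in `$GdapGroupMap` are replaced with the names you actually gave your GDAP security groups (the names shown are placeholders).

```powershell
# Added example (not part of CIPP): check a CIPP service account against the
# prerequisites above using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; you are signed in as an admin of
# the partner tenant; $GdapGroupMap holds YOUR GDAP group names (placeholders below).

$ServiceAccountUpn = "CIPP@domain.tld"   # the account created in step 1

# Required GDAP role -> display name of the group in your tenant that grants it.
# These group names are placeholders; edit them to match your own GDAP groups.
$GdapGroupMap = [ordered]@{
    "Application Administrator"               = "GDAP-Application-Admin"
    "Authentication Policy Administrator"     = "GDAP-AuthPolicy-Admin"
    "Cloud App Security Administrator"        = "GDAP-CloudAppSec-Admin"
    "Cloud Device Administrator"              = "GDAP-CloudDevice-Admin"
    "Exchange Administrator"                  = "GDAP-Exchange-Admin"
    "Intune Administrator"                    = "GDAP-Intune-Admin"
    "Privileged Role Administrator"           = "GDAP-PrivRole-Admin"
    "Security Administrator"                  = "GDAP-Security-Admin"
    "SharePoint Administrator"                = "GDAP-SharePoint-Admin"
    "Teams Administrator"                     = "GDAP-Teams-Admin"
    "User Administrator"                      = "GDAP-User-Admin"
    "Privileged Authentication Administrator" = "GDAP-PrivAuth-Admin"
}

Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All","UserAuthenticationMethod.Read.All"

# Step 1: the account must exist (Get-MgUser accepts the UPN as -UserId)
$user = Get-MgUser -UserId $ServiceAccountUpn -ErrorAction Stop

# Step 2: resolve every group the account belongs to into its display name
$memberOf = Get-MgUserMemberOf -UserId $user.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

$findings = @()
if ($memberOf -notcontains "AdminAgents") {
    $findings += "Missing membership: AdminAgents"
}
foreach ($role in $GdapGroupMap.Keys) {
    $group = $GdapGroupMap[$role]
    if ($memberOf -notcontains $group) {
        $findings += "Missing GDAP group '$group' (grants $role)"
    }
}

# Step 3 sanity check: an account with only a password registered cannot satisfy
# an MFA policy, so flag it. (Whether a Conditional Access policy actually
# enforces MFA for this account is not verified here.)
$methodTypes = Get-MgUserAuthenticationMethod -UserId $user.Id |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] }
$strongMethods = $methodTypes |
    Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }
if (-not $strongMethods) {
    $findings += "No MFA method registered for $ServiceAccountUpn; step 3 cannot be satisfied"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "$ServiceAccountUpn meets the CIPP prerequisites listed above."
}
```

Run it as an administrator of your partner tenant before starting the wizard; each warning maps to one of the numbered steps above. The script checks only that the required groups are present, not that extra GDAP groups are absent, so the "do not over-assign" caveat still has to be reviewed by hand.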

Executing the wizard

Make sure you are logged into CIPP under your own account (user@domain.com). The CIPP SAM wizard will prompt you to log on; at that moment, use the CIPP Service Account (CIPP@domain.com).

Your browser MUST allow cookies and have any ad-blocker disabled for the duration of the wizard. Do not use in-private mode.

To set up the connection to your tenants you'll need to run the SAM Wizard. The SAM Wizard can be found under Settings -> SAM Setup Wizard. The Wizard will present you with multiple options. If this is your first setup, it is recommended to choose "I'd like CIPP to create a SAM Application for me".

When executing the SAM Wizard with "I'd like CIPP to create a SAM Application for me" you'll be presented with a button to start the Wizard. Do not navigate away from this page, and execute all 5 steps that this page will prompt you for.
