LogoLogo
Get CIPPJoin Discord
  • ☕CIPP Documentation
  • 🦸Setup
    • Self Hosting Guide
      • Prerequisites
      • Installation
      • Run From Package Mode
      • Post-Install Configuration
      • Configuring Automatic Updates
      • Updating Versions
      • Migrating to Hosted CIPP
      • Self-hosted API Setup
    • Service Account Setup
      • GDAP's Importance in CIPP
      • Creating the CIPP Service Account
      • Conditional Access best practices
      • Recommended Roles
    • Configuring CIPP
      • Adding users to CIPP
      • Executing the SAM Setup Wizard
      • Tenant Onboarding
      • Adding Tenants & Consenting the CIPP-SAM Application
      • User Roles in CIPP
      • Adding a custom domain name
      • I want to manage my own tenant
    • Implementing CIPP
      • Recommended First Steps
      • Standards Setup
    • Resources
      • Professional Onboarding Services
      • Sponsor Quick Start
  • 🙋User Documentation
    • Shared Features
      • Menu Bar
        • Tenant Select
        • Display Mode
        • 🔍Search
        • Bookmarks
        • User Preferences
      • Table Features
      • Speed Dial
      • Keyboard Shortcuts
    • CIPP Dashboard
    • Identity Management
      • Administration
        • Users
          • Bulk Add
          • Invite Guest
          • Add User
          • View Individual User
            • Edit User
            • Exchange Settings
            • Compromise Remediation
            • Conditional Access
        • Risky Users
        • Groups
          • Add Group
          • Edit Group
        • Group Templates
          • Add Group Template
          • Deploy Group Templates
        • Devices
        • Deleted items
        • Roles
        • JIT Admin
          • Add JIT Admin
        • Offboarding Wizard
      • Reports
        • MFA Report
        • Inactive Users
        • Sign Ins Report
        • AAD Connect Report
        • Risk Detections
    • Tenant Administration
      • Administration
        • Tenants
          • Edit Tenant
          • Tenant Groups
            • Add Tenant Group
            • Edit Tenant Group
        • Alert Configuration
          • Add Alert
        • Audit Logs
        • Enterprise Applications
        • Secure Score
        • App Consent Requests
        • Authentication Methods
        • Partner Relationships
      • GDAP Management
        • Relationships
          • Relationship Summary
            • Role Mappings
        • Role Mappings
          • Map GDAP Roles
        • Role Templates
          • Add Template
        • Invites
          • New Invite
        • Onboarding
        • Offboarding
      • Configuration Backup
        • Backups
          • Restore Configuration Backup
          • Add Configuration Backup
      • Standards
        • List Standards Templates
        • Add Standards Template
        • Compare Tenant to Standard
        • Best Practice Analyser
          • Best Practice Templates
          • Custom Reports
        • Domains Analyser
      • Conditional Access
        • CA Policies
          • Deploy CA Policies
        • CA Vacation Mode
          • Add Vacation Schedule
        • CA Templates
        • Named Locations
          • Add Named Locations
      • Reports
        • License Report
        • Sherweb License Report
          • Add Subscription
        • Consented Applications
    • Security & Compliance
      • Incidents & Alerts
        • Incidents
        • Alerts
      • Defender
        • Defender Status
        • Defender Deployment
        • Vulnerabilities
      • Reports
        • Device Compliance
    • Intune
      • Applications
        • Applications
          • Add Application
            • Add MSP App
            • Add Store App
            • Add Choco App
            • Add Office App
        • Application Queue
      • Autopilot
        • Autopilot Devices
        • Add Autopilot Device
        • Profiles
        • Add Profile
        • Status Pages
        • Add Status Page
      • Device Management
        • Devices
        • Configuration Policies
        • Compliance Policies
        • Protection Policies
        • Apply Policy
        • Policy Templates
        • Scripts
      • Reports
        • Analytics Device Score
    • Teams & SharePoint
      • OneDrive
      • SharePoint
        • Add Site
        • Bulk Add Site
      • Teams
        • Teams
          • Add Team
        • Teams Activity
        • Business Voice
    • Email & Exchange
      • Administration
        • Mailboxes
          • Add Shared Mailbox
        • Deleted Mailboxes
        • Mailbox Rules
        • Contacts
          • Add Contact
          • Edit Contact
        • Quarantine
        • Tenant Allow/Block Lists
          • Add Entry
      • Transport
        • Transport rules
          • Deploy Template
        • Transport Templates
        • Connectors
          • Deploy connector Templates
        • Connector Templates
      • Spamfilter
        • Spamfilter
          • Deploy Spamfilter
        • Spamfilter Templates
        • Connection filter
          • Deploy Connection Filter
        • Connection filter templates
      • Tools
        • Mailbox Restore Wizard
        • Mail Test
      • Resource Management
        • Rooms
          • Add Room
          • Edit Room
        • Room Lists
      • Reports
        • Mailbox Statistics
        • Mailbox Client Access Settings
        • Anti-Phishing Filters
        • Malware Filters
        • Safe Link Filters
        • Safe Attachment Filters
        • Shared Mailbox with Enabled Account
        • Global Address List
    • Tools
      • Tenant Tools
        • Graph Explorer
        • Application Approval
        • Tenant Lookup
        • IP Database
        • Individual Domain Check
      • Email Tools
        • Message Trace
        • Mailbox Restores
        • Message Viewer
      • Dark Web Tools
        • Tenant Breach Lookup
        • Breach Lookup
      • Template Library
      • Community Repositories
        • View Repository Templates
      • Scheduler
        • Add Job
    • CIPP
      • Application Settings
        • Permissions
        • Tenants
        • Backend
        • Notifications
        • Partner Webhooks
        • Licenses
        • CIPP Backup
        • Global Variables
      • Logbook
      • SAM Setup Wizard
      • Integrations
        • Integration Sync
        • CIPP-API
        • Sherweb
        • Gradient
        • Halo PSA Ticketing
        • NinjaOne
        • Hudu
        • Password Pusher
        • Have I Been Pwned?
        • Cloudflare
        • GitHub
      • Custom Data
        • Directory Extensions
          • Add Directory Extension
        • Schema Extensions
          • Add Schema Extension
        • Mappings
          • Add Mapping
          • Edit Mapping
      • Advanced
        • Super Admin
          • Tenant Mode
          • Function Offloading
          • Custom Roles
          • SAM App Roles
          • SAM App Permissions
        • Exchange Cmdlets
        • Timers
        • Table Maintenance
  • 📂Troubleshooting
    • Error codes
    • Troubleshooting instructions
      • Refreshing a Specific Tenant's Permissions via CPV API
    • Frequently Asked Questions
      • I got a "Potential Phishing page detected" alert. What do I do with that?
  • 🔐Security
    • CIPP Security and Compliance
      • Security Policy
      • Security reports
    • CIPP Community Vulnerability Disclosure Policy
  • 👩‍💻👩💻 Dev Documentation
    • CIPP Dev Guide
      • Setting Up for Local Development
      • Executing Local Development
      • Project Structure
      • Development Tips
      • CIPP v7 Developer Brief
    • Contributing to the Code
    • Contributing to the Documentation
  • ⚙️API Documentation
    • Setup & Authentication
    • Endpoints
  • 🧰MSP Adoption Toolkit
    • Building a CIPP Business Case
  • ☕Sip & CIPP
    • Conditional Access
    • Autopilot & Intune
  • CIPP New Interface Release Candidate 2 (rc2)
Powered by GitBook
On this page
  • Confirm You’ve Met All Prerequisites
  • Choose Your Deployment Template

Was this helpful?

Edit on GitHub
Export as PDF
  1. Setup
  2. Self Hosting Guide

Installation

Installing Your Self-Hosted CIPP

PreviousPrerequisitesNextRun From Package Mode

Last updated 2 months ago

Was this helpful?

If you choose to sponsor and use the CyberDrain hosted version, you can skip over these steps, and jump over to our guide for further direction.

This guide walks you through deploying your self-hosted instance of CIPP using our Azure Resource Manager (ARM) templates. Once completed, you’ll have a fully functioning CIPP installation, ready to configure.

Confirm You’ve Met All Prerequisites

Before deploying, ensure you’ve completed everything in the section (forks, Azure subscription, GitHub PAT, etc.).


Choose Your Deployment Template

1

Default (Regional) Deployment

When to use:

  • Your Azure region supports (SWA).

  • You want SWA to deploy automatically to the closest supported data center.

This template creates all necessary resources in your local region, including:

  • Azure Function App (API) with a Storage Account

  • Azure Key Vault for CIPP secrets

  • Azure Static Web App (SWA) that auto-selects a supported region near you

After you have completed the prerequisites in, select the button below to run the automated setup.

You must replace the preset "Github Repository" and "Github API Repository" fields with the URL's of your own Github fork of the CIPP repository.

What if the deployment fails? It’s simplest to delete the resource group in the Azure portal and try again. This ensures a clean slate.

2

Alternative (Central US) Deployment

Azure Static Web Apps (SWA) is global by default (it picks the data center closest to you) however some regions don't support deployment. To work around this use the alternative installation button below.

When to use:

  • You need to enforce the SWA resource to deploy in Central US due to deployment issues

  • Your region doesn’t support SWA. Regions that support SWA deployment at the moment are:

    • Central US

    • East US 2

    • East Asia

    • West Europe

    • West US 2

The key difference:

  • SWA is pinned to centralus in the ARM template.

  • The other resources (Key Vault, Function App, Storage) still deploy to the region you choose in the Azure Portal.

  • The SWA remains globally served, so end-user latency is typically minimal.

Steps for deploying via the Azure Portal
  1. Open the Template

    • Click the Deploy to Azure button above based on your deployment needs.

    • The Azure Portal will load a “Custom deployment” form.

  2. Fill in Deployment Parameters

    • GitHub Repository: Replace the default with your fork of the CIPP frontend repo.

    • GitHub Token: Paste your Personal Access Token. (Make sure it has permissions to access and deploy from your forked repo.)

  3. Select a Region

    • Choose the region for your Key Vault, Function App, and Storage.

    • Note: If you’re using the Alternative (Central US) template, SWA will still deploy in centralus automatically, but the rest of your resources honor this selected region.

  4. Review + Create

    • Check your settings, especially the repository URLs.

    • Click Review + create, wait for validation, then Create.

  5. Wait for Completion

    • You can monitor progress in the Azure Portal’s Notifications.

    • If it fails, delete the resource group and try again for a clean slate.

  6. Verify Your Deployment

    • Navigate to the Resource Group to check that the resources (Key Vault, Function App, Storage, SWA) exist.

    • Open the Static Web App and locate the “Primary endpoint” or “URL” field in the SWA resource. Browse to it. If everything’s working, you’ll see the CIPP login screen

What the ARM Template Deploys

Both templates create these resources (unless otherwise noted):

  • Key Vault

    • Stores sensitive data like applicationid, applicationsecret, refreshtoken, and tenantid.

  • Azure Function App

    • Hosts the CIPP-API, deployed via a zip package in Azure Storage (latest.zip from cipp-api releases).

    • Uses a System-Assigned Managed Identity for secure operations.

  • Storage Account

    • Required for the Function App’s logs and file storage.

  • App Service Plan

    • A Y1 (Consumption) plan to keep Function App costs low.

  • Static Web App (SWA)

    • Hosts the frontend (CIPP React app).

    • Defaults to a global distribution, unless you use the Alternative template pinned to centralus.

🦸
Sponsor Quick Start
Prerequisites
Azure Static Web Apps