Self-hosted API Setup

For users running CIPP in their own Azure environment.

Assign the “Contributor” Role to the Function App

If you're self-hosting and running your own Azure Function App, you'll need to grant it proper access:

1.

2. Open the resource group hosting CIPP.

3. Select the Function App (not an offloaded app).

4. Navigate to Access control (IAM) > + Add > Add role assignment.

5. Click on Privileged administrator roles.

6. Choose:

  • Role: Contributor

  • Assign access to: User, group, or service principal

  • Select: The CIPP Function App identity

The Contributor role should allow the identity to create and manage all types of Azure resources, but does not allow it to grant access to others.

In the Select field, type cipp. As you begin typing, the list of options will narrow, and you should see the Managed Identity for your Function App.

7. Click Save.


PowerShell Role Assignment (Alternative)

You can also use Azure Cloud Shell:

    # Resource group that hosts the CIPP deployment
    $RGName = Read-Host -Prompt "Resource Group Name"
    Connect-AzAccount
    # Find the Function App: name contains 'cipp' and has no hyphen
    $Functions = Get-AzResource -ResourceGroupName $RGName -ResourceType 'Microsoft.Web/sites' | Where-Object { $_.Name -match 'cipp' -and $_.Name -notmatch '-' }
    $FunctionApp = Get-AzWebApp -ResourceGroupName $Functions.ResourceGroupName -Name $Functions.Name
    # Principal ID of the Function App's managed identity
    $Identity = $FunctionApp.Identity.PrincipalId
    # Grant Contributor on the Function App itself, not on the whole resource group
    New-AzRoleAssignment -ObjectId $Identity -RoleDefinitionName 'Contributor' -Scope $FunctionApp.Id

This script can be run in Azure Cloud Shell. Click the link to be taken to the Azure Portal.
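
To confirm the result, the following check lists what the Function App identity actually holds. It is an added example, not part of the CIPP documentation or project code. It assumes the Az PowerShell module, an already authenticated session (as in Azure Cloud Shell), and a system-assigned managed identity; the variable names are illustrative.

```powershell
# Added example: verify the Contributor assignment described on this page.
# Assumption: an authenticated Az session and a system-assigned identity.
$RGName = Read-Host -Prompt "Resource Group Name"

# Same name filter as the script above: 'cipp' in the name, no hyphen.
# Wrapped in @() so zero or several matches are detected, not silently used.
$Sites = @(Get-AzResource -ResourceGroupName $RGName -ResourceType 'Microsoft.Web/sites' |
    Where-Object { $_.Name -match 'cipp' -and $_.Name -notmatch '-' })
if ($Sites.Count -ne 1) {
    throw "Expected exactly one matching Function App, found $($Sites.Count): $($Sites.Name -join ', ')"
}

$FunctionApp = Get-AzWebApp -ResourceGroupName $RGName -Name $Sites[0].Name
$PrincipalId = $FunctionApp.Identity.PrincipalId
if (-not $PrincipalId) {
    throw "No system-assigned managed identity found on $($FunctionApp.Name)."
}

# Every role assignment the identity holds in the current subscription.
$Assignments = @(Get-AzRoleAssignment -ObjectId $PrincipalId)

# The assignment this page creates: Contributor, scoped to the Function App.
$Expected = $Assignments | Where-Object {
    $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $FunctionApp.Id
}
if ($Expected) {
    Write-Output "OK: Contributor is assigned at $($FunctionApp.Id)"
} else {
    Write-Warning "Contributor is not assigned at the Function App scope."
}

# Assignments at any other scope were not created by the steps on this page;
# list them so they can be reviewed.
$Assignments | Where-Object { $_.Scope -ne $FunctionApp.Id } |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
```

An empty table at the end means the identity holds nothing beyond the Function App scope.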
