Frequently Asked Questions

SELF-HOSTED NOTE: Be sure to verify that your repo is actually up to date. Instructions for updating self-hosted CIPP can be found in Updating Versions.

CIPP-HOSTED NOTE: Updates can take several hours to roll out to all instances depending on how well GitHub and Azure are communicating at the time the release is pushed. If it's been more than 48 hours, follow these instructions and then reach out to CIPP's helpdesk if still not resolved.

CIPP v7+ heavily relies on caching. Because of this it is necessary to clear your browser's cookies and cache to pull in the most up to date version of CIPP's frontend.

• Chrome/Edge - Open DevTools (F12), right click on the refresh button, select "Empty cache and hard reset"

• Firefox - Click the padlock in the URL bar and select "Clear cookies and site data..."

Assuming you're running on the click-to-deploy configuration and average usage patterns it should cost $15 - $20 or £17 - £22 per month. You can check the costs, and estimated costs, for the resource group on the Azure Portal.

Please note it is your responsibility to ensure you are keeping an eye on costs within your instances.

We know, you love CIPP. You want everything to integrate with CIPP. Unfortunately, CIPP's business model doesn't allow us to take on the development, documentation, and help desk training to support every integration out there. In order for a vendor to integrate with CIPP, we need them to sponsor CIPP at the integration level.

Vendor sponsorship pays for that development, training, and support. If you have a vendor that you want to see integrated with CIPP, please reach out to your Account Manager at the vendor and let them know that you are interested.

Here's a couple of options for emails that you can send to licensing provider vendors. Modify these as you see fit for other vendors.

Email 1: You love CIPP and would switch distributors based on who we integrate with:

Hi,

I hope you're doing well! I'm reaching out to you today as I'm a user of a tool called CIPP(https://cipp.app). It has greatly enhanced my Microsoft 365 experience and is now our core tool when it comes to performing M365 management. 
We understand you might be having discussions with their team already, but we just want to amplify that our choice of distributor is dependant on which one integrates with CIPP

Regards,

Email 2: You love CIPP and would like your distributor to integrate

Hi,

I hope you're doing well! I'm reaching out to you today as I'm a user of a tool called CIPP(https://cipp.app). It has greatly enhanced my Microsoft 365 experience and is now our core tool when it comes to performing M365 management. 
We understand you might be having discussions with their team already, but we just want to amplify that our preference is to use CIPP to transact licenses.

Regards,

Performance issues in CIPP are not expected. If your performance appears impacted, you can follow these steps to diagnose and resolve the issue:

1. Check Your Deployment Region:

   • Ensure that you deployed to the nearest region. You can verify this at Azure Speed.

2. Enable Function Offloading

   • For more information, refer to the documentation on Function Offloading for limitations and setup.

If users in your organization have not accessed CIPP in a while, the Static Web App will put itself into a sleep state to save on resource usage. It's normal to see an initial 15-20 second delay on the first results being called from the CIPP-API backend. This is sometimes known as a cold start.

If you want to avoid cold starts, it's possible to utilize the API Documentation and an RPA such as CIPP sponsor Rewst to make a basic call to keep activity on the function app. A basic call to /PublicPing every 3-5 minutes will complete quickly and ensure that your function app stays in a warm state. It is recommended that you limit your RPA cron to only during expected business hours to limit the number of additional function app calls you are making. The /PublicPing endpoint does not require the full authentication setup for the API.

Self-hosted clients should see minimal impact to their overall costs.

To add Conditional Access to CIPP, follow the below steps:

1. Go to your Conditional Access Policies

2. Select which users to apply the policy to, default suggestion is "All Users"

3. Select Azure Static Web Apps as the included app under "Cloud Apps or actions"

4. Configure any condition you want. For example, Trusted Locations, specific IPs, specific platforms.

5. At Access Controls you must enable Grant, with MFA access.

6. Select Save

Your app is now protected with Conditional Access.

Beginning with v7, CIPP relies on the tenant's name at the time a GDAP relationship was created. Much of the tenant naming and renaming API capabilities were deprecated. As such, it will no longer pull in live information if you rename a tenant through your Microsoft Partner Portal.

To have the new tenant's name show up in CIPP, you have two options

Establish a New Relationship

1. After renaming the tenant, create a new GDAP relationship. You can use the Tenant Onboardingwizard to expedite this process.

2. Terminate the old GDAP relationship. This can be accomplished by locating the old relationship on the GDAP Relationshipspage and selecting terminate relationship from the per-row actions or Bulk Actions with the row selected.

3. Cleare your tenant cache from Application Settings.

Utilize the Tenant Alias Functionality

CIPP can also set an alias via the Properties section of Edit Tenant.

The CIPP alert "Alert on admins without any form of MFA" is based on checking a report created by Microsoft. This report is only updated once every 7 days. As such, CIPP recommends only running this alert every 7 days. It's possible the user may still show up on the report after remediation if the report has not refreshed since you completed your remediation steps.

Typically, this error means you're using tokens that don't have a "strong auth claim" or similar. This could be because you're using non-Azure AD MFA or you didn't complete MFA when creating your tokens for one or more of the authentication steps. Make sure you're using a supported MFA method and that you've completed the MFA steps when creating your tokens.

Check the Multi-Factor Authentication Troubleshooting details in the Troubleshootingsection for more information.

1. Perform a CPV Permissions Refresh:

   1. Navigate to Settings -> CIPP -> Application Settings

   2. Click on the Tenants tab.

   3. Click the blue refresh button in the "Actions" column for the relevant tenant.

2. Perform Permissions Check:

   1. Navigate to Settings -> CIPP -> Application Settings

   2. Select "Perform Permissions Check"

3. Conduct GDAP Check

   1. Navigate to CIPP -> Application Settings -> GDAP Check.

   2. After the Permissions Check, perform the GDAP check

4. Perform an Access Check:

   1. Navigate to CIPP -> Application Settings -> Access Check.

   2. Select the relevant tenant and click "Run access check".

Complete all checks for effective troubleshooting. If you still have issues or for detailed instructions, refer to theRefreshing a Specific Tenant's Permissions via CPV API page, the Troubleshooting Instructions page, and the relevant sections on our Error Codes page.

Sometimes when you are running a permissions check, you may encounter specific errors that you are missing some of the API permissions required for CIPP to perform as expected.

To ensure full functionality of CIPP, follow these steps to add the necessary API permissions:

1. Click the Details button on the Permissions Check section of CIPP Settings > Permissions

2. Click Repair Permissions. CIPP will automatically add newly added or missing permissions to your CIPP-SAM application.

3. CIPP will queue up CPV refreshes to push the update permissions to your client tenants.

This error occurs because the user who authorized the CSP or Graph API connection has had their password changed, sessions revoked, or account disabled. Reauthorization is required.

To resolve this, execute the SAM Wizard with Option 4:

• Go to CIPP -> Application Settings -> Setup Wizard.

• Select "Refresh Tokens for existing application registration"

Important: Ensure your browser allows cookies, disable any ad-blockers, and do not use in-private mode.

For more details, refer to:

• Troubleshooting

1. Perform a Permissions Check:

   • Go to CIPP -> Settings -> Permissions

   • A Permissions Check will automatically run on page load

2. Confirm the UserPrincipalName matches the expected service account.

3. If not, go to the Setup Wizard and select the option to "Refresh Tokens for existing application registration.

4. Review the remaining Permissions Check output after replacing the incorrect account.

   • The refresh token matches key vault. This may take a little while to update after first changing the account due to caching.

   • The user should be a service account.

   • The user needs to be a member of the AdminAgents group.

   • The application has all the required permissions. If you have an error here, review I'm getting missing permissions errors when performing the Permissions Check on my CIPP-SAM application. How can I fix this?

If there are issues with the GDAP relationship, follow these steps:

1. Check GDAP Relationships:

   • Go to Microsoft Partner Center.

   • Select the client you are testing with and look at the relationships.

2. Verify Access:

   • If you only see a relationship with "MLT_", you do not have write-access to the tenant.

   • If you see other relationships, click into them and check if the roles are mapped to groups.

3. Create Role Mapping:

   • If roles are not mapped, create the mapping by clicking the + icon.

   • Assign these groups to the CIPP service account.

4. Identify the CIPP Service Account:

   • Go to CIPP -> Application Settings -> Permissions -> Permissions Check.

   • Review the results for the UserPrncipalName to identify the CIPP service account.

This error may occur because the user is not in any of the GDAP groups. To resolve this:

1. Check Recommended GDAP Roles and Relationships:

   • Refer to the Recommended Roles document.

2. Perform a Tenant Access Check:

   • Go to CIPP -> Settings -> Tenants -> perform a Tenant Access Check from the Actions.

   • This will show you which roles might be missing.

No, CIPP can work with any M365 license in your partner tenant. For specific features CIPP will of course only function if the tenant is licensed correctly, e.g. to manage Intune, the tenant must have Intune Licensing.

Please see the standard "Enable Usernames instead of pseudo anonymized names in reports" in List Standards Templates.

If you're experiencing issues with installation, please report these in #cipp-community-help on the CIPP Discord

If your Azure Tenant requires admin approval for user apps, add consent by following the below steps:

1. Go to Azure Enterprise Applications

2. Find Azure Static Websites

3. Grant Admin Consent for all

This permits users the ability to grant consent when access CIPP now.

For the CIPP application:

No, CIPP's branding is compiled into the code. Additionally, the branding isn't just a decorative feature, it plays a role in helping maintain visibility and community growth.

For CIPP reports:

Yes, please set up the Branding Settings in Application Settings

You can use our management portal to add or change a domain name. Follow these steps:

1. Set CNAME:

   • First, set any CNAME you want to use to your current portal domain.

   • For example, set "CIPP.MyMsp.com" to "Proud-Dolphin01928.azurewebsites.net".

2. Use the Management Portal:

   • After setting the CNAME, use the management portal to finish the setup and add it on the platform.

To find the correct AppID for CIPP:

1. Run a Permissions Check:

   • Go to CIPP -> Application Settings -> Permissions -> Permissions Check.

2. Locate the Correct AppID:

   • There will be a direct link to the application registration CIPP currently uses.

   • You can safely delete the other AppIDs.

To generate a HAR file while performing an action, follow these steps:

1. Open Chrome DevTools:

   • Right-click in the browser window or tab.

   • Select Inspect.

2. Capture Network Traffic:

   • Click the Network tab in the panel that appears.

3. Export the HAR File:

   • Click the download button (tooltip will say "Export HAR").

   • Name the file and click Save.

For more details, refer to the Chrome DevTools guide.

1. Check for a Lighthouse License:

   • Ensure you have a Lighthouse license enabled by following the instructions here.

2. Check for a New EULA:

   • Go to Microsoft Lighthouse and check if there is a new EULA waiting for you to accept.

For more details, refer to the Lighthouse sign-up guide.

Q: How long does it typically take for new standards to be applied to a tenant?

A: It usually takes between 0 to 3 hours for new standards to be applied to a tenant. This timeframe depends on the scheduling of a cron job that automatically initiates the application of standards.

Q: Can I apply standards immediately instead of waiting for the cron job?

A: Yes, you can apply standards immediately by clicking the "Run Now" buttons located in the top right corner of the interface. This action bypasses the scheduled cron job and applies the standards right away.

This error can mean two things;

• You migrated using different tools, such as Microsoft Lighthouse.

• You didn't assign the groups to the user after migrating.

Make sure you assign the correct groups to the CIPP service account. For more information see our best practices in Recommended Roles.

Auto Extend is only available for relationships without the Global Administrator role. If your relationship contains the Global Administrator role you cannot enable this feature. This means that you will need to renew the relationship by reinviting the tenant every 2 years. If your relationships contain at least the Recommended Roles in addition to Global Administrator, you can go to GDAP Management -> Relationships, select one or more relationship and choose the action "Remove Global Administrator from Relationship". After waiting for changes to sync, you can then select the action "Enable automatic extension".

If your CIPP-API isn't updating, start by checking the Actions tab in your repository for a workflow named _master*.yml.

• If the workflow is missing: Your repository may not be fully configured. Follow the instructions provided in Recreate the Workflow Fileto restore the action workflow.

You don't need to do anything. The personal access token was only needed for initial deployment.