Frequently Asked Questions

Assuming you're running on the click-to-deploy configuration and average usage patterns it should cost $15 - $20 or £17 - £22 per month. You can check the costs, and estimated costs, for the resource group on the Azure Portal.

Please note it is your responsibility to ensure you are keeping an eye on costs within your instances.

Performance issues in CIPP are not expected. If your performance appears impacted, you can follow these steps to diagnose and resolve the issue:

1. Check Your Deployment Region:

   • Ensure that you deployed to the nearest region. You can verify this at Azure Speed.

2. Clear Durable Queues:

   • Go to your CIPP instance.

   • Open the Application Settings menu.

   • Click on "Maintenance".

   • Select "Clear Durable Queues".

3. Purge Orchestrators:

   • Click on "Purge Orchestrators".

For more information, refer to the maintenance instructions.

If you are self-hosted, you will also want to ensure you have configured Run From Package mode, which can help make sure your system is running efficiently on the backend.

To add Conditional Access to CIPP, follow the below steps:

1. Go to your Conditional Access Policies

2. Select which users to apply the policy to, default suggestion is "All Users"

3. Select Azure Static Web Apps as the included app under "Cloud Apps or actions"

4. Configure any condition you want. For example Trusted Locations, specific IPs, specific platforms.

5. At Access Controls you must enable Grant, with MFA access.

6. Select Save

Your app is now protected with Conditional Access.

Typically this error means you're using tokens that don't have a "strong auth claim" or similar. This could be because you're using non-Azure AD MFA or you didn't complete MFA when creating your tokens for one or more of the authentication steps. Make sure you're using a supported MFA method and that you've completed the MFA steps when creating your tokens.

Check the MFA Troubleshooting details in the Troubleshooting section for more information.

1. Perform a CPV Permissions Refresh:

   1. Navigate to Settings -> CIPP -> Application Settings

   2. Click on the Tenants tab.

   3. Click the blue refresh button in the "Actions" column for the relevant tenant.

2. Perform Permissions Check:

   1. Navigate to Settings -> CIPP -> Application Settings

   2. Select "Perform Permissions Check"

3. Conduct GDAP Check

   1. Navigate to CIPP -> Application Settings -> GDAP Check.

   2. After the Permissions Check, perform the GDAP check

4. Perform an Access Check:

   1. Navigate to CIPP -> Application Settings -> Access Check.

   2. Select the relevant tenant and click "Run access check".

Complete all checks for effective troubleshooting. If you still have issues or for detailed instructions, refer to theRefreshing a Specific Tenant's Permissions via CPV API page, the troubleshooting instructions page, and the relevant sections on our Error Codes page.

Sometimes when you are running a permissions check, you may encounter specific errors that you are missing some of the API permissions required for CIPP to perform as expected.

To ensure full functionality of CIPP, follow these steps to add the necessary API permissions:

1. Review the required permissions for the Secure Application Model registration:

   • Pay attention to the hint boxes on the page, which explain how to find APIs not listed under Graph.

2. Add any missing permissions in the App Registrations section of your Azure Portal.

   • Some permissions may appear duplicated in both Delegated and Application permissions tables. This is intentional; add both sets of permissions.

   • Some permissions come from other APIs besides Microsoft Graph. These are indicated by names in brackets (e.g., (WindowsDefenderATP)).

   • To add these permissions, go to "APIs my organization uses" instead of "Microsoft Graph." Look for the exact name in brackets to find and add the correct resource.

Note: These tasks must be executed in your own tenant, as authentication is performed using your credentials.

This error occurs because the user who authorized the CSP or Graph API connection has had their password changed, sessions revoked, or account disabled. Reauthorization is required.

To resolve this, execute the SAM Wizard with Option 2:

• Go to CIPP -> Application Settings -> SAM Setup Wizard.

• Select "I would like to refresh my token or replace the user I've used for my previous token."

Important: Ensure your browser allows cookies, disable any ad-blockers, and do not use in-private mode.

For more details, refer to:

• Troubleshooting guide

• SAM Wizard best practices

1. Perform a Permissions Check:

   • Go to CIPP -> Settings -> Permissions Check.

   • Click the Details button when it appears to see the username used for the SAM setup.

2. Ensure the Correct User:

   • The user needs to be in the GDAP groups and the AdminAgents group.

   • If the wrong user is used, go to CIPP -> SAM Setup Wizard.

   • Select "I would like to refresh my token or replace the user I've used for my previous token."

For more details, refer to the SAM Wizard best practices.

If there are issues with the GDAP relationship, follow these steps:

1. Check GDAP Relationships:

   • Go to Microsoft Partner Center.

   • Select the client you are testing with and look at the relationships.

2. Verify Access:

   • If you only see a relationship with "MLT_", you do not have write-access to the tenant.

   • If you see other relationships, click into them and check if the roles are mapped to groups.

3. Create Role Mapping:

   • If roles are not mapped, create the mapping by clicking the + icon.

   • Assign these groups to the CIPP service account.

4. Identify the CIPP Service Account:

   • Go to CIPP -> Application Settings -> Permission Check.

   • Click the Details button to find the CIPP service account.

This error may occur because the user is not in any of the GDAP groups. To resolve this:

1. Check Recommended GDAP Roles and Relationships:

   • Refer to the recommended GDAP roles and relationships document.

2. Perform a Tenant Access Check:

   • Go to CIPP -> Settings -> Tenant Access Check.

   • This will show you which roles might be missing.

For more details, refer to the permissions setup guide.

Please see the standard "Enable Usernames instead of pseudo anonymized names in reports" here

If you're experiencing issues with installation please report these in #cipp-issues on the CIPP Discord

If your Azure Tenant requires admin approval for user apps, add consent by following the below steps:

1. Go to Azure Enterprise Applications

2. Find Azure Static Websites

3. Grant Admin Consent for all

This permits users the ability to grant consent when access CIPP now.

No, CIPP's branding is compiled into the code. Additionally the branding isn't just a decorative feature, it plays a role in helping maintain visibility and community growth. However, a custom logo can be added to reports. This can be done in the User Settings page.

You can use our management portal to add or change a domain name. Follow these steps:

1. Set CNAME:

   • First, set any CNAME you want to use to your current portal domain.

   • For example, set "CIPP.MyMsp.com" to "Proud-Dolphin01928.azurewebsites.net".

2. Use the Management Portal:

   • After setting the CNAME, use the management portal to finish the setup and add it on the platform.

To find the correct AppID for CIPP:

1. Run a Permissions Check:

   • Go to CIPP -> Application Settings -> Permissions Check.

   • Click the Details button.

2. Locate the Correct AppID:

   • There will be a direct link to the application CIPP currently uses.

   • You can safely delete the other AppIDs.

For more details, refer to the permissions check guide.

To find the SAM App that CIPP is currently using, follow these steps:

1. Run a Permissions Check:

   • Go to CIPP -> Application Settings -> Permissions Check.

   • Click the Details button.

2. Locate the SAM App:

   • This will show you the user, IP, and a direct link to the application currently in use by CIPP.

To generate a HAR file while performing an action, follow these steps:

1. Open Chrome DevTools:

   • Right-click in the browser window or tab.

   • Select Inspect.

2. Capture Network Traffic:

   • Click the Network tab in the panel that appears.

3. Export the HAR File:

   • Click the download button (tooltip will say "Export HAR").

   • Name the file and click Save.

For more details, refer to the Chrome DevTools guide.

To invite a user, follow these steps:

1. Go to the CIPP Management Portal.

2. Ensure the UPN matches exactly with the user that is logged in.

3. The Management Portal returns a link. Distribute this link to the correct user.

For more details, refer to the roles setup guide.

1. Check for a Lighthouse License:

   • Ensure you have a Lighthouse license enabled by following the instructions here.

2. Check for a New EULA:

   • Go to Microsoft Lighthouse and check if there is a new EULA waiting for you to accept.

For more details, refer to the Lighthouse sign-up guide.

Q: How long does it typically take for new standards to be applied to a tenant?

A: It usually takes between 0 to 3 hours for new standards to be applied to a tenant. This timeframe depends on the scheduling of a cron job that automatically initiates the application of standards.

Q: Can I apply standards immediately instead of waiting for the cron job?

A: Yes, you can apply standards immediately by clicking the "Run Now" buttons located in the top right corner of the interface. This action bypasses the scheduled cron job and applies the standards right away.