Frequently Asked Questions

On this page you can find a list of frequently asked questions about the CyberDrain Improved Partner Portal (CIPP). If you're having specific issues with CIPP please also check the Troubleshooting page.

I updated, but CIPP still says my frontend is out of date. How do I fix this?

SELF-HOSTED NOTE: Be sure to verify that your repo is actually up to date. Instructions for updating self-hosted CIPP can be found here.

CIPP-HOSTED NOTE: Updates can take several hours to roll out to all instances depending on how well Github and Azure are communicating at the time the release is pushed. If it's been more than 48 hours, follow these instructions and then reach out to CIPP's helpdesk if still not resolved.

CIPP v7 heavily relies on caching. Because of this it is necessary to clear your browser's cookies and cache to pull in the most up to date version of CIPP's frontend.

Chrome/Edge - Open Devtools (F12), right click on the refresh button, select "Empty cache and hard reset"
Firefox - Click the padlock in the URL bar and select "Clear cookies and site data..."

How much does CIPP cost to run?

Assuming you're running on the click-to-deploy configuration and average usage patterns it should cost $15 - $20 or £17 - £22 per month. You can check the costs, and estimated costs, for the resource group on the Azure Portal.

Please note it is your responsibility to ensure you are keeping an eye on costs within your instances.

How do we get new integrations?

We know, you love CIPP. You want everything to integrate with CIPP. Unfortunately, CIPP's business model doesn't allow us to take on the development, documentation, and help desk training to support every integration out there. In order for a vendor to integrate with CIPP, we need them to sponsor CIPP at the integration level.

Vendor sponsorship pays for that development, training, and support. If you have a vendor that you want to see integrated with CIPP, please reach out to your Account Manager at the vendor and let them know that you are interested.

Here's a couple of options for emails that you can send to licensing provider vendors. Modify these as you see fit for other vendors.

Email 1: You love CIPP and would switch distributors based on who we integrate with:

Hi,

I hope you're doing well! I'm reaching out to you today as I'm a user of a tool called CIPP(https://cipp.app). It has greatly enhanced my Microsoft 365 experience and is now our core tool when it comes to performing M365 management. 
We understand you might be having discussions with their team already, but we just want to amplify that our choice of distributor is dependant on which one integrates with CIPP

Regards,

Email 2: You love CIPP and would like your distributor to integrate

Hi,

I hope you're doing well! I'm reaching out to you today as I'm a user of a tool called CIPP(https://cipp.app). It has greatly enhanced my Microsoft 365 experience and is now our core tool when it comes to performing M365 management. 
We understand you might be having discussions with their team already, but we just want to amplify that our preference is to use CIPP to transact licenses.

Regards,

What should I do if I'm experiencing performance issues in CIPP?

Performance issues in CIPP are not expected. If your performance appears impacted, you can follow these steps to diagnose and resolve the issue:

Check Your Deployment Region:
- Ensure that you deployed to the nearest region. You can verify this at .
Clear Durable Queues:
- Go to your CIPP instance.
- Open the Application Settings menu.
- Click on "Maintenance".
- Select "Clear Durable Queues".
Purge Orchestrators:
- Click on "Purge Orchestrators".

For more information, refer to the .

If you are self-hosted, you will also want to ensure you have configured mode, which can help make sure your system is running efficiently on the backend.

If you have completed all of these, your instance may benefit from implementing function offloading. Refer to the .

CIPP runs slow when I first open it. How can I speed that up?

If users in your organization have not accessed CIPP in a while, the Static Web App will put itself into a sleep state to save on resource usage. It's normal to see an initial 15-20 second delay on the first results being called from the CIPP-API backend. This is sometimes known as a cold start.

If you want to avoid cold starts, it's possible to utilize the and an RPA such as CIPP sponsor Rewst to make a basic call to keep activity on the function app. A basic call to /getversion every 5 minutes will complete quickly and ensure that your function app stays in a warm state. It is recommended that you limit your RPA cron to only during expected business hours to limit the number of additional function app calls you are making.

Self-hosted clients should see minimal impact to their overall costs.

Can I add Conditional Access to my CIPP App?

To add Conditional Access to CIPP, follow the below steps:

Select which users to apply the policy to, default suggestion is "All Users"
Select Azure Static Web Apps as the included app under "Cloud Apps or actions"
Configure any condition you want. For example Trusted Locations, specific IPs, specific platforms.
At Access Controls you must enable Grant, with MFA access.
Select Save

Your app is now protected with Conditional Access.

I renamed a tenant. How do I get this to show up in CIPP?

Beginning with v7, CIPP relies on the tenant's name at the time a GDAP relationship was created. Much of the tenant naming and renaming API capabilities were deprecated. As such, it will no longer pull in live information if you rename a tenant through your Microsoft Partner Portal.

To have the new tenant name show up in CIPP:

I remediated an admin with no MFA, why is it still alerting?

The CIPP alert "Alert on admins without any form of MFA" is based on checking a report created by Microsoft. This report is only updated once every 7 days. As such, CIPP recommends only running this alert every 7 days. It's possible the user may still show up on the report after remediation if the report has not refreshed since you completed your remediation steps.

I'm getting an error that "you must use multi-factor authentication to access" what's going on?

Typically this error means you're using tokens that don't have a "strong auth claim" or similar. This could be because you're using non-Azure AD MFA or you didn't complete MFA when creating your tokens for one or more of the authentication steps. Make sure you're using a supported MFA method and that you've completed the MFA steps when creating your tokens.

What if I get errors during management my tenants in CIPP?

Perform a CPV Permissions Refresh:
1. Navigate to Settings -> CIPP -> Application Settings
2. Click on the Tenants tab.
3. Click the blue refresh button in the "Actions" column for the relevant tenant.
Perform Permissions Check:
1. Navigate to Settings -> CIPP -> Application Settings
2. Select "Perform Permissions Check"
Conduct GDAP Check
1. Navigate to CIPP -> Application Settings -> GDAP Check.
2. After the Permissions Check, perform the GDAP check
Perform an Access Check:
1. Navigate to CIPP -> Application Settings -> Access Check.
2. Select the relevant tenant and click "Run access check".

I'm getting missing permissions errors when performing the Permissions Check on my CIPP-SAM application. How can I fix this?

Sometimes when you are running a permissions check, you may encounter specific errors that you are missing some of the API permissions required for CIPP to perform as expected.

To ensure full functionality of CIPP, follow these steps to add the necessary API permissions:

- Pay attention to the hint boxes on the page, which explain how to find APIs not listed under Graph.
- Some permissions may appear duplicated in both Delegated and Application permissions tables. This is intentional; add both sets of permissions.
- Some permissions come from other APIs besides Microsoft Graph. These are indicated by names in brackets (e.g., (WindowsDefenderATP)).
- To add these permissions, go to "APIs my organization uses" instead of "Microsoft Graph." Look for the exact name in brackets to find and add the correct resource.

Note: These tasks must be executed in your own tenant, as authentication is performed using your credentials.

How can I resolve expired / revoked auth token errors or ensure the correct service account is used by CIPP?

This error occurs because the user who authorized the CSP or Graph API connection has had their password changed, sessions revoked, or account disabled. Reauthorization is required.

To resolve this, execute the SAM Wizard with Option 2:

Go to CIPP -> Application Settings -> SAM Setup Wizard.
Select "I would like to refresh my token or replace the user I've used for my previous token."

Important: Ensure your browser allows cookies, disable any ad-blockers, and do not use in-private mode.

For more details, refer to:

How do I resolve issues with the wrong CIPP-SAM user / Service Account?

Perform a Permissions Check:
- Go to CIPP -> Settings -> Permissions Check.
- Click the Details button when it appears to see the username used for the SAM setup.
Ensure the Correct User:
- The user needs to be in the GDAP groups and the AdminAgents group.
- If the wrong user is used, go to CIPP -> SAM Setup Wizard.
- Select "I would like to refresh my token or replace the user I've used for my previous token."

How do I troubleshoot GDAP relationship issues in the partner portal?

If there are issues with the GDAP relationship, follow these steps:

Check GDAP Relationships:
- Select the client you are testing with and look at the relationships.
Verify Access:
- If you only see a relationship with "MLT_", you do not have write-access to the tenant.
- If you see other relationships, click into them and check if the roles are mapped to groups.
Create Role Mapping:
- If roles are not mapped, create the mapping by clicking the + icon.
- Assign these groups to the CIPP service account.
Identify the CIPP Service Account:
- Go to CIPP -> Application Settings -> Permission Check.
- Click the Details button to find the CIPP service account.

How do I resolve a missing GDAP permission error?

This error may occur because the user is not in any of the GDAP groups. To resolve this:

Check Recommended GDAP Roles and Relationships:
Perform a Tenant Access Check:
- Go to CIPP -> Settings -> Tenant Access Check.
- This will show you which roles might be missing.

Does CIPP require a specific license?

No, CIPP can work with any M365 license, for specific features CIPP will of course the tenant to be licensed correctly; e.g. to manage Intune, the tenant must have Intune Licensing.

My usernames or sites are GUIDs or blank?

Why can't I install CIPP using the "Deploy to Azure" button?

My tenant requires admin approval for user apps, how do I do this for CIPP?

If your Azure Tenant requires admin approval for user apps, add consent by following the below steps:

Find Azure Static Websites
Grant Admin Consent for all

This permits users the ability to grant consent when access CIPP now.

Can I replace the default branding with my own in CIPP?

No, CIPP's branding is compiled into the code. Additionally the branding isn't just a decorative feature, it plays a role in helping maintain visibility and community growth.

How can I add or change a domain name using the CIPP management portal?

You can use our management portal to add or change a domain name. Follow these steps:

Set CNAME:
- First, set any CNAME you want to use to your current portal domain.
- For example, set "CIPP.MyMsp.com" to "Proud-Dolphin01928.azurewebsites.net".
Use the Management Portal:

How do I find the correct AppID for CIPP?

To find the correct AppID for CIPP:

Run a Permissions Check:
- Go to CIPP -> Application Settings -> Permissions Check.
- Click the Details button.
Locate the Correct AppID:
- There will be a direct link to the application CIPP currently uses.
- You can safely delete the other AppIDs.

How do I find the SAM App that CIPP is currently using?

To find the SAM App that CIPP is currently using, follow these steps:

Run a Permissions Check:
- Go to CIPP -> Application Settings -> Permissions Check.
- Click the Details button.
Locate the SAM App:
- This will show you the user, IP, and a direct link to the application currently in use by CIPP.

Helpdesk asked me to generate a HAR file in Google Chrome. How do I do that?

To generate a HAR file while performing an action, follow these steps:

Open Chrome DevTools:
- Right-click in the browser window or tab.
- Select Inspect.
Capture Network Traffic:
- Click the Network tab in the panel that appears.
Export the HAR File:
- Click the download button (tooltip will say "Export HAR").
- Name the file and click Save.

Check for Lighthouse

Check for a Lighthouse License:
Check for a New EULA:

Applying New Standards to a Tenant

Q: How long does it typically take for new standards to be applied to a tenant?

A: It usually takes between 0 to 3 hours for new standards to be applied to a tenant. This timeframe depends on the scheduling of a cron job that automatically initiates the application of standards.

Q: Can I apply standards immediately instead of waiting for the cron job?

A: Yes, you can apply standards immediately by clicking the "Run Now" buttons located in the top right corner of the interface. This action bypasses the scheduled cron job and applies the standards right away.

Does editing the tenant display name in CIPP only affect what is shown in CIPP?

No, CIPP reflects the tenant name set in the Microsoft Partner Center. When a tenant is added to CIPP, its name is pulled from the Partner Center once. If the name changes in the Partner Center, CIPP does not automatically update it.

To refresh the tenant name in CIPP:

Go to Application Settings > Tenant.
Select the tenant and delete it.
Clear the tenant cache and wait for the system to refresh the data from the Partner Center.

This ensures the display name in CIPP matches the current name in the Partner Center.

When trying to onboarding a GDAP relationship, I received an error that only x amount of groups were found, or that the group is not assigned to a user. What does this mean?

This error can mean two things;

You migrated using different tools, such as Microsoft Lighthouse.
You didn't assign the groups to the user after migrating.

Make sure you assign the correct groups to the CIPP service account. For more information see our best practices here.

I've already setup my GDAP relationships, and given them access to a Global Administrator role. Can I still auto-extend these after their expiration?

Auto Extend is only available for relationships without the Global Administrator role. If your relationship contains the Global Administrator role you cannot enable this feature. This means that you will need to renew the relationship by reinviting the tenant every 2 years.

Troubleshooting CIPP-API Updating and Action Workflow Issues

If your CIPP-API isn't updating, start by checking the Actions tab in your repository for a workflow named _master*.yml.

My GitHub personal access token expired and I'm not sure what to do?

You don't need to do anything. The personal access token was only needed for initial deployment.

PreviousRefreshing a Specific Tenant's Permissions via CPV API NextI Got a "Potential Phishing page detected" Alert. What Do I Do With That?

Last updated 24 days ago

Was this helpful?