# CIPP-API & MCP

{% hint style="warning" %}
Self-hosted clients, please see the [Self-hosted API Setup](/setup/maintaining-cipp/self-hosted-api-setup.md) page for how to set up and configure your API before proceeding with this page.

If you're using a **hosted CIPP instance**, you can follow the instructions below to set up and manage your API clients with no additional steps.
{% endhint %}

## **Creating an API Client (App Registration)**

1. Navigate to CIPP > Integrations and click on CIPP-API.
2. Creating an API client:
   1. If you need to create an API Client:
      1. Click on Actions > Create New Client.
      2. Fill out the form with the App Name.
   2. If you've already created an App Registration and would like to import it:
      1. Click on Actions > Add Existing Client.
      2. Select the API Client from the list.
   3. Ensure that you Enable the client in order to save it to the Function App authentication settings.
   4. Optionally set a custom role (see [Adding Users and Managing Roles](/setup/self-hosting-guide/roles.md#custom-roles)) and Allowed IP Ranges for additional security.
   5. Select if you want MCP Access Allowed for this client. Enabling MCP Access converts this client into the MCP resource app and it can no longer be used as a normal API client. Only one client per tenant can hold this role. See [#enable-the-mcp-feature](#enable-the-mcp-feature "mention") for more information.
   6. Submit the form to create the client. Remember to copy the Application secret to a secure location.
3. Once you have the API Client(s) configured, click Actions > Save Azure Configuration. This updates the Function App authentication settings with the new Client IDs.

{% hint style="info" %}
The IP Range list supports both IPv4 and IPv6 addresses as standalone IP addresses or in CIDR Notation (e.g. 12.34.56.78/24 or 1.1.1.1).
{% endhint %}
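
Before pasting an Allowed IP Ranges list into the form, it helps to see what each entry actually covers. The following is an added example, not part of CIPP: it assumes standard CIDR matching, uses constructed sample entries, and the `MIN_PREFIX` thresholds and function names are choices made for this illustration.

```python
import ipaddress

# Constructed sample entries in the two forms the hint describes, plus a typo.
SAMPLE_RANGES = ["12.34.56.78/24", "1.1.1.1", "2001:db8::/48", "0.0.0.0/0", "10.0.0.300"]

# Review thresholds chosen for this example (not CIPP limits): prefixes
# shorter than these are flagged as unusually broad for an API allow-list.
MIN_PREFIX = {4: 16, 6: 48}


def review_ranges(entries):
    """Return one dict per entry: normalized network, size, and warnings."""
    report = []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=False accepts entries with host bits set (12.34.56.78/24).
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            report.append({"entry": entry, "network": None,
                           "addresses": 0, "warnings": [f"invalid: {exc}"]})
            continue
        warnings = []
        if ipaddress.ip_interface(entry).ip != net.network_address:
            warnings.append(f"host bits set; covers all of {net}")
        if net.prefixlen < MIN_PREFIX[net.version]:
            warnings.append(f"broad range (/{net.prefixlen})")
        report.append({"entry": entry, "network": str(net),
                       "addresses": net.num_addresses, "warnings": warnings})
    return report


def is_allowed(source_ip, entries):
    """True if source_ip falls inside any valid entry (standard CIDR match)."""
    addr = ipaddress.ip_address(source_ip)
    for item in review_ranges(entries):
        if item["network"] is None:
            continue
        net = ipaddress.ip_network(item["network"])
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    for item in review_ranges(SAMPLE_RANGES):
        print(item["entry"], "->", item["network"], item["addresses"], item["warnings"])
    print(is_allowed("12.34.56.200", SAMPLE_RANGES[:2]))
```

Under standard CIDR semantics, the hint's own `12.34.56.78/24` covers the whole `12.34.56.0/24` network (256 addresses), not the single host; use `/32` or the bare address when only one host should be allowed.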

{% hint style="info" %}
Custom Roles will limit which API endpoints each API Client can access. This can be used to limit all API calls to read only for example.
{% endhint %}

## Using an API Client

After creating your first API client, the page will update to include additional information that is necessary for your automation:

* Token URL: This URL is what you will need when authenticating your automation to your CIPP instance. See [Setup & Authentication](/api-documentation/setup-and-authentication.md) for more information.
* Tenant ID: This is the tenant ID of the tenant used to authenticate CIPP, where your CIPP service account lives. It may take 5-15 minutes to update after you create your first API client and press save.
* API URL: This will be the base URL required for all post-authenticated calls. Note that most automation tools will require you to append `/api` to this base URL for successful responses.

## **Disabling an API Client**

1. Navigate to CIPP > Integrations and click on CIPP-API.
2. Find the API client in the table and click on the 3 dots in the Actions column > Edit.
3. Flip the Enabled switch off and click Submit.
4. At the top of the page, go to Actions and click Save Azure Configuration.

## **Rotating Secrets**

1. Navigate to CIPP > Integrations and click on CIPP-API.
2. Find the API client in the table and click on the 3 dots in the Actions column > Reset Application Secret.
3. Copy the new Secret to a secure location.

## **Troubleshooting**

* If you are getting permission errors when creating an API Client, check the CIPP-SAM application to ensure the permissions listed in the error are added and consented by an admin.
* If you have multiple CIPP-SAM apps, use the [Permissions](/user-documentation/cipp/settings/permissions.md#permissions-check) check to figure out which one you're using.

{% hint style="info" %}
**Want to Build Against the API?**

For full authentication examples, usage patterns, and endpoint information, see the [Setup & Authentication](/api-documentation/setup-and-authentication.md) section within the API Documentation section.
{% endhint %}

## CIPP MCP

The CIPP MCP allows you to add CIPP to any AI you use and immediately talk to it in natural language. For example, you can ask "List all tenants with unassigned licenses" or "List all users for tenant MySpecialTenant.com". To set up the MCP, follow these instructions:

{% stepper %}
{% step %}

### Enable the MCP Feature

In CIPP: **CIPP → Application Settings → Features** → turn on **MCP Server**.
{% endstep %}

{% step %}

### Create the MCP API Client

Open the [CIPP-API & MCP](/user-documentation/cipp/integrations/cipp-api.md) page and **Create New Client** (or edit an existing one). Set:

| Field                  | Value                                                                                            |
| ---------------------- | ------------------------------------------------------------------------------------------------ |
| **Role**               | `Readonly` (recommended) — or a custom read role. This becomes what the AI can do.               |
| **IP range**           | `Any` — the connector calls in from Anthropic's servers, so you can't pin it to your office IPs. |
| **Enable this client** | On                                                                                               |
| **MCP Access Allowed** | **On**                                                                                           |

{% endstep %}

{% step %}

### Save to Azure

Click **Actions → Save to Azure**. This does all the Entra/Azure configuration for you automatically; however, you might need to add your specific MCP provider's authentication URL to your app. Do that as follows:

1. Open the [Azure portal](https://portal.azure.com/) → **Microsoft Entra ID** → **App registrations**.
2. Select **All applications** and open your MCP client app — the one you flagged *MCP Access Allowed* (search by its name, or by its Application/Client ID).
3. Go to **Authentication**.
4. Under **Platform configurations**, click **Add a platform → Web** (or use the existing **Web** platform if one is already listed).
5. Under **Redirect URIs**, add your provider's callback URL (for Claude: `https://claude.ai/api/mcp/auth_callback`), then **Configure / Save**.

The instance restarts — give it up to \~60 seconds before connecting.
{% endstep %}

{% step %}

### Add the Connector in Your LLM

To add the MCP to your LLM, follow the instructions provided by the LLM provider. In most cases you'll need to enter your **CIPP API URL and OAuth credentials**. These credentials are the ID and secret returned to you by the setup.

The URL used is `https://<your-cipp-api-url>/api/ExecMCP`.

Click **Connect**. You'll be redirected to your normal Microsoft / CIPP sign-in — log in and approve. Your LLM completes the connection and CIPP's read tools appear.

{% hint style="info" %}
Every AI has a slightly different setup. Please reference the docs for your provider on how to connect the CIPP MCP tooling. Alternatively, ask your AI directly how to connect to the MCP with a prompt like: `Read the CIPP MCP setup instructions at https://docs.cipp.app/user-documentation/cipp/integrations/cipp-api#cipp-mcp and walk me through how to set up and configure the CIPP MCP integration with my AI. Give me the steps in order, include the exact field values I need to set, the redirect/callback URL, and the format of the ExecMCP endpoint URL. Note anything I have to copy and store securely.`
{% endhint %}
{% endstep %}

{% step %}

### Verify

Ask your AI something like:

> *Using CIPP, list all my tenants.*

If tools show up and return data, you're done.
{% endstep %}
{% endstepper %}

***

## Feature Requests / Ideas

We value your feedback and ideas. Please raise any [feature requests](https://github.com/KelvinTegelaar/CIPP/issues/new?template=feature.yml) on GitHub.

