Welcome to the BPA within CIPP! Your misconfiguration detective, uncovering compliance gaps and ensuring your Microsoft 365 tenants align with security and operational best practices.
BPA is currently on a deprecation path. While there is no current date for deprecation, the functionality will not be expanded. The testing engine in CIPP Dashboard v2 will replace the BPA.
The Best Practice Analyzer (BPA) is a tool within CIPP designed to help audit and improve Microsoft 365 environments. It provides a detailed framework for ensuring your setup is secure and compliant with industry and organizational standards.
At its core, the BPA is built to:
Assess Tenants Against Best Practices: Perform comprehensive audits to uncover misconfigurations or compliance risks.
Run on a Scheduled Basis: By default, it refreshes data once daily for accurate reporting.
Leverage CIPP Framework Standards: Use predefined, community-driven standards tailored to MSPs and IT professionals.
Provide Insight-Only Reports: BPA reports findings but leaves decision-making and changes to the administrator.
Navigate to: Tenant Administration > Standards > Best Practice Analyzer.
Run Initial Data Refresh: Select “Force Refresh All Data” if this is your first time displaying it.
To replicate the functionality of the "Force Refresh All Data" button, you can use the /api/ExecBPAAPI endpoint.
Note: Larger environments (e.g., 100+ tenants) may take ~15 minutes per run.
Pre-Built Reports
Use templates like CIPP Best Practices Table View for baseline compliance checks.
Custom Reports (Advanced)
Define custom reports to specify data sources, fields, and display formats.
For further details, check out the community guidance added to the Custom Reports page
The BPA uses a traffic-light system for quick, visual feedback:
🟥 Red: Critical issues demanding immediate attention (e.g., unprotected global admin accounts).
🟧 Orange: Warnings or recommendations—optional but strongly advised (e.g., enabling MFA for non-admin users).
🟩 Green: All good! Configuration aligns with best practices.
Partial Data?
Likely an issue with your Refresh Token.
Run the Access Check via: CIPP Settings > Configuration Settings > Tenant Access Check.
Slow Refresh Times?
Make sure permissions are correct. Navigate to:
CIPP Settings > Configuration Settings > Run Permission Check.
API Compatibility (Self-Hosted Only):
Ensure both CIPP-API and CIPP platform are up to date. The system logs (via the CIPP-API Function App) are your best friend for debugging.
Understand Execution Times: Forcing a refresh runs across your entire environment and may take some time. Use sparingly. Reports are refreshed nightly by default.
Permissions: Validate required permissions with Run Permission Check and troubleshoot invalid refresh tokens with Tenant Access Check.
We value your feedback and ideas. Please raise any feature requests on GitHub.
Last updated
Was this helpful?
Was this helpful?
