1 of 100

CIPP User Documentation

CIPP Documentation

Welcome to the CyberDrain Improved Partner Portal (CIPP) User Documentation

Introduction

Welcome to the CIPP User Documentation! CIPP (pronounced "sip") is the CyberDrain Improved Partner Portal, a powerful Microsoft 365 multi-tenant management system designed to help MSPs streamline their clients' Microsoft 365 administration tasks. Created by Kelvin Tegelaar in 2021, CIPP aims to fill the gaps left by existing multi-tenant management solutions, making it easy and efficient to manage multiple clients from one centralized portal experience.

CIPP consists of two main components: the CIPP UI and the CIPP API. The frontend is built using React and Core UI, while the API is built with PowerShell. The system leverages Azure Functions and Azure Static Web Apps to provide a fast, responsive, and maintainable solution.

Key Features

Central User Management: CIPP offers a simple user management interface, making it easy to add, edit, and delete users, offboard users, change calendar permissions, manage shared mailboxes, and more.
Easy Standardization: Deploy standards across your entire client base, ensuring tenants are always in the desired state. CIPP's alerting and best practices features help you provide the best experience for your clients.
Secure and Report: CIPP includes industry best-practice standards and integrations, allowing you to report on everything in your M365 tenants and secure your customers' environments.

Documentation Components

The documentation is organized into the following components:

Setup Documentation: This section covers the initial setup process of deploying your own instance of CIPP, including system requirements, installation, and configuration.
User Documentation: Here, you'll find detailed guides and tutorials on how to use the CIPP platform once it's been deployed to manage your clients' Microsoft 365 tenants.
Developer Documentation: If you're looking to extend the functionality of CIPP or integrate it with other tools and services, the Developer Documentation provides API documentation, custom scripting, and other advanced topics for developers.

In addition to the core documentation components, we also provide a Troubleshooting Guide and an FAQ section to help you quickly resolve common issues and find answers to frequently asked questions.

CIPP is an open-source project, and we encourage users to review the code and contribute to its ongoing development. For more information about the project, its contributors, and funding, please refer to the documentation in the relevant sections.

We hope this documentation serves as a valuable resource as you explore and utilize the CyberDrain Improved Partner Portal. If you have any questions or need further assistance, please don't hesitate to check us out in discord.

Our Sponsors

Setup

Setting Up CIPP

Prerequisites

This page covers everything you need before installing CIPP on your own infrastructure.

If you choose to sponsor and use the CyberDrain hosted version, you can skip over these steps, and jump over to Sponsor Quick Start guide for further direction.

To get started you must follow or have the following ready. Click on the links for instructions on how to perform some of these tasks, or for more information on the functionality in question.

Microsoft Tenant Requirements

Multi-Tenant Mode: A Microsoft Partner account with your clients’ tenants added. If you’re an MSP managing multiple tenants, this is essential for CIPP to function across them.

GitHub Forks

Fork each repository into your own GitHub organization so you can push updates, track changes, and deploy under your namespace.

CIPP Frontend Fork: GitHub Repo
CIPP API Fork: GitHub Repo

Azure Subscription

You’ll need an active Azure Subscription where your CIPP resources (Function Apps, Static Web Apps, Key Vault, etc.) will live. If you’re new to Azure, check out Azure’s free trial or confirm your existing subscription’s permissions

GitHub Personal Access Token

CIPP uses Azure Static Web Apps (SWA) to deploy from GitHub. You’ll need a PAT (Personal Access Token) with relevant repo permissions. For instructions, see Microsoft’s Create a GitHub Personal Access Token.

(Optional) Microsoft 365 Lighthouse License

Recommended for MSP Usage: A Microsoft 365 Lighthouse license is needed to access various API endpoints used in CIPP but CIPP will function without it.
If you buy a Lighthouse license purely for CIPP, remember to accept the EULA in the Lighthouse portal to activate it.

Azure Expertise (Assumed)

For the installation and maintenance of CIPP, we assume you’re comfortable with:

Azure Functions: Learn more
Azure Static Web Apps: Learn more
Azure Key Vault: Learn more
Azure Cost Management: Learn more
Azure Storage (Tables, Blobs, Files): Learn more

The linked resources above will help you understand the Azure services CIPP depends on that you will be required to configure and maintain. If you’re missing any of these skills, we suggest reviewing these before proceeding. Proper knowledge ensures a smooth deployment and ongoing maintenance.

GitHub Expertise (Assumed)

For the installation and maintenance of CIPP, understanding how to manage a GitHub repository and app deployment is crucial for the ongoing performance of CIPP. The issues that you can run into with app deployment and updates can be quite numerous and not being familiar with how to troubleshoot those issues can cause you to have your application fail to update. Of course, if you get stuck you can ask in #cipp-community-help in Discord.

You’re Ready for Installation Once you’ve checked off these prerequisites, move on to the next page to set up your self-hosted instance. Happy CIPPing!

Setup Automatic API Updates

Whenever you push changes to the chosen branch, the Function App updates itself automatically if you follow this guide.

If you choose to sponsor and use the CyberDrain hosted version, you can skip over these steps and jump over to our Sponsor Quick Start guide for further direction.

Connect to GitHub for Continuous Deployment

If you want your Function App to auto-update whenever you commit to your CIPP-API fork, follow these steps:

Still in the Function App settings, go to Deployment Center (sometimes under Deployment → Deployment Center).

If an existing CI/CD connection is configured, Disconnect it to avoid conflicts.

Under Source, select GitHub, then log in if prompted.

Choose your Organization, Repository, and Branch (where your CIPP - ${\color{red}API}$ code lives).

Leave “Workflow Option” set to “Add a workflow” (the default).

For Authentication Type, pick “Basic Authentication.” (Azure portal doesn’t support Identity-based auth yet.)

Click Add a workflow, then Save.

Repeat this for any additional function apps you may have deployed for Function Offloading.

Your Function App will now be automatically updated pull directly from your GitHub fork whenever you pull the latest version of the CIPP-API repository.

Migrating to Hosted CIPP

When you start a CIPP sponsorship, you can either:

Continue self-hosting and receive support for that setup, or
Use the version hosted by CyberDrain (fully managed).

If you decide to migrate from a self-hosted instance to our hosted environment, follow these steps:

1. Back Up Your Self-Hosted Instance

Log In to your self-hosted CIPP instance.

Go to Application Settings → click Run Backup.

Download the generated backup file.

Store this file in a safe location (it contains all your CIPP config).

2. Deploy Your Hosted Instance

Go to CIPP's Management Portal and log in with the GitHub account you used to sponsor.

Deploy your hosted CIPP instance by filling out the required information.

Accept the initial invite and log into the newly created hosted environment.

3. Transfer Your Key Vault Secrets

Return to your self-hosted instance → Application Settings → Backend.

Click Go to Keyvault. Keep this tab open.

In your hosted instance, open the SAM Setup Wizard.

Select “I have an existing application and would like to manually enter my tokens.”

Copy each value from your self-hosted Key Vault (step 2) into the corresponding fields in your hosted environment.

Click Next to finish the wizard.

4. Restore Your Backup

In your hosted CIPP instance, navigate to Application Settings → Restore Backup.

Upload the backup file you downloaded in Step 1.

Wait for the restore to complete—CIPP will import your original configuration and data.

5. (Optional) Custom Domain Cleanup

If you used a custom domain on your self-hosted instance, remove it there first so you can reuse it in the hosted environment.
In the Management Portal, add your custom domain to the hosted CIPP instance following the on-screen instructions.

That’s It!

Your instance and settings now live in the fully managed, CyberDrain-hosted version of CIPP.

Congratulations on a smooth migration! Enjoy your new, hosted CIPP with automatic updates and support.

Self-hosted API Setup

For users running CIPP in their own Azure environment.

This step is optional for anyone who deployed after v7.1.x. If you are coming from v7.1.x or earlier, your Function App identity needs the "Contributor" role assigned to itself. You can do this manually, or with the PowerShell Role Assignment script. Both options are described below.

Assign the “Contributor” Role to the Function App

If you're self-hosting and running your own Azure Function App, you'll need to grant it proper access:

Go to .

Open the resource group hosting CIPP.

Select the Function App (not an offloaded app).

Navigate to Access control (IAM) > + Add > Add role assignment.

Click on Privileged administrator roles.

Choose:

Role: Contributor
Assign access to: User, group, or service principal
Select: The CIPP Function App identity

The Contributor role should allow the identity to create and manage all types of Azure resources but does not allow them to grant access to others.

In the Select field and type cipp. As you begin typing, the list of options will narrow, and you should see the Managed Identity for your Function App.

Click Save.

PowerShell Role Assignment (Alternative)

You can also use Azure Cloud Shell:

Once configured, head over to the Integration page in your CIPP UI.

Configuring CIPP

Getting started with setting up the CyberDrain Improved Partner Portal

Introduction

This section of the documentation will walk you through the process of setting up the CyberDrain Improved Partner Portal (CIPP) to manage your clients' tenants efficiently.

CIPP is a powerful Microsoft 365 multitenant management system that will allow you to deploy standard properties across all your tenants, easily manage everything from a single portal, and keep your managed environments in the best shape.

How will you be planning to use CIPP?

Depending on how you will deploy the software will determine where you will want to start.

Self-Hosted Instance: If you are planning on forking and hosting CIPP in your own Azure environment, you will want to start on the page.
Hosted Sponsor Instance: If you are planning on sponsoring the CIPP project and having us host your instance for you, you can skip the "Self-hosting guide" and start configuration of CIPP by clicking next.

Conditional Access Configuration

Setup your Conditional Access policies for CIPP.

To make sure CIPP is able to access your tenants securely we recommend the usage of Conditional Access. Both your, and your clients Conditional Access Policies will need to be configured for optimal usage.

Setup of Your Conditional Access Policies

Open Azure

Browse to the Conditional Access Policies blade in Azure.

Edit Existing Conditional Access Policies

Exclude the CIPP service account from each existing policy, this way we have a dedicated policy for the CIPP service account

Create CIPP Specific Policy

Create a new policy and include the CIPP user. Enforce Azure Multi-Factor Authentication for each logon (set sign in frequency under session to every time) and for all cloud applications. Do not add any exclusions or trusted locations.

If you have trusted locations under the classic MFA portal you must always remove those.

Save this policy under the name "CIPP Service Account Conditional Access Policy"

Setup of Clients' Conditional Access Policies

GDAP is affected by your clients' conditional access policies. To make sure you can access your clients using your CIPP integration user we recommend excluding the MSP from the Conditional Access Policy per Microsoft's Documentation

Open Azure

Browse to your client's Conditional Access Policies blade in Azure.

Edit Conditional Access Policies

For each policy listed. Add an exclusion to "Users and Groups" with the following settings:

Guest or external users
Service Provider Users
Selected
Enter your tenant ID. If you do not know what your tenant ID is, you can look this up here.

If you have any Microsoft-Managed Conditional Access policies showing up in your client tenants, these are an indication from Microsoft that they do not feel that your client's tenant meets minimum security posture. These policies cannot be deleted but they can be cloned and then disabled.

Optional: If you are running in Direct Tenant mode, exclude the CIPP service account for this tenant instead of the tenant exclusion.

Executing the Setup Wizard

This guide walks you through the process of executing the Setup Wizard inside CIPP for the first time. The Setup Wizard presents you with multiple options. If this is your first setup, choose the "First Setup" option.

Getting Started with the CIPP Setup Wizard

The First Setup option is designed for initial configuration. It guides you through essential steps to prepare CIPP and connect your tenants.

Begin Setup Click on "First Setup" to start the configuration process.
Application Registration On this page, you’ll create the necessary Application Registration in your Microsoft 365 environment. This application is used to manage tenant connections.
- Click Authenticate and follow the on-screen instructions to register the application.
- Important: Use the dedicated CIPP service account created during the preparation steps.
Tenant Configuration Choose how you want to connect your tenants. Even if you’re not a Microsoft Partner, we strongly recommend selecting "Connect to Partner Tenant" first. This allows CIPP to manage credentials and application permissions effectively.
- You can also add tenants individually, outside your partner relationship. These tenants show up in the table directly below, and can be removed if you accidentally authenticated the wrong tenant.
- For these separate tenants, use a service account with equivalent permissions as the partner tenant. More information on these roles can be found under
Select Baselines Choose from a list of available configuration baselines. These presets help you quickly apply best practices and policies.
- We recommend selecting the CyberDrain Templates for the most optimized standard configurations, and receiving templates and examples on how to utilize standards.
Configure Notifications Set up email notifications on the next page.
- Ensure your service account has a mailbox enabled to support email alerts. This can either be a shared mailbox
- You can test notification delivery directly from this screen.
Optional Features The final step presents a list of optional features you can enable to further enhance CIPP’s functionality. Review and configure these as needed.

Tenant Onboarding

Overview

The GDAP Invite Wizard simplifies setting up GDAP relationships with your clients by assigning the correct roles and ensuring the CIPP-SAM application is correctly configured for each tenant. To get started with generating GDAP invites inside CIPP, navigate to Tenant Administration -> GDAP Management and follow the instructions below.

Wizard Steps

Step 1: Click on Add Tenant

To get started, we click the "Add Tenant" button. The overview page shows you your current GDAP configuration

Step 2: Generate CIPP Default Template

If you have never used the CIPP before, you will have the option to generate the CIPP Defaults Template. This template allows you to create the optimal role configuration for CIPP. If you do not create this template, you will need to create your own.

This option will create 12 new groups in your Azure AD if they do not exist and add the CIPP user to them. These groups will be mapped to the GDAP role referenced. For more information on which roles will have groups created for them, you can check out the page.

Step 3: Select GDAP Role Template and generate invites

Choose the role template to use from the list of role templates, and choose the amount of invites you'd like to generate. You can use this to generate the exact amount of invites for tenants you'd like to onboard.

Post-Invite Actions

After submission, you will see as many rows as invites you've requested, with two URLs in a table:

Invite Link: This URL is for the Global Administrator in your client tenant to accept the invite.
Onboarding Link: This URL is to be used by a CIPP admin to complete the onboarding process. It should not be used under a client account.

Role Management Considerations

Any additional users who need access to your Microsoft CSP Tenants via the admin portals must be manually added to the relevant security groups. These groups start with "M365 GDAP".

Adding a Custom Domain Name

Custom domain

Hosted Clients

Hosted clients can use the backend management system at to add a domain

Adding a Custom Domain Name

Why setup a custom domain?

The automatically generated domain uses azurewebsites.net which is often blocked by web filtering products as it's often used by spammers and phishing sites due to the ease of obtaining an azurewebsites.net subdomain.
Your bookmark stays the same if you redeploy.
Easier to communicate internally and looks better for your team.

At the moment of deployment, the application uses a generated domain name. To change this follow these instructions:

Go to CIPPs Settings menu
Click on 'Static Web app - Role Management'
Select Custom Domains. You can add your own domain name here.

For more information see Microsoft's documentation at

Implementing CIPP

Resources

Sponsor Quick Start

Welcome to your hosted instance of CIPP!

If you need assistance with or aren't comfortable navigating these requirements alone, take a look at our page, which offers a paid option for those who need a bit more hands on guidance with GDAP & CIPP deployment.

If you've started the sponsorship process and are ready to enhance your management of Microsoft 365 tenants with efficiency, this guide is designed to get you started.

Initial Sponsorship Actions

Subscription Activation: Start by signing up for the $99 subscription using your GitHub account on the page.
Welcome Email: Upon subscription, you will receive an email with detailed instructions to kickstart your deployment. This email will guide you to the for deployment steps.

Deployment & Service Account Creation

Configure CIPP Deployment: Login to your using the GitHub credentials you used to initiate the sponsorship. This is where you can kick off your deployment, add custom domain names, and begin inviting users into CIPP.
Service Account Creation: Follow the instructions carefully on the page to ensure there are no permission issues when connecting your tenants within CIPP in the subsequent steps.

Accessing CIPP & Executing SAM Wizard

Add Yourself to CIPP: On the page in your management portal, ensure you've invited your work account as an admin into your newly deployed instance to avoid 403 Forbidden errors during login. Further guidance can be found on the page.
Execute Setup Wizard: Follow the instructions on the page once logged into your CIPP instance using your newly invited account, NOT the service account. The service account is only used during specific configuration steps within the Setup Wizard.

Managing Client Relationships

Onboard Existing Relationships: If your GDAP relationships with clients are already configured and you do not need to create new invites, proceed to to start managing your clients immediately.
Establish New Relationships: If you need to establish new GDAP relationships for new clients, use the wizard to generate invites and complete the necessary actions to onboard the client to CIPP.

If you are unsure about whether your clients' environments are GDAP ready, or need more information about the process, continue to the page for more granular details & next steps.

User Documentation

Shared Features

Menu Bar

Display Mode

Clicking this toggle will switch the display mode for CIPP.

Available Display Modes

Light mode
Dark mode

Search

Use of the magnifying glass in the menu bar will pop open a search modal. You can use this feature to quickly locate a page within CIPP without having to navigate the sidebar menu.

Hitting "Ctrl + k" for Windows users or "Cmd + k" for Mac users will open the search modal for quick access.

Bookmarks

Clicking this icon will display pages that you have added to your bookmarks.

To add new bookmarks, hover your mouse over the page's entry in the side menu. You will see the same icon. Clicking the icon will shade in the icon and add the page to your boomarks.

User Preferences

The User Preferences page provides a tailored interface for users to manage and configure their individual settings related to general preferences, appearance, and offboarding defaults. This document outlines the functionalities available on the User Settings page.

General Settings

In this section, users can manage general settings related to their account and workspace:

Added Attributes when creating a new user: Users can select additional user object attributes that are available when creating a new user.
Default new user usage location: This setting allows users to specify the default user location when creating or editing a user.
Default Page Size: Set the default page size for tables across CIPP.
Menu Favourites: Set pages that will display in your favourites section.

Offboarding Defaults

This section provides you the ability to set offboarding defaults, this allows you to easily preselect your predefined offboarding preferences.

Actions

Save Settings: Save the modified settings for the individual user.
Save for All Users: If the user has admin privileges, they have the option to save the modified settings for all users within the tenant, this will overwrite all personal settings and be force on each full refresh of a page.

Developer Options

Enable TanStack Query Tools

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

Speed Dial

The CIPP speed dial contains easy access to quick links for help with CIPP. The speed dial is located in the lower right corner of your browser window:

Options

Option

Description

Keyboard Shortcuts

The table below outlines the keyboard shortcuts that have been enabled in CIPP.

Shortcut

Windows

Mac

Open Search

Ctrl + k

Cmd + k

Get Help

Have an error that you're unsure how to handle? Errors in most pages of CIPP will return with a Get Help button to the right of the text. Click the button and a new tab will open allowing you to search the documentation for additional information.

Note that not every Microsoft returned error will be included in the docs site. These can also have additional information available with a search of the internet/Microsoft documentation.

CIPP Dashboard

About the Dashboard which includes versions and quick links

The Home page provides a comprehensive overview of the current tenant's details and allows you to perform various actions related to the tenant and its resources.

The Home page includes the following sections:

Universal Search: This is a universal search bar that allows you to quickly find the information you need using Lighthouse. To utilize this search, you must have onboarded Lighthouse on your partner tenant.
Portals: Contains links to various Microsoft 365 administration centers.
Executive Report: Create an Executive Report with key metrics to help guide your conversations with your clients around Microsoft tenant security and setup. These can be custom branded by going to .
Current Tenant: Displays various details about the current tenant:
- Tenant Name
- Tenant ID
- Default Domain
- AD Sync Enabled
- Users: Total, Licensed, Guests and Global Admins. Note: The chart names are clickable.
- Standards set: Shows the applied Remediation, Alert and Report standards set.
- SharePoint Quota
- Domain Names
- Partner Relationships
- Tenant Capabilities

Identity Management

Administration

Bulk Add

This wizard will allow you to bulk create new users.

Tenant Selection

Select the tenant that you'd like to create the users in. This will default to the tenant you have picked in the menu bar.

User Selection

There is an example CSV on the User Selection step of the wizard that you can use to speed up larger bulk creation tasks. Alternatively, you can add individual rows one by one by pressing the "Add Item" action just above the table prior to moving to Step 3.

Extra Options

Here, you can set the Usage Location and assign any available licenses to the users.

Confirmation

Review this page to ensure that you have entered everything in prior steps before hitting Submit.

Invite Guest

This page will allow you to add a guest user. Enter the user's "Display Name", "E-mail Address", and an optional "Redirect URL". Toggle the "Send invite via e-mail" option on if you'd like the guest user to receive a Microsoft generated invite e-mail.

Compromise Remediation

Single pane of glass review of common Indicators of Compromise (IoC)

Upon page load, CIPP will run an analysis on the user to identify common Indicators of Compromise (IoC). Once that analysis is returned, review the information presented and determine if the user has been compromised. The analysis performs the checks listed in the table below. A green check will indicate that information was found for the check and needs review.

Note: This page is intended to surface information about potential information that should be reviewed when a compromise is suspected. The existence of information in one of the indicators should not be interpreted as an absolute sign of compromise but rather as a useful tool to help quickly surface the basic information that should be reviewed during your investigation.

Indicators of Compromise Checks

Check

Description

Where to Dig Deeper?

Actions

Action

Description

Risky Users

This page lists the tenant's risky users. Here, you can review the information associated with the risk detection.

Table Columns

The properties returned are for the Graph resource type riskyUser. For more information on the properties please see the .

Table Actions

Action

Description

Bulk Action Available

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

Edit Group

Page Buttons

View Members/Edit Membership - This will toggle the page to display a table of the current group membership or show the edit membership and properties view.

Edit Membership & Properties

Group Properties

Display Name
Description
Mail Nickname

Add Members

Add Members
Add Owners
Add Contacts

Remove Members

Remove Members
Remove Owners
Remove Contacts

Group Settings

Let people outside the organization email the group - If selected, it allows external senders to send emails to the group.
Send Copies of team emails and events to team members inboxes - If selected, it enables sending copies of team emails and events to the inboxes of team members.

Add Group Template

This page will allow you to create a group template for ease of deployment to your clients' tenants. Enter the group's "Display Name", "Description", and "Username" before selecting the radial for the group type you'd like to set.

Additional Group Type Settings

Group Type

Additional Settings

Dynamic Group Parameters: For Dynamic Groups, a text box for entering the dynamic group parameters syntax becomes available e.g.: (user.userPrincipalName -notContains "#EXT#@") -and (user.userType -ne "Guest").

Deploy Group Templates

Streamline group creation across multiple tenants in Microsoft 365

Overview

The Deploy Group Templates page provides an interface for creating and deploying group templates in Microsoft 365. This feature offers an easy and efficient way to manage group creation, allowing users to select from a list of pre-defined templates and apply them across chosen tenants.

This document provides a step-by-step guide on how to navigate and utilize the Deploy Group Templates page.

Tenant Choice

In this step, you choose the tenants for which you want to create the group. Each tenant has a displayName and defaultDomainName.

Choose Template

In this step, you can choose to apply one of the previously created templates or manually enter the group information. If you opt for a template, select it from the dropdown menu. The page will automatically populate the rest of the fields based on the chosen template.

However, you have the flexibility to adjust the options as needed:

Group Type: Select the type of group. Options include Dynamic Group, Security Group, Distribution Group, Azure Role Group, and Mail Enabled Security Group.
Group Display Name: Enter the name that will be displayed for the group.
Group Description: Provide a brief description of the group. This field is optional.
Group Username: Specify the username for the group.
Let people outside the organization email the group: Check this box if you want the group to be able to receive emails from outside the organization. This option is available only for Distribution Groups.
Membership Rule: If you chose Dynamic Group as the group type, you can specify the rule for membership here.

Remember, the options presented depend on the Group Type selected. For instance, the "Membership Rule" field only appears if you select "Dynamic Group" as the Group Type.

For more details on these settings, please refer to Group Templates.

Review and Confirm

In this step, you review your input and confirm to apply. The application sends a POST request to the AddGroup endpoint listed below with your input as values.

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Edit Group Template

This page allows you to adjust the settings for your group template.

Devices

This page will present a tenant's Entra devices in a table.

Column Details

The properties returned are for the Graph resource type device. For more information on the properties please see the Graph documentation.

Table Actions

Action

Description

Bulk Action Available

Enable Device

Enables the device to be logged in with tenant credentials

Disable Device

Disables the device from being logged in with tenant credentials

Retrieve BitLocker Keys

Pulls BitLocker keys stored in Entra ID

Delete Device

Deletes the device from Entra ID

More Info

Opens the "Extended Info" flyout

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Deleted Items

Lists all deleted users, groups and applications in the tenant

Shows deleted items in the tenant. What else did you expect? Monkeys? 🐒

Available Deleted Item Types

Application
Group
User

Column Details

The table will show some basic default information regarding the deleted object. The full list of columns available represent the Graph resource type , , and .

Table Actions

Action

Description

Bulk Action Available

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

Roles

Explore and review members for M365 roles

Overview

The Roles page provides a comprehensive list of all Microsoft 365 roles such as Billing Administrator, Global Administrator, etc. It offers the ability to view members associated with each role. This capability promotes efficiency and transparency in managing role assignments.

Column Details

The properties returned are for the Graph resource type directoryRole. For more information on the properties please see the . Additionally, CIPP will include a column outlining who is a member of each role.

Table Actions

Action / Feature

Description

Bulk Action Available

Considerations

While navigating the Roles page, please consider the following:

Tenant Selection: This page does not yet support the "All Tenants" overview. Please use the tenant selector to view roles specific to a selected tenant.
Scope of Roles: This page displays Microsoft 365 admin roles only. Exchange, Azure IAM, and Purview rights are outside the scope of this area.

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

JIT Admin

Ensure temporary admin accounts aren't left active. CIPP lets you create accounts with specific roles as needed and easily removes them automatically when no longer required. JIT Admin accounts will be displayed in the table.

Column Details

Column

Description

GUID of the user

Display Name

Display name of the JIT admin user

User Principal Name

UPN of the JIT admin user

Account Enabled

Boolean for if the account is enabled

Jit Admin Enabled

Boolean for if the JIT admin roles are enabled

Jit Admin Expiration

Expiration of the JIT admin

Member Of - Display Name

Display name of the admin role(s) the user is a part of

Member Of - Id

GUID of the admin role(s) the user is a part of

This table doesn't utilize a per-row Actions column like many of the other tables introduced with CIPP v7.

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Add JIT Admin

This page allows you to create a new JIT admin

Option

Description

To use Temporary Access Passes (TAP), you must enable the authentication method in the customer tenant. This can be done easily via the CIPP Entra : "Enable Temporary Access Passwords"

Reports

Reports available within CIPP - Identity Management

MFA Report

Multi-Factor Authentication Status Report

Introduction

This report provides an overview of the Multi-Factor Authentication (MFA) status for all users within the tenant. It's a combination of the built in Entra MFA report, and getting the Per User MFA state and combining them for a complete picture.

Note: To utilize the Entra MFA report part of this report, the tenant must be licensed for Entra P1 or higher. Per-User MFA status will still function even if the tenant isn't licensed.

MFA Protection Criteria

A user must have at least one checkmark in any of the following categories to be protected by MFA:

Per-User MFA: This means MFA is enabled directly on a per-user basis. It ensures that any sign-in attempt by the user is subjected to MFA verification.
Covered by Security Defaults (SD): This indicates that the user is protected by default security settings, automatically enabling and enforcing usage of MFA, when Microsoft deems a sign-in as risky.
Covered by Conditional Access (CA): In this case, MFA is enabled through Conditional Access policies which might require MFA based on conditions like user location, device compliance, etc.

Detailed User MFA Status

The report lists every user in the tenant and provides detailed information about their MFA status, including:

Whether MFA is enabled and enforced through Per-User MFA settings.
If the user is safeguarded by Security Defaults that enforce MFA.
Whether Conditional Access policies require MFA for the user.
If the user is capable of using MFA.
The MFA methods the user has setup.

For tenants with over 250 user accounts, the Per User MFA status might appear as blank or null due to API throttling. In such cases, it could indicate any of the following states: disabled, enabled, or enforced.

This table doesn't utilize a per-row Actions column like many of the other tables introduced with CIPP v7.

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Sign-in Report

This page will list sign-ins from the past seven days.

Note that this page requires Entra ID Premium (P1/P2) licensing to pull this information.

Table Columns

The properties returned are for the Graph resource type signIn. For more information on the properties please see the .

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

AAD Connect Report

This page will output a table showing the status of Entra ID Connect syncing.

Table Columns

Column

Description

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

Risk Detections

This page will display the risk detections for the selected tenant or AllTenants

Table Columns

The properties returned are for the Graph resource type riskDetection. For more information on the properties please see the .

Table Actions

Action

Description

Bulk Action Available

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

Tenant Administration

Administration

Tenants

View and manage your Microsoft 365 CSP tenants.

When you select one of the portal links, the permissions of the currently logged in user are the ones that matter. They need permission to access the portal in question either by virtue of direct administrative roles or the Admin Agent/Helpdesk Agent role in Partner Center.

The Tenant page provides the ability for you to jump to the specific tenant administration centers for that client using your individual partner tenant user credentials. Allowing you to administer that specific tenant.

Tenants are cached for 24 hours. By using the Clear Tenant Cache button in Application Settings, you are able to reload the tenants from the partner center immediately. Remember to also clear your browser cache.

Table Details

Fields

Description

Name

The tenant name.

Default Domain

The tenant's default domain.

The page also features several columns which contain links to the different Microsoft 365 administration centers for the tenant.

Table Actions

Bulk Action Available

Edit Tenant

Opens a page to edit the tenant alias and manage tenant group membership.

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Edit Tenant

This page allows you to edit some basic information about a tenant. The following tabs have information that you can manage:

General

Tenant Details

This includes basic tenant details like the Display Name and Tenant ID pulled from your GDAP contract with the client.

Properties

Here you can view/edit a custom alias for the tenant. This alias will currently only populate in the tenant dropdown in the menu bar. You can also manage the tenant's CIPP group membership.

Custom Variables

This tab presents a way to manage Global Variableson a per-tenant basis. For example, you need to set a client's RMM site ID.

Tenant Groups

This page allows you to view and manage your custom tenant groups. Groups can be used in easily including similar tenants in your Standards.

Action Buttons

Table Details

Column

Description

Table Actions

Action

Description

Bulk Action Available

Add Tenant Group

This page will allow you to create a new tenant group. Set the Group Name, Group Description, and initial tenants to add to the group.

Edit Tenant Group

This page allows you to modify the tenant group's information such as Group Name, Group Description, and make bulk changes to the group membership.

Alert Configuration

This page displays all current configured Audit Log and Scripted Alerts for CIPP. It also allows you to remove alert rules.

Action Buttons

Table Details

Column

Description

Table Actions

Action

Description

Bulk Action Available

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

Audit Logs

View captured Audit Logs from the Alerts Wizard.

CIPP saves Audit Logs when an alert matches the rules defined in your Alert Configuration.

Search Options

Select a time range in the Search Options to find Audit Log entries. Use the table filter to narrow down the results to what you are looking for.

Table Details

This will output a combined table of the various audit log alert entries that CIPP has collected. The table columns will vary based on the alert data structures.

Table Actions

Action

Description

Bulk Action Available

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

View Audit Log

This page will output a structured view of the audit log entry selected from the Audit Logs page.

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Applications

This page shows all the enterprise applications that are available in the tenant. This can for example be very helpful when trying to identify SAM applications from previous MSPs.

To do this, first clear the filter and then select the All-non-Microsoft Enterprise Apps filter. If not done in this order, the filter will not work as expected.

Table Details

The properties returned are for the Graph resource type servicePrincipal. For more information on the properties please see the .

Table Actions

Action

Description

Bulk Action Available

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

App Registrations

This table will show all app registrations in the tenant.

Table Details

The properties returned are for the Graph resource type application. For more information on the properties please see the .

Table Actions

Action

Description

Bulk Action Available

Edit Permission Set

This page will allow you to edit the permission set's settings.

Templates

This page will contain your application appoval templates.

Action Buttons

Table Details

This table will include basic information on the template name, app id, app name, and permission set for your created templates.

Table Actions

Action

Description

Bulk Action Available

Add App Approval Template

This page will allow you to create an approval template for a multi-tenant application. Set the template name, application to deploy, and the permission set.

As a prerequisite, you must first create a permissions template. See the documentation on .

Name the Template

Select the Application to Deploy

This drop down will only display applications with a sign in audience set to multi-tenancy.

Select the previously created Permission Set

Click "Create Template"

You can now deploy the application with the permissions template in or .

Edit App Approval Template

This page will allow you to edit the settings for your app approval template

Secure Score

This page provides an overview of the Secure Score of the tenant. The default page view is with each secure score component displayed as a card.

Card Actions

Action

Description

Change Status

Opens a modal that allows you to change the status of the score component

Remediate

Will launch the appropriate Microsoft portal or recommended CIPP standard to remediate this score component.

Updates

Displays a chart of updates to the score since CIPP started tracking

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Authentication Methods

Shows the status of the authentication methods for the tenant.

Table Details

The properties returned are for the Graph resource type authenticationMethodsPolicy. For more information on the properties please see the .

Table Actions

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

Partner Relationships

This page shows all the relationships that the selected tenant(s) have.

Table Details

The properties returned are for the Graph resource type crossTenantAccessPolicyConfigurationPartner. For more information on the properties please see the .

This table is view only.

Feature Requests / Ideas

We value your feedback and ideas. Please raise any on GitHub.

GDAP Management

Features

Overview

A chart showing a high-level view of your GDAP statistics including number of relationships, number of mapped admin roles, number of role templates, and pending invites.

Add a Tenant Button

Will launch the wizard.

GDAP Setup

A guided process to ensure that you have set up GDAP according to best practices to include mapping admin roles, creating role templates, creating invites, and setup completed.

GDAP Check

A tool to be used in troubleshooting for any failed issues with onboarding relationships, etc.

Relationship Summary

This page will allow you to view details about a particular GDAP relationship.

GDAP Relationships Summary Page

The GDAP (Granular Delegated Admin Privileges) relationships summary page provides an overview of a particular relationship. It displays details like the relationship status and assigned admin roles, helping manage and audit access efficiently.

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Role Mappings

This page shows all the roles and what security group in the partner tenant that are available to be mapped to a GDAP relationship via CIPP.

To create new mappings, click the Map GDAP Rolesbutton.

Table Details

Column

Description

Role Name

The name of the GDAP role associated with the mapping

Group Name

The name of the Entra ID security group residing in your partner tenant associated with the mapping

Table Actions

Bulk Action Available

Add to Template

Delete Mapping

Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.

Map GDAP Roles

This page will allow you to map the GDAP roles to a group in your partner tenant. The default is that the group will be created with the format of "M365 GDAP RoleName". You can optionally create your own group suffix if you have a need to map the same role to multiple groups (e.g. you use different group templates to provide different access by department, etc.).

Click "Add CIPP Default Roles" to automatically add the 15 recommended roles from the page.

Certain roles may not be compatible with GDAP. See the on GDAP role guidance. Unsupported roles are not available in CIPP to prevent random errors due to these roles being added to relationships.

The Company Administrator role is a highly privileged role that should be used with caution. GDAP Relationships with this role will not be eligible for auto-extend.

Updating Versions

Keeping CIPP up-to-date ensures you have the latest features, security patches, and bug fixes.

Note (Hosted / Sponsored Clients) If you’re using a CyberDrain-hosted instance of CIPP, updates happen automatically—generally within 48 hours of a new release. You can safely skip the rest of this page; however, it is important to perform a permissions check via CIPP > Application Settings > Permissions to ensure any newly added permissions are accounted for via an automated Permissions Repair in v7+.

Update your self-hosted CIPP instance to the latest release using the following instructions:

Note (Self-Hosted Clients Updating from v6 or earlier)

A few more steps are required to upgrade versions 6 to 7. See the for v7.0.1 and review the steps in below for how to successfully update in these scenarios.

1. Sync Your Fork(s) in GitHub

For typical updates (e.g., moving from any v7+ patch releases):

Open Your CIPP Fork

Go to your fork of the CIPP repo on GitHub.
Click Sync fork (or sometimes Fetch upstream).
Choose Update branch—be careful not to discard any commits.

IMPORTANT: If prompted with a question asking "Do you want to Discard (X) Commits" or "Update Branch", ensure you click on "Update Branch" AND DO NOT PRESS DISCARD

Repeat for CIPP-API

Do the same steps in your CIPP-API fork so both the front-end and API stay in sync.

Wait for Deployment

If you’ve connected your Azure Function App to GitHub Actions (), the updates should roll out automatically within about 30 minutes.
Check your Azure Logs or GitHub Actions to confirm a successful deployment

Clear Browser Cache

If you see an older version in your browser, try a Hard Refresh: open DevTools (F12), then right-click the refresh icon beside the URL bar and select Hard reload and empty cache.

Permissions Check

Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.

2. Updating from v6 (or Older) to v7+

The v7 front-end introduced a Next.js + Material-UI stack, so older forks might need an extra step:

If your "Sync fork" options button presents you with an error that there are conflicts that must be resolved, skip to .

Check Your Workflow File(s)

In your CIPP repo, open:
Look for filenames starting with azure-static-web-apps (e.g., azure-static-web-apps-main.yml).
Important: If you discarded commits previously, you might not see such a file at all—or it might be renamed.

Set the output_location to "/out" (If Missing)

In older v7 instructions, we had to manually change:
to:
However, newer versions of the workflow may already include "/out". Double-check your file before making changes.

Commit and Redeploy

After editing, commit directly to your main branch.
A GitHub Actions run should trigger automatically, building and redeploying the Static Web App.

Wait & Verify

Give Azure a few minutes to pick up changes. Check the Actions tab or the Azure Logs for success.
Clear your cache or try a different browser to confirm the new version is live.

Permissions Check

Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.

3. Updating from v6 (or Older) to v7+ (Merge Conflicts)

In many cases, there are so many changes to the repo that GitHub doesn't know how to properly merge your repo with the upstream repo. Follow these instructions to get your branch to update.

Locate your workflow file

In your CIPP repo, open:
Look for filenames starting with azure-static-web-apps (e.g., azure-static-web-apps-main.yml).
Open this file in a new browser tab.

Discard Commits

Return to your main repo view
Click "Sync fork"
Click "Discard XXX commits"

Recreate Workflow File

In your CIPP repo, open:
Click "Add file" in the top right of the page
Select "Create new file"
Name the file the same as the azure-static-web-apps file open in your other browser tab
Copy the contents of the file in your other tab to the new file

Resume with Step 2 from

“I Accidentally Discarded Changes” (The Common GitHub Pitfall)

If you accidentally chose Discard (X) Commits while syncing your fork, you might have lost the original azure-static-web-apps workflow file. This often leads to:

“No changes to commit” messages,
A stuck or outdated front-end version,
Confusion about missing .yml files.

Recreate the Workflow File

If you're comfortable with GitHub, the easiest way to ensure you have the appropriate values for your token is to review your Actions tab on your CIPP repo for the most recent successfully run update. The contents of your old workflow file will be found by clicking "Workflow file" in the left side column of the Build and Deploy task. You'll still need to ensure the /out changes have been made to the file.

Check Repository Secrets

In your CIPP fork, go to Settings → Secrets and variables → Actions.
Note the name of your Azure Static Web Apps deployment token (e.g., AZURE_STATIC_WEB_APPS_API_TOKEN_SOMENAME_12345).

Create a New .yml in .github/workflows

The filename can be anything (azure-static-web-apps-fix.yml, deploy.yml, etc.)—just make sure it ends in .yml.
Use this example file as the contents

Update References to Your Secrets

In that new file, look for lines referencing the token (e.g., AZURE_STATIC_WEB_APPS_API_TOKEN_...).
Replace them with your token name from Step 1.

Commit

Once you commit, GitHub Actions should fire off a new build if the on: triggers are present (typically push or pull_request).
Check the Actions tab to see if it’s running.

Confirm Deployment

After the workflow succeeds, your Static Web App should serve the updated version.
If you still see the old UI, do a Hard Refresh (Open DevTools, then Right Click Refresh Button) or wait up to 30 minutes for Azure’s distribution/CDN to update

Permissions Check

Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.

Done & Dusted

At this point, your CIPP front-end and API should be updated to the latest release. Keep these key points in mind:

Never click “Discard Commits” when syncing.
Watch for the .github/workflows files if you suspect deployment issues.
Hard-refresh or wait for CDN caches to clear for a truly up-to-date view

Congratulations! You’re now up-to-date and ready to use the newest features.