Welcome to the CyberDrain Improved Partner Portal (CIPP) User Documentation
Welcome to the CIPP User Documentation! CIPP (pronounced "sip") is the CyberDrain Improved Partner Portal, a powerful Microsoft 365 multi-tenant management system designed to help MSPs streamline their clients' Microsoft 365 administration tasks. Created by Kelvin Tegelaar in 2021, CIPP aims to fill the gaps left by existing multi-tenant management solutions, making it easy and efficient to manage multiple clients from one centralized portal experience.
CIPP consists of two main components: the CIPP UI and the CIPP API. The frontend is built using React and Core UI, while the API is built with PowerShell. The system leverages Azure Functions and Azure Static Web Apps to provide a fast, responsive, and maintainable solution.
Central User Management: CIPP offers a simple user management interface, making it easy to add, edit, and delete users, offboard users, change calendar permissions, manage shared mailboxes, and more.
Easy Standardization: Deploy standards across your entire client base, ensuring tenants are always in the desired state. CIPP's alerting and best practices features help you provide the best experience for your clients.
Secure and Report: CIPP includes industry best-practice standards and integrations, allowing you to report on everything in your M365 tenants and secure your customers' environments.
The documentation is organized into the following components:
Setup Documentation: This section covers the initial setup process of deploying your own instance of CIPP, including system requirements, installation, and configuration.
User Documentation: Here, you'll find detailed guides and tutorials on how to use the CIPP platform once it's been deployed to manage your clients' Microsoft 365 tenants.
Developer Documentation: If you're looking to extend the functionality of CIPP or integrate it with other tools and services, the Developer Documentation provides API documentation, custom scripting, and other advanced topics for developers.
In addition to the core documentation components, we also provide a Troubleshooting Guide and an FAQ section to help you quickly resolve common issues and find answers to frequently asked questions.
CIPP is an open-source project, and we encourage users to review the code and contribute to its ongoing development. For more information about the project, its contributors, and funding, please refer to the documentation in the relevant sections.
We hope this documentation serves as a valuable resource as you explore and utilize the CyberDrain Improved Partner Portal. If you have any questions or need further assistance, please don't hesitate to check us out in .



Reports available within CIPP - Identity Management
The table below outlines the keyboard shortcuts that have been enabled in CIPP.
Open Search
Ctrl + k
Cmd + k
Have an error that you're unsure how to handle? Errors in most pages of CIPP will return with a Get Help button to the right of the text. Click the button and a new tab will open allowing you to search the documentation for additional information.
Getting started with setting up the CyberDrain Improved Partner Portal
This section of the documentation will walk you through the process of setting up the CyberDrain Improved Partner Portal (CIPP) to manage your clients' tenants efficiently.
CIPP is a powerful Microsoft 365 multitenant management system that will allow you to deploy standard properties across all your tenants, easily manage everything from a single portal, and keep your managed environments in the best shape.
This will allow you to add a guest user. Enter the user's "Display Name", "E-mail Address", and an optional "Redirect URL". Toggle the "Send invite via e-mail" option on if you'd like the guest user to receive a Microsoft generated invite e-mail.
This page allows you to adjust the settings for your group template.
Clicking this icon will display pages that you have added to your bookmarks.
To add new bookmarks, hover your mouse over the page's entry in the side menu. You will see the same icon. Clicking the icon will shade in the icon and add the page to your bookmarks.
Use of the magnifying glass in the menu bar will pop open a search modal. You can use this feature to quickly locate a page within CIPP without having to navigate the sidebar menu. This search will only return pages that a user has permission to.
Hitting "Ctrl + k" for Windows users or "Cmd + k" for Mac users will open the search modal for quick access.
When typing in text fields, you can now type % and begin typing the name of the variable you want to use in the text field. This will bring up a dropdown that you can use to auto complete variable names. This ensures you always type the variable name exactly how you input it into settings.
Navigating the list is supported by the following hotkeys
How you plan to deploy the software determines where you should start.
Self-Hosted Instance: If you are planning on forking and hosting CIPP in your own Azure environment, you will want to start on the Prerequisites page.
Hosted Sponsor Instance: If you are planning on sponsoring the CIPP project and having us host your instance for you, you can skip the "Self-hosting guide" and start configuration of CIPP by clicking next.
This page will output a structured view of the audit log entry selected from the Audit Logs page.
We value your feedback and ideas. Please raise any feature requests on GitHub.
Arrow Down
Scrolls down in the list
Arrow Up
Scrolls up in the list
Tab or Enter
Accepts the selected variable in the list
Escape
Closes the autocomplete list
Custom domain
Why setup a custom domain?
The automatically generated domain uses azurewebsites.net which is often blocked by web filtering products as it's often used by spammers and phishing sites due to the ease of obtaining an azurewebsites.net subdomain.
Your bookmark stays the same if you redeploy.
Easier to communicate internally and looks better for your team.
At the moment of deployment, the application uses a generated domain name. To change this, follow these instructions:
Go to CIPP's Settings menu
Click on 'Static Web app - Role Management'
Select Custom Domains. You can add your own domain name here.
For more information see Microsoft's documentation at
Setup your Conditional Access policies for CIPP.
To make sure CIPP is able to access your tenants securely, we recommend the use of Conditional Access. Both your own and your clients' Conditional Access Policies will need to be configured for optimal usage.
GDAP is affected by your clients' conditional access policies. To make sure you can access your clients using your CIPP integration user we recommend excluding the MSP from the Conditional Access Policy per
Optional: If you are running in Direct Tenant mode, exclude the CIPP service account for this tenant instead of the tenant exclusion.
If you want to manage your own tenant or if you are not a Microsoft Partner but still want to use CIPP you can perform the setup and enable access to the partner tenant or enable Single Tenant Mode. The CIPP Service Account should be granted at least the Recommended Roles within the tenant being managed.
To manage the tenant mode, a user with the CIPP "superadmin" role will need to access the Tenant Mode page of the Super Admin settings.
Multi Tenant - GDAP mode
This is the default mode in CIPP, it does not allow access to the partner tenant.
Multi Tenant - Add Partner Tenant
This mode allows direct access to the partner tenant in addition to your customer tenants via GDAP. See the Limitations below for more details.
When using Single Tenant Mode, CIPP runs in a somewhat more limited state: you are not able to add any other tenant to CIPP, and it only works for the configured tenant. GDAP permissions will not apply, and you must directly assign roles such as Global Admin to the service account.
When using Partner Tenant Enabled mode, you can see your partner tenant inside of CIPP. No permissions are applied to restrict who can see and control this tenant.
It is highly recommended to use a custom role if multiple users have access to your CIPP instances. This can help ensure not all users have access to manage your partner tenant. If you do not, it's important to note that all your users will have access to edit/configure your partner tenant. Information on custom roles can be found .
GDAP permissions will not apply and you must directly assign roles to the service account in the Entra portal (e.g. User Administrator, Exchange Administrator, etc.).
Log in to CIPP with an account with the role superadmin. This role will allow you access to the menu to change this setting.
Go to the Application Settings menu
Go to the Super Admin tab
Select one of the three modes. The default mode is "Multi Tenant - GDAP Mode"
The GDAP Invite Wizard simplifies setting up GDAP relationships with your clients by assigning the correct roles and ensuring the CIPP-SAM application is correctly configured for each tenant. To get started with generating GDAP invites inside CIPP, navigate to Tenant Administration -> GDAP Management and follow the instructions below.
To get started, we click the "Add Tenant" button. The overview page shows you your current GDAP configuration
If you have never used CIPP before, you will have the option to generate the CIPP Defaults Template. This template creates the optimal role configuration for CIPP. If you do not create this template, you will need to create your own.
Choose the role template to use from the list of role templates, and choose the amount of invites you'd like to generate. You can use this to generate the exact amount of invites for tenants you'd like to onboard.
After submission, you will see as many rows as invites you've requested, with two URLs in a table:
Invite Link: This URL is for the Global Administrator in your client tenant to accept the invite.
Onboarding Link: This URL is to be used by a CIPP admin to complete the onboarding process. It should not be used under a client account.
Any additional users who need access to your Microsoft CSP Tenants via the admin portals must be manually added to the relevant security groups. These groups start with "M365 GDAP".
Whenever you push changes to the chosen branch, the Function App updates itself automatically if you follow this guide.
If you choose to sponsor and use the CyberDrain hosted version, you can skip over these steps and jump over to our Sponsor Quick Start guide for further direction.
If you want your Function App to auto-update whenever you commit to your CIPP-API fork, follow these steps:
Still in the Function App settings, go to Deployment Center (sometimes under Deployment → Deployment Center).
If an existing CI/CD connection is configured, Disconnect it to avoid conflicts.
Under Source, select GitHub
Your Function App will now automatically pull directly from your GitHub fork whenever you pull the latest version of the CIPP-API repository into it.
This page will allow you to create a group template for ease of deployment to your clients' tenants. Enter the group's "Display Name", "Description", and "Username" before selecting the radio button for the group type you'd like to set.
Azure Role Group
Dynamic Group Parameters: For Dynamic Groups, a text box for entering the dynamic group parameters syntax becomes available e.g.: (user.userPrincipalName -notContains "#EXT#@") -and (user.userType -ne "Guest").
View Members/Edit Membership - This will toggle the page to display a table of the current group membership or show the edit membership and properties view.
Display Name
Description
Mail Nickname
Add Members
Add Owners
Add Contacts
Remove Members
Remove Owners
Remove Contacts
Set group visibility to Public or Private
Let people outside the organization email the group - If selected, it allows external senders to send emails to the group.
Send Copies of team emails and events to team members inboxes - If selected, it enables sending copies of team emails and events to the inboxes of team members.
Hide group mailbox from Outlook - If selected, it will hide the mailbox from the Global Address List
Global variables are key-value pairs that can be used to store additional information for All Tenants. These are applied to templates in standards using the format %variablename%. If a tenant has a custom variable with the same name, the tenant's variable will take precedence.
These variables can be used in any type of template and will be replaced automatically.
Tenant custom variables can be set in the box, shown while editing a Tenant. Global variables are set on the Global Variables tab under Tenant Administration > Administration > Tenants.
Given the differences in how various systems treat the variable name, we recommend using all lowercase when naming variables, e.g. variablename.
The following variables will be automatically replaced by CIPP:
%initialdomain%
%tenantfilter%
%tenantid%
The following variables are reserved and will not be used:
%cippurl%
%cippuserschema%
%defaultdomain%
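As an added illustration of the substitution rules described above (this is example code written for this page, not CIPP's own implementation), the following Python function replaces %name% tokens in a template: tenant variables take precedence over global ones, names are compared in lowercase as the documentation recommends, the automatically filled names are supplied by the caller, reserved names are left untouched, and defining a variable under a reserved or automatic name is rejected. The sample scopes, the tenant domains and the values assumed for %initialdomain%, %tenantfilter% and %tenantid% are all constructed for the example; the real values CIPP fills in may differ.

```python
import re

# Constructed sample scopes (not CIPP's storage): keys are lowercase, as the
# documentation recommends.
GLOBAL_VARIABLES = {"helpdesk": "support@example.invalid", "msp": "Example MSP"}
TENANT_VARIABLES = {
    "contoso.onmicrosoft.com": {"helpdesk": "help@contoso.invalid"},
    "fabrikam.onmicrosoft.com": {},
}

# Names the page lists as filled in automatically by CIPP.
AUTO_VARIABLES = ("initialdomain", "tenantfilter", "tenantid")
# Names the page lists as reserved; they are never substituted here.
RESERVED_VARIABLES = ("cippurl", "cippuserschema", "defaultdomain")

# One %name% token; names are compared case-insensitively by lowercasing below.
VARIABLE_RE = re.compile(r"%([A-Za-z0-9_()]+)%")


def define_variable(store, name, value):
    """Store a variable under its lowercase name, rejecting names CIPP owns.
    Rejecting reserved/automatic names is an assumption of this example."""
    key = name.lower()
    if key in RESERVED_VARIABLES or key in AUTO_VARIABLES:
        raise ValueError(f"%{key}% is reserved and cannot be user-defined")
    store[key] = value
    return store


def resolve(name, tenant, auto_values, tenant_vars, global_vars):
    """Precedence: automatic values, then the tenant's own variable, then global.
    Returns None when the name is reserved or unknown (token is left as-is)."""
    key = name.lower()
    if key in RESERVED_VARIABLES:
        return None
    if key in auto_values:
        return auto_values[key]
    tenant_scope = tenant_vars.get(tenant, {})
    if key in tenant_scope:
        return tenant_scope[key]
    return global_vars.get(key)


def render_template(text, tenant, tenant_id,
                    tenant_vars=TENANT_VARIABLES, global_vars=GLOBAL_VARIABLES):
    """Replace every %name% in text for the given tenant.
    Assumed automatic values: initialdomain and tenantfilter = the tenant
    domain, tenantid = its GUID; CIPP's real values may differ."""
    auto_values = {"initialdomain": tenant, "tenantfilter": tenant, "tenantid": tenant_id}

    def replace(match):
        value = resolve(match.group(1), tenant, auto_values, tenant_vars, global_vars)
        return match.group(0) if value is None else value

    return VARIABLE_RE.sub(replace, text)


if __name__ == "__main__":
    print(render_template("Contact %helpdesk% (%msp%) for %initialdomain%",
                          "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000001"))
```

Unknown names are deliberately left in place rather than replaced with an empty string, so a typo in a template shows up visibly in the rendered output instead of silently disappearing.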
Explore and review members for M365 roles
The Roles page provides a comprehensive list of all Microsoft 365 roles such as Billing Administrator, Global Administrator, etc. It offers the ability to view members associated with each role. This capability promotes efficiency and transparency in managing role assignments.
The properties returned are for the Graph resource type directoryRole. For more information on the properties please see the . Additionally, CIPP will include a column outlining who is a member of each role.
While navigating the Roles page, please consider the following:
Tenant Selection: This page does not yet support the "All Tenants" overview. Please use the tenant selector to view roles specific to a selected tenant.
Scope of Roles: This page displays Microsoft 365 admin roles only. Exchange, Azure IAM, and Purview rights are outside the scope of this area.
This page will present a tenant's Entra devices in a table.
The properties returned are for the Graph resource type device. For more information on the properties please see the Graph documentation.
This page will allow you to edit the settings for your app approval template
This page allows you to modify the tenant group's information such as Group Name, Group Description, and make bulk changes to the group membership.
This page will allow you to edit the permission set's settings.
After a new update, when you first load CIPP the release notes will show up in a popup on your screen. You can also select prior releases to review. At the bottom you have three options:
View release notes on GitHub - takes you to GitHub to view the release notes
Remind me next time - Will open again the next time you load CIPP
Don't show until next release - Will suppress the notification until CIPP gets a version update
No, these aren't the breadcrumbs from one of the CyberDrain CTFs. Sorry to anyone experiencing any PTSD from your time in the trenches chasing those tasks.
Breadcrumb navigation appears at the top of CIPP just under the top menu bar. It shows you the path by which you arrived at a particular page. There are two different display modes for the breadcrumbs:
This mode will show you the menu hierarchy that allows you to arrive at the current page the same as if you had drilled down the left side menu.
This mode will show you the previous pages you clicked to get to your current page.
This wizard will allow you to bulk create new users.
An alternative way to display the Secure Score page.
Current Score
Compared Score (All Tenants)
Compared Score (Similar Tenants)
Score in Points
The properties returned are for the Graph resource type secureScoreControlProfile. For more information on the properties please see the .
CIPP will additionally add columns called "Action Url" and "Remediation" with additional information on how to take action on the score component. The "Remediation" column will indicate which CIPP Standard will complete the selected action.
This page will display all audit logs for Microsoft Entra ID.
The properties returned are for the Graph resource type directoryAudit. For more information on the properties please see the Graph documentation.
Welcome to your hosted instance of CIPP!
If you need assistance with or aren't comfortable navigating these requirements alone, take a look at our page, which offers a paid option for those who need a bit more hands on guidance with GDAP & CIPP deployment.
If you've started the sponsorship process and are ready to enhance your management of Microsoft 365 tenants with efficiency, this guide is designed to get you started.
This guide walks you through the process of executing the Setup Wizard inside CIPP for the first time. The Setup Wizard presents you with multiple options. If this is your first setup, choose the "First Setup" option.
The First Setup option is designed for initial configuration. It guides you through essential steps to prepare CIPP and connect your tenants.
Begin Setup
This page allows you to create a new JIT admin
View and manage your Microsoft 365 CSP tenants.
When you select one of the portal links, the permissions of the currently logged in user are the ones that matter. The user's GDAP permissions will apply, not the CIPP service account.
The Tenant page provides the ability for you to jump to the specific tenant administration centers for that client using your individual partner tenant user credentials, allowing you to administer that specific tenant.
Tenants are cached for 24 hours. By using the Clear Tenant Cache button in , you are able to reload the tenants from the partner center immediately. Remember to also clear your browser cache.
This page shows all the enterprise applications that are available in the tenant. This can for example be very helpful when trying to identify SAM applications from previous MSPs.
To do this, first clear the filter and then select the All-non-Microsoft Enterprise Apps filter. If not done in this order, the filter will not work as expected.
Manage scheduled tenant alerts.
CIPP offers a set of scheduled, recurring alert checks. Some of these duplicate Microsoft Alerts functionality in a more MSP-friendly manner and some are not available as a Microsoft Alert at this time. Similar to , you configure alerts using the wizard to select one or more tenants or -All Tenants- to apply alerts globally, then select from the list of available alerts.
Choose your Organization, Repository, and Branch (where your forked CIPP-API code lives).
Leave “Workflow Option” set to “Add a workflow” (the default).
For Authentication Type, pick “Basic Authentication.” (Azure portal doesn’t support Identity-based auth yet.)
Click Add a workflow, then Save.
Repeat this for any additional function apps you may have deployed for Function Offloading.
Application Registration
On this page, you’ll create the necessary Application Registration in your Microsoft 365 environment. This application is used to manage tenant connections.
Click Authenticate and follow the on-screen instructions to register the application.
Important: Use the dedicated CIPP service account created during the preparation steps.
Tenant Configuration
Choose how you want to connect your tenants. Even if you’re not a Microsoft Partner, we strongly recommend selecting "Connect to Partner Tenant" first. This allows CIPP to manage credentials and application permissions effectively.
You can also add tenants individually, outside your partner relationship. These tenants show up in the table directly below, and can be removed if you accidentally authenticated the wrong tenant.
For these separate tenants, use a service account with permissions equivalent to those used in the partner tenant. More information on these roles can be found under Recommended Roles.
Select Baselines
Choose from a list of available configuration baselines. These presets help you quickly apply best practices and policies.
We recommend selecting the CyberDrain Templates for the most optimized standard configurations, and receiving templates and examples on how to utilize standards.
Configure Notifications
Set up email notifications on the next page.
Ensure your service account has a mailbox enabled to support email alerts. This can either be a shared mailbox
You can test notification delivery directly from this screen.
Optional Features
The final step presents a list of optional features you can enable to further enhance CIPP’s functionality. Review and configure these as needed.
Note: To use the Entra MFA portion of this report, the tenant must be licensed for Entra P1 or higher. Per-User MFA status will still function even if the tenant isn't licensed.
A user must have at least one checkmark in any of the following categories to be protected by MFA:
Per-User MFA: This means MFA is enabled directly on a per-user basis. It ensures that any sign-in attempt by the user is subjected to MFA verification.
Covered by Security Defaults (SD): This indicates that the user is protected by default security settings, automatically enabling and enforcing usage of MFA, when Microsoft deems a sign-in as risky.
Covered by Conditional Access (CA): In this case, MFA is enabled through Conditional Access policies which might require MFA based on conditions like user location, device compliance, etc.
The report lists every user in the tenant and provides detailed information about their MFA status, including:
Whether MFA is enabled and enforced through Per-User MFA settings.
If the user is safeguarded by Security Defaults that enforce MFA.
Whether Conditional Access policies require MFA for the user.
If the user is capable of using MFA.
The MFA methods the user has set up.
For tenants with over 250 user accounts, the Per User MFA status might appear as blank or null due to API throttling. In such cases, it could indicate any of the following states: disabled, enabled, or enforced.
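To make the "at least one checkmark" rule and the throttling caveat concrete, here is an added example (written for this page, not CIPP's own report code) that classifies constructed report rows. A user with any of the three coverage flags set is protected; a user with no SD or CA coverage whose Per-User MFA column came back blank is reported as unknown rather than unprotected, because, as noted above, the blank value may hide an enabled or enforced state. The row layout and sample UPNs are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class MfaRow:
    """One row of the report. per_user_mfa is None when the API returned a
    blank/null value (the throttling case described for large tenants)."""
    upn: str
    per_user_mfa: Optional[bool]
    security_defaults: bool
    conditional_access: bool


def mfa_status(row: MfaRow) -> str:
    # Any one checkmark is enough for the user to count as protected.
    if row.per_user_mfa or row.security_defaults or row.conditional_access:
        return "protected"
    # No SD or CA coverage and the per-user column is blank: the per-user
    # state could still be enabled or enforced, so do not report it as a gap.
    if row.per_user_mfa is None:
        return "unknown"
    return "unprotected"


def triage(rows):
    """Group UPNs by status so the unprotected and unknown sets can be acted on."""
    groups = {"protected": [], "unprotected": [], "unknown": []}
    for row in rows:
        groups[mfa_status(row)].append(row.upn)
    return groups


# Constructed sample rows, not real report output.
SAMPLE_ROWS = [
    MfaRow("alice@contoso.invalid", True, False, False),   # per-user MFA
    MfaRow("bob@contoso.invalid", False, False, True),     # Conditional Access
    MfaRow("carol@contoso.invalid", False, False, False),  # no coverage at all
    MfaRow("dave@contoso.invalid", None, False, False),    # blank per-user column
    MfaRow("erin@contoso.invalid", None, True, False),     # blank, but SD covers
]

if __name__ == "__main__":
    for status, upns in triage(SAMPLE_ROWS).items():
        print(f"{status}: {', '.join(upns) or '-'}")
```

The "unknown" bucket is the one to re-check once the throttled values are available (or by re-running the report), so that a blank column is never silently read as "disabled".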
This table doesn't utilize a per-row Actions column like many of the other tables introduced with CIPP v7.
Certificate Authority Detail
Certificate Based Auth PKI
External User Profile
Group
Pending External User Profile
Service Principal
User
The table will show some basic default information regarding the deleted object. The full list of columns available represent the Graph resource type administrativeUnit, application, certificateAuthorityDetail, certificateBasedAuthPki, externalUserProfile, group, pendingExternalUserProfile, servicePrincipal, and user.
Restore Object
Restores the selected item(s)
Permanently Delete Object
Permanently deletes the selected item(s)
More Info
Displays the Extended Info flyout
Save this policy under the name "CIPP Service Account Conditional Access Policy"
For each policy listed, add an exclusion to "Users and Groups" with the following settings:
Guest or external users
Service Provider Users
Selected
Enter your tenant ID. If you do not know what your tenant ID is, you can look this up here.
If you have any Microsoft-Managed Conditional Access policies showing up in your client tenants, these are an indication from Microsoft that they do not feel that your client's tenant meets minimum security posture. These policies cannot be deleted but they can be cloned and then disabled.
Display Name
Display name of object
Created Date Time
Relative time since the object was created
On Premises Provisioning Errors
Any errors with syncing the object
Object Type
Type of the object
More Info
Displays the Extended Info flyout
Dismiss Risk
This action will mark the risk as dismissed.
Research Compromised Account
Opens the BEC investigation tab of the selected user
More Info
Opens the Extended Info flyout
Subscription Activation: Start by signing up for the $99 subscription using your GitHub account on the GitHub Sponsorship page.
Welcome Email: Upon subscription, you will receive an email with detailed instructions to kickstart your deployment. This email will guide you to the CIPP management portal for deployment steps.
Configure CIPP Deployment: Login to your management portal using the GitHub credentials you used to initiate the sponsorship. This is where you can kick off your deployment, add custom domain names, and begin inviting users into CIPP. NOTE: If you sponsor with an organization GitHub account, please send in a message to [email protected] with your personal GitHub username so that we can manually add that user to the portal. You cannot log in to the management portal with organization accounts.
Service Account Creation: Follow the instructions carefully on the Creating the CIPP Service Account page to ensure there are no permission issues when connecting your tenants within CIPP in the subsequent steps.
Add Yourself to CIPP: On the User Management page in your management portal, ensure you've invited your work account as an admin into your newly deployed instance to avoid 403 Forbidden errors during login. Further guidance can be found on the Adding Users and Managing Roles page.
Execute Setup Wizard: Follow the instructions on the Executing the Setup Wizard page once logged into your CIPP instance using your newly invited account, NOT the service account. The service account is only used during specific configuration steps within the Setup Wizard.
Onboard Existing Relationships: If your GDAP relationships with clients are already configured and you do not need to create new invites, proceed to Adding Tenants & Consenting the CIPP-SAM Application to start managing your clients immediately.
Establish New Relationships: If you need to establish new GDAP relationships for new clients, use the Tenant Onboarding wizard to generate invites and complete the necessary actions to onboard the client to CIPP.
Research Compromised Account
Launches the CIPP user page to research the compromise
More Info
Opens the Extended Info flyout
Name
The tenant name.
Default Domain
The tenant's default domain.
The page also features several columns which contain links to the different Microsoft 365 administration centers for the tenant.
Edit Tenant
Opens a page to edit the tenant alias and manage tenant group membership.
More Info
Opens the "Extended Info" flyout
Enable Device
Enables the device to be logged in with tenant credentials
Disable Device
Disables the device from being logged in with tenant credentials
Retrieve BitLocker Keys
Pulls BitLocker keys stored in Entra ID
Delete Device
Deletes the device from Entra ID
Display name of the JIT admin user
User Principal Name
UPN of the JIT admin user
Account Enabled
Boolean for if the account is enabled
Jit Admin Enabled
Boolean for if the JIT admin roles are enabled
Jit Admin Expiration
Expiration of the JIT admin
Member Of - Display Name
Display name of the admin role(s) the user is a part of
Member Of - Id
GUID of the admin role(s) the user is a part of
This table doesn't utilize a per-row Actions column like many of the other tables introduced with CIPP v7.
ID
GUID of the user
Display Name
Single Tenant - Own Tenant Mode
Use this mode if you would like to manage your own tenant and/or are not a Microsoft Partner. See the limitations below for more details.
Clear the tenant cache. Users of CIPP now have access to the CSP Partner tenant, or to the single tenant it's been configured for.
Security Enabled - Allows you to change the security enabled attribute of a Microsoft 365 group.
%tenantname%
%partnertenantid%
%programdata%
%programfiles%
%programfiles(x86)%
%samappid%
%serial%
%systemdrive%
%systemroot%
%temp%
%userdomain%
%username%
%userprofile%
%windir%
Select the Entra ID admin roles you want assigned to the user. Remember: use the principle of least privilege to assign only the role with the minimum set of permissions needed to complete your tasks. The roles are returned from the Microsoft API. If you are looking for Global Administrator, you need to select Company Administrator.
Reason
Enter the reason the JIT Admin is being requested. This will display on the table in
Generate TAP
Set this option to generate a Temporary Access Pass (TAP) to satisfy the need for strong authentication/MFA
Expiration Action
Select what you want to happen to the user at expiration of the JIT admin access requested.
Notification Action
Select the option or options for how you would like to be notified of JIT admin creation. Note that only options that are configured in CIPP settings will work.
To use Temporary Access Passes (TAP), you must enable the authentication method in the customer tenant. This can be done easily via the CIPP Entra Standards Templates: "Enable Temporary Access Passwords"
Tenant selection
Use the dropdown to select the tenant for JIT Admin access
User selection
Select if you would like to create a new user or use an existing user
Start Date
Sets the start date for JIT Admin access
End Date
Sets the end date and time for JIT Admin access
Roles
The UPN of the user or service
Operation
The action taken
Service
Where the action was taken
Audit Log Record Type
Client IP
More Info
Displays Extended Info flyout
Created Date Time
Relative time since the audit log record was created
User Principal Name
View App Registration
Opens the app registration in the Entra portal
View API Permissions
Opens the API permissions for the app registration in the Entra portal
Create Enterprise App Template (Multi-Tenant)
Creates a deployment template from the selected app registration. This will copy the app registration to the partner tenant if you are running this under a client tenant context.
Create Manifest Template (Single-Tenant)
Creates a deployment template from the selected app registration.
New Search
Opens a modal to allow you to create a new audit log search. Select the settings you desire on the search before clicking Confirm.
Display Name
The name of the search including the UTC timestamp the search was completed
Status
The success status of the search
Filter Start Date Time
The relative time of the start time of the search window
Filter End Date Time
The relative time of the end time of the search window
View Results
Process Logs
CIPP will review the log search results for any alerts that should be generated and send them to the method you have set in .
This button will launch Application Approval.
The properties returned are for the Graph resource type servicePrincipal. For more information on the properties please see the Graph documentation.
View Application
Opens the application in Entra ID
Create Template from App
Opens a modal to confirm you want to create a template from the selected application. This will create the associated permission set too.
Remove Password Credentials
Removes the password credentials from the selected enterprise application(s), if applicable
Remove Certificate Credentials
Removes the certificate credentials from the selected enterprise application(s), if applicable
We value your feedback and ideas. Please raise any feature requests on GitHub.
You can select between "Enterprise Application", "Gallery Template", or "Application Manifest".
Enterprise Application: Deploy existing multi-tenant apps from your tenant. Requires "Multiple organizations" or "Personal Microsoft accounts" in App Registration settings.
Gallery Template: Deploy pre-configured applications from Microsoft's Enterprise Application Gallery with standard permissions.
Application Manifest: Deploy custom applications using JSON manifests. For security, only single-tenant apps (AzureADMyOrg) are supported.
Select the Enterprise Application from the dropdown
This dropdown will only display applications with a sign in audience set to multi-tenancy.
Select the previously created permission set
As a prerequisite, you must first create a permissions template. See the documentation on .
Select the Gallery Template application from the dropdown
Paste your application manifest JSON here. Use the "" format.
For security reasons, signInAudience must be 'AzureADMyOrg' or not specified.
You can now deploy the application with the permissions template in Standards & Drift or Application Approval.
Within CIPP, there are two types of alerts:
Audit Log Alert - These alerts are based on Microsoft audit logs.
Scripted CIPP Alert - These alerts have been developed by CIPP to pull from sources other than the audit logs.
Audit Log Alerts - Processed in near real-time, but a small delay of up to 15 minutes is normal.
Scripted CIPP Alerts - Each alert comes with a default value suggested by the CIPP team, but you can adjust it as needed. The available timings are:
365 days / 1 year
30 days / 1 month
7 days / 1 week
1 day
4 hours
1 hour
30 minutes
Webhook - This will deliver a JSON payload to the webhook configured in Notifications.
PSA - This will deliver a formatted payload to the configured PSA in Notifications.
Email - This will deliver an HTML-formatted table to the email address provided in Notifications.
None
Security Group
None
Microsoft 365 Group
None
Dynamic Group
Dynamic Group Parameters (see below)
Dynamic Distribution Group
Dynamic Group Parameters (see below)
Distribution List
Let people outside the organization email the group - Allows the group to receive messages from both inside and outside the organization.
Mail Enabled Security Group
None
More Info
Opens up the Extended Info flyout
If you choose to sponsor and use the CyberDrain hosted version, you can skip over these steps and jump over to our Sponsor Quick Start guide for further direction.
Enabling automatic updates means that each time CIPP releases a new version, a pull request (PR) is created in your GitHub repository. You simply approve and merge this PR to get the newest changes, no manual forking or syncing required.
Go to .
Click Install (or Configure, if you’ve used Pull before).
Select your CIPP and CIPP-API repositories from the list.
pull_request Triggers in Your Existing Workflow
To avoid conflicts, you’ll remove the lines that automatically trigger GitHub Actions on pull requests in your azure-static-web-apps workflow file:
Open your CIPP repository in GitHub.
Navigate to the .github/workflows folder.
Find the file named something like azure-static-web-apps-xyz.yml. The name is derived from the Static Web App's auto-generated hostname (a few random words and a short hash); it does not contain your deployment token, which is stored as a repository secret.
Why Remove These Lines? They trigger the workflow whenever a PR is opened or updated—this can cause conflicts once Pull starts handling your updates, because you’ll end up with dueling triggers.
When a new version of CIPP is released:
Open your CIPP repository on GitHub.
Check the Pull Requests tab. You’ll see a new PR created by the Pull app.
Review the changes. This PR is the only checkpoint between upstream code and your deployment, so read the diff before merging.
That’s it! Your repository will now stay in sync with the latest CIPP releases by simply merging new pull requests from the Pull app.
Q: Do I need to remove pull_request triggers in both CIPP and CIPP-API repos?
A: Yes—if both repos have pull_request triggers in their .yml workflow files, remove them in each to avoid conflicts.
Q: What if I accidentally discard the Pull app’s PR?
A: You can always open the “Closed” Pull Requests and revert that action, or let Pull create a new one. Just make sure you haven’t re-added the pull_request lines.
Q: Will my Azure deployment automatically pick up changes after I merge the PR?
A: Yes—assuming your GitHub Actions workflow triggers on push to main, the Static Web App and Function App will redeploy within ~30 minutes.
Q: Do I still need to click “Sync Fork”?
A: No—once Pull is set up, you won’t need to manually sync. The Pull app auto-creates a PR whenever upstream changes are detected.
With Pull handling your repository’s updates, your self-hosted CIPP instance will stay current with minimal effort. Just watch for those PR notifications, merge them, and enjoy the latest features!
Single pane of glass review of common Indicators of Compromise (IoC)
Upon page load, CIPP will run an analysis on the user to identify common Indicators of Compromise (IoC). Once that analysis is returned, review the information presented and determine if the user has been compromised. The analysis performs the checks listed in the table below. A green check will indicate that information was found for the check and needs review.
Note: This page is intended to surface information that should be reviewed when a compromise is suspected. A result in one of the indicators is not an absolute sign of compromise; treat the page as a tool to quickly gather the basic information to examine during your investigation.
This guide will walk you through the process of setting up standards in CIPP. Follow these instructions to configure and run standards for your organization.
This guide walks you through setting up Standards in CIPP for the first time. It focuses on applying and managing standards to maintain security and compliance across your organization.
Navigate to Tenant Administration > Standards & Drift.
Here you'll be presented with a table of Standards templates and an action in the upper right to create new templates.
Each standard offers three options:
Report: Logs the current configuration in a Best Practices Report.
Alert: Sends you a notification via the configured method in CIPP -> Application Settings -> Notifications.
Remediate: Automatically applies the desired configuration.
Each standard includes:
A description of what it does.
An impact label (Low, Medium, High) to indicate user impact.
Review these details to ensure changes align with your needs.
Some standards require settings, like custom text fields or dropdown selections.
Enter the required values to customize the standard.
Standards are grouped by categories, like security, compliance, or usability.
There are over 150 standards, with more added regularly.
Use templates for consistent configurations across clients.
Examples include templates for Intune, Exchange, and Conditional Access
Exclude specific tenants from All Tenants standards to:
Prevent global standards from applying.
Allow custom standards for that tenant only.
Templates reapply every 3 hours, maintaining the desired state.
If changes are made by admins, they are automatically reverted to match the template.
Update a template once, and all linked tenants will receive the changes.
Use the Run Template Now options from the Actions menus.
Apply standards immediately to:
A specific tenant: choose the Currently Selected Tenant option, which targets the tenant chosen in the Tenant Selector.
All tenants in the template at once: choose the All Tenants option.
Standards automatically reapply settings every 3 hours for consistency.
Categories and templates simplify management across multiple tenants.
Customization and manual runs give you flexibility to meet tenant-specific needs.
By following these steps, you’ll ensure your M365 tenants remain secure, consistent, and compliant with minimal manual effort.
The tenant selector at the top of CIPP allows you to control the currently managed tenant. Any changes to the tenant selector will reload the currently shown data to the one of the selected tenant.
The Tenant Selector has a building-icon button that shows the current tenant's details. Clicking it lets you view the following information directly from any page:
You can also use this page to jump to the most common portals or actions
Actions
Manage Tenant - Opens
M365 Portal
Exchange Portal
Entra Portal
For users running CIPP in their own Azure environment.
This step is optional for anyone who deployed after v7.1.x. If you are coming from v7.1.x or earlier, your Function App's managed identity needs the "Contributor" role on the resource group hosting CIPP. You can do this manually, or with the PowerShell Role Assignment script. Both options are described below.
If you're self-hosting and running your own Azure Function App, you'll need to grant it proper access:
Go to .
Open the resource group hosting CIPP.
Select the Function App (not an offloaded app).
You can also use Azure Cloud Shell:
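The following is an added example, not CIPP's own Role Assignment script, showing the Cloud Shell (Az module) equivalent of the manual IAM steps: look up the Function App's system-assigned managed identity and grant it Contributor on the CIPP resource group only. The resource group and Function App names are assumptions; substitute your own.

```powershell
# Added example, not CIPP code. Run in Azure Cloud Shell (PowerShell) where the
# Az.Websites, Az.Resources modules are preinstalled and you are already signed in.
function Grant-CippFunctionAppContributor {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$FunctionAppName   # the main Function App, not an offloaded one
    )
    # Function Apps are Web App resources, so Get-AzWebApp returns their identity block.
    $app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $FunctionAppName
    $principalId = $app.Identity.PrincipalId
    if (-not $principalId) {
        throw "'$FunctionAppName' has no system-assigned managed identity; enable it under Identity first."
    }

    # Scope the grant to the resource group, never the subscription: Contributor at
    # subscription scope would let a compromised CIPP modify unrelated resources.
    $scope = (Get-AzResourceGroup -Name $ResourceGroupName).ResourceId

    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope `
        -RoleDefinitionName 'Contributor' -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Contributor is already assigned to $principalId at $scope"
        return $existing
    }
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Contributor' -Scope $scope
}

# Assumed names; replace with the resource group and Function App from the portal.
Grant-CippFunctionAppContributor -ResourceGroupName 'rg-cipp' -FunctionAppName 'cipp-api-funcapp'
```

Role assignments can take a few minutes to propagate, so wait before testing from the Integration page. Running the function twice is safe: it checks for an existing assignment before creating one.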
Once configured, head over to the Integration page in your CIPP UI.
Interact with Microsoft 365 groups.
The Groups page is equivalent to Microsoft 365 admin center > Active teams and groups. It offers an overview of all groups within the organization and allows users to manage group details and memberships.
Show/Hide Members - This will toggle if the page displays a column to show the membership of the group. You may need to select the column to show from the table's column selector also.
The properties returned are for the Graph resource type group. For more information on the properties please see the .
These actions and information are available in the flyout menu when you click the ellipsis button in the "Actions" column:
This page covers everything you need before installing CIPP on your own infrastructure.
If you choose to sponsor and use the CyberDrain hosted version, you can skip over these steps, and jump over to Sponsor Quick Start guide for further direction.
To get started you must follow or have the following ready. Click on the links for instructions on how to perform some of these tasks, or for more information on the functionality in question.
Installing and maintaining CIPP requires you to manage a GitHub repository and an app deployment. Problems with deployment and updates are common, and if you are not comfortable troubleshooting them your instance may fail to update. If you get stuck, ask in #cipp-community-help on Discord.
You’re Ready for Installation
Once you’ve checked off these prerequisites, move on to the next page to set up your self-hosted instance. Happy CIPPing!
On this page you will enter all of the necessary information to create a group.
Display Name
Set the display name that you want visible for this group
Description
Set the description for the group
Username
Set the group's username. This will be used in setting the mail nickname, e-mail address, etc.
Primary Domain Name
Select the domain from the dropdown that you wish to set as the primary domain name for the group
Owners
Dynamic Group Parameters: For Dynamic Groups, a text box for entering the dynamic group parameters syntax becomes available e.g.: (user.userPrincipalName -notContains "#EXT#@") -and (user.userType -ne "Guest").
The report indicates whether inactive users have licenses assigned. It examines both interactive and non-interactive sign-in dates to determine this. This page lists all inactive users in the tenant who have not logged in for 180 days or more.
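As an added example (not CIPP's report code), the following reproduces the same test with the Microsoft Graph PowerShell SDK: a user is inactive only when both the interactive and the non-interactive sign-in timestamps are older than the cutoff, and a user who has never signed in is aged from the account creation date. It assumes Connect-MgGraph has been run with User.Read.All and AuditLog.Read.All, and that the tenant has an Entra ID P1 licence (signInActivity is not returned otherwise). The column names are assumptions.

```powershell
# Added example, not CIPP code. Session: Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
function Get-InactiveUserReport {
    param([int]$InactiveDays = 180)

    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$InactiveDays)

    # signInActivity must be requested explicitly; it is not part of the default set.
    $users = Get-MgUser -All -Property 'id,displayName,userPrincipalName,userType,createdDateTime,assignedLicenses,signInActivity'

    foreach ($u in $users) {
        # Look at BOTH timestamps. A mailbox or service-style account can be busy via
        # non-interactive token refreshes while never logging in interactively; flagging it
        # on the interactive date alone would produce false "inactive" hits.
        $candidates = @(
            $u.SignInActivity.LastSignInDateTime,
            $u.SignInActivity.LastNonInteractiveSignInDateTime
        ) | Where-Object { $_ }
        $last = $candidates | Sort-Object -Descending | Select-Object -First 1
        if (-not $last) { $last = $u.CreatedDateTime }   # never signed in: age from creation

        if ($last -gt $cutoff) { continue }

        [pscustomobject]@{
            UserPrincipalName      = $u.UserPrincipalName
            UserType               = $u.UserType
            LastActivityUtc        = $last
            DaysInactive           = [int]($now - $last).TotalDays
            AssignedLicenses       = $u.AssignedLicenses.Count
            LastInteractiveUtc     = $u.SignInActivity.LastSignInDateTime
            LastNonInteractiveUtc  = $u.SignInActivity.LastNonInteractiveSignInDateTime
        }
    }
}

# Licensed inactive users are the ones costing money and carrying unused credentials.
Get-InactiveUserReport -InactiveDays 180 |
    Where-Object { $_.AssignedLicenses -gt 0 } |
    Sort-Object LastActivityUtc |
    Format-Table UserPrincipalName, UserType, DaysInactive, AssignedLicenses -AutoSize
```

The sign-in activity fields lag real events by some hours, so a user who signed in today may still show yesterday's date; treat the 180-day threshold as a coarse filter, not a precise one.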
ID
The GUID of the tenant concatenated with the GUID of the user separated by an underscore
Tenant ID
When you start a CIPP sponsorship, you can either:
Continue self-hosting and receive support for that setup, or
Use the version hosted by CyberDrain (fully managed).
If you decide to migrate from a self-hosted instance to our hosted environment, follow these steps:
Log In to your self-hosted CIPP instance.
Go to Application Settings → click Run Backup.
Download the generated backup file.
Go to CIPP's and log in with the GitHub account you used to sponsor.
NOTE: If you sponsor with an organization GitHub account, please send in a message to [email protected] with your personal GitHub username so that we can manually add that user to the portal. You cannot log in to the management portal with organization accounts.
Return to your self-hosted instance → Application Settings → Backend.
Click Go to Keyvault. Keep this tab open.
In your hosted instance, open the SAM Setup Wizard.
In your hosted CIPP instance, navigate to Application Settings → Restore Backup.
Upload the backup file you downloaded in Step 1.
Wait for the restore to complete—CIPP will import your original configuration and data.
If you used a custom domain on your self-hosted instance, remove it there first so you can reuse it in the hosted environment.
In the Management Portal, add your custom domain to the hosted CIPP instance following the on-screen instructions.
Your instance and settings now live in the fully managed, CyberDrain-hosted version of CIPP.
Congratulations on a smooth migration! Enjoy your new, hosted CIPP with automatic updates and support.
View captured Audit Logs from the Alerts Wizard.
CIPP saves Audit Logs when an alert matches the rules defined in your Alert Configuration.
Select a time range in the Search Options to find Audit Log entries. Use the table filter to narrow down the results to what you are looking for.
This will output a combined table of the various audit log alert entries that CIPP has collected. The table columns will vary based on the alert data structures.
This page will allow you to create a new application permission set of Microsoft Graph permissions.
Set a name for your new permission set, optionally import from an existing permission set, optionally add a service principal, and select the application and delegated permissions to add to the set.
Now you can use to create a template to deploy this permissions set with the app you want to select.
This page allows you to view and manage your custom tenant groups. Groups make it easy to include similar tenants in your Standards.
This flyout will allow you to create a new tenant group. Set the Group Name, Group Description, and initial tenants to add to the group.
How to Make a Dynamic Tenant Group
This will allow you to create a predefined set of tenant groups provided by CIPP. The default groups created are:
This will open a flyout with a table of information on CIPP's processing of your dynamic tenant groups.
This page displays all current configured Audit Log and Scripted Alerts for CIPP. It also allows you to remove alert rules.
This page will contain your application approval templates.
This button will launch Application Approval.
This table will include basic information on the template name, app id, app name, and permission set for your created templates.
This page will allow you to manage application permission settings to be used to approve and deploy applications to your client tenants.
This table will display the permission sets that you have created along with some basic information on the permission set.
This page provides an overview of the Secure Score of the tenant. The default page view is with each secure score component displayed as a card.
All Recommendations
Shows all Secure Score recommendations regardless of status.
The Group Templates page allows administrators to define templates for creating groups. These templates can speed up the process of creating new groups by pre-defining certain group parameters. Once a template is created, it can be reused multiple times to create new groups with similar settings.
Streamline group creation across multiple tenants in Microsoft 365
The Deploy Group Templates page provides an interface for creating and deploying group templates in Microsoft 365. This feature offers an easy and efficient way to manage group creation, allowing users to select from a list of pre-defined templates and apply them across chosen tenants.
This document provides a step-by-step guide on how to navigate and utilize the Deploy Group Templates page.
This page will allow you to test your conditional access policies before putting them in production. The returned results will show you if the user is allowed or denied access based on the policy.
Disable Service Principal
If enabled, disables the service principal for the selected enterprise application(s)
Enable Service Principal
If disabled, enables the service principal for the selected enterprise application(s)
Delete Service Principal
Deletes the service principal for the selected enterprise application(s)
More Info
Opens the Extended Info flyout
CIPP API Fork: GitHub Repo
If you buy a Lighthouse license purely for CIPP, remember to accept the EULA in the Lighthouse portal to activate it.
Azure Static Web Apps: Learn more
Azure Key Vault: Learn more
Azure Cost Management: Learn more
Azure Storage (Tables, Blobs, Files): Learn more
The linked resources above will help you understand the Azure services CIPP depends on that you will be required to configure and maintain. If you’re missing any of these skills, we suggest reviewing these before proceeding. Proper knowledge ensures a smooth deployment and ongoing maintenance.
More Info
Opens Extended Info flyout
GUID of the tenant
Tenant Display Name
Azure Ad User Id
GUID of the user
Display Name
User's display name
User Principal Name
User's UPN
User Type
User type of "Member", "Guest", or "SharedMailbox"
Created Date Time
Relative time since the account was created
Number of Assigned Licenses
Last Refreshed Date Time
Relative time since the last refresh on the login statistics
Last Sign In Date Time
Relative time since the last login
Last Non Interactive Sign In Date Time
Relative time since the last non interactive sign in. For more information on what a non interactive sign in is, please see Microsoft Learn.
View User
Opens the CIPP user page for the selected user
Edit User
Opens the CIPP edit user page for the selected user
Block Sign In
Opens a modal to confirm if you want to block sign in for the user
Delete User
Opens a modal to confirm if you want to delete the user
Store this file in a safe location (it contains all your CIPP config).
Accept the initial invite and log into the newly created hosted environment.
Select “I have an existing application and would like to manually enter my tokens.”
Copy each value from your self-hosted Key Vault (step 2) into the corresponding fields in your hosted environment.
Click Next to finish the wizard.
View Log
Opens
Completed (100%)
Shows all Secure Score recommendations that have been completed.
Not Started (0%)
Shows all Secure Score recommendations that have not been started.
In Progress (Started)
Shows all secure score recommendations that have been started but not completed. This is anything from 1-99% complete.
Change Status
Opens a modal that allows you to change the status of the score component
Remediate
Will launch the appropriate Microsoft portal or recommended CIPP standard to remediate this score component.
Updates
Displays a chart of updates to the score since CIPP started tracking
Remove Password Credentials
Removes the password credentials from the selected app registration(s), if applicable
Remove Certificate Credentials
Removes the certificate credentials from the selected app registration(s), if applicable
Delete App Registration
More Info
Opens the Extended Info flyout
Mail Enabled Security Group
None
Select one or more owners of the group from the dropdown
Members
Select one or more members of the group from the dropdown
Azure Role Group
None
Security Group
None
Microsoft 365 Group
None
Dynamic Group
Dynamic Group Parameters (see below)
Dynamic Distribution Group
Dynamic Group Parameters (see below)
Distribution List
Let people outside the organization email the group - Allows the group to receive messages from both inside and outside the organization.
Opens docs.cipp.app for the page you are currently reviewing.
Join the Discord!
Opens a new tab to join the CyberDrain Discord server.
Request Feature
Opens a new tab to the GitHub feature request form. Note: Submissions by non-sponsors will auto close
Report Bug
Opens a new tab to the GitHub bug report form.
License
Opens the page for the GNU Affero General Public License terms for CIPP.

AD Password Sync
If passwords are synced
Teams Portal
Azure Portal
Intune Portal
Security Portal
Sharepoint Admin
Display Name
The display name of the tenant
Business Phones
What phone number has been set on the tenant
Technical Emails
Technical email contact
Tenant Type
What the type of tenant it is
Created
Created time and date
AD Connect Enabled
If AD connect is enabled
AD Connect Sync
If syncing is enabled
Create template based on group
Will create a group template from this group's settings
Delete Group
Deletes the group using the ExecGroupsDelete endpoint listed below.
More Info
Opens the Extended Info flyout
Edit Group
Allows navigation to the Edit Group page.
Set Global Address List Visibility
Controls the visibility of the group in the Global Address List.
Only allow messages from people inside the organization
Restricts the group to only receive messages from people inside the organization.
Allow messages from people inside and outside the organization
Allows the group to receive messages from both inside and outside the organization.
Tenants
Shows the tenants selected for the alert
Event Type
"Audit log Alert" or "Scheduled Task"
Conditions
Shows the alert conditions configured
Repeats Every
Shows the cadence for the alert
Actions
Shows the actions selected when an alert is generated
Alert Comment
Shows the comment added when the alert was created.
Excluded Tenants
Displays the excluded tenants
View Task Details
When a Scheduled Task is selected, this will open the View Scheduled Task Details page for the task.
Edit Alert
Opens the Add Alert page to be able to adjust settings as needed
Clone & Edit Alert
Copies the selected alert allowing you to make adjustments before saving it as a new alert.
Delete Alert
Opens a modal to confirm you want to delete the alert
More Info
Opens the Extended Info flyout
Edit Template
Opens the template to edit
Copy Template
Opens the Add App Approval Template page with the settings from the currently selected template prefilled
Save to GitHub
Saves the selected template(s) to your chosen GitHub repo
Delete Template
Opens a modal to confirm deletion of the selected template(s)
Edit Permission Set
Opens the permission set to allow you to adjust the set's settings
Copy Permission Set
Opens the Add Permission Set page with the settings of the selected permission set pre-filled
Delete Permission Set
Opens a modal to confirm deletion of the selected permission set(s)
More Info
Opens the Extended Info flyout
Edit the file (click the pencil icon).
Remove the following lines (or comment them out):
Commit these changes directly to your repository’s main branch.
Click Merge (or Run Workflow, if asked) to accept the update.
```yaml
pull_request:
  types: [opened, synchronize, reopened, closed]
  branches:
    - main
```
The workflow file lives in the .github/workflows folder of the repository.
MFA Devices
This will identify any MFA devices for review, including the type of device and the date and time it was registered.
Password Changes
This will display any recent password changes for the tenant.
Mailbox Rules
This will present any mailbox rules found for the client.
Recently added users
This will display any newly created users in the tenant.
New Applications
This will display any newly registered enterprise applications.
Mailbox permission changes
This will identify any suspicious mailbox permission changes.
Refresh Data
This will refresh the analysis for the user and update the Indicators of Compromise checks.
Remediate User
This action will block user sign-in, reset the user's password, disconnect all current sessions, remove all MFA methods for the user, and disable all inbox rules for the user.
Download Report
This will download a JSON file for the checks completed in the analysis.
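To make the Remediate User action concrete, here is an added example (not CIPP's own implementation) that performs the same five steps by hand with the Microsoft Graph PowerShell SDK and the Exchange Online module, in the order an incident responder would want them. It assumes Connect-MgGraph was run with User.ReadWrite.All and UserAuthenticationMethod.ReadWrite.All, Connect-ExchangeOnline for the inbox rules, and PowerShell 7. The type-to-collection table and the sample UPN are assumptions.

```powershell
# Added example, not CIPP code: manual equivalent of "Remediate User".
# Maps each Graph authentication method type to the collection it is deleted from.
# passwordAuthenticationMethod is deliberately absent: Graph does not allow deleting it.
$script:MethodCollections = @{
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
}

function Invoke-CompromisedUserRemediation {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property 'id,userPrincipalName,accountEnabled'

    # 1. Block sign-in first so nothing below races a live attacker session.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 2. Reset the password to a random value nobody knows; the user is issued a new one
    #    out of band and must change it at next logon.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = [Convert]::ToBase64String($bytes)
        ForceChangePasswordNextSignIn = $true
    }

    # 3. Invalidate refresh tokens so existing sessions cannot be renewed.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 4. Remove every registered MFA method; attackers routinely register their own.
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
        $type = $m.AdditionalProperties['@odata.type']
        if (-not $script:MethodCollections.ContainsKey($type)) { continue }
        $uri = "https://graph.microsoft.com/v1.0/users/$($user.Id)/authentication/$($script:MethodCollections[$type])/$($m.Id)"
        try   { Invoke-MgGraphRequest -Method DELETE -Uri $uri }
        catch { Write-Warning "Could not remove $type $($m.Id): $($_.Exception.Message)" }
    }

    # 5. Disable (do not delete) inbox rules, including hidden ones created over MAPI,
    #    so forwarding/deletion rules stop working but remain available as evidence.
    Get-InboxRule -Mailbox $user.UserPrincipalName -IncludeHidden |
        Where-Object { $_.Enabled } |
        Disable-InboxRule -Confirm:$false
}

# Assumed UPN for the demonstration.
Invoke-CompromisedUserRemediation -UserPrincipalName 'jane.doe@contoso.example'
```

Step 4 continues past a method Graph refuses to delete (for example one it considers the user's default) and reports it as a warning, so check the warnings before declaring the account clean. Step 5 deliberately disables rather than deletes rules: the rule definitions are evidence of what the attacker was exfiltrating or hiding.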
and review the indicated mailboxes for the permissions data.
Navigate to Access control (IAM) > + Add > Add role assignment.
Click on Privileged administrator roles.
Choose:
Role: Contributor
Assign access to: User, group, or service principal
Select: The CIPP Function App identity
Click Save.
You will be landed on the "Edit User" tab.
Header Information on this page displays the user's Display Name, their User Principal Name (with copy option), their User ID (with copy option), the Account Creation Date, and a button to launch Entra to view the user.
User Identity: First Name, Last Name, Display Name, Username (before the @ symbol), Primary Domain name (select from dropdown)
Professional Details: Job Title, Department, Company Name
Contact Details: Street Address, Postal Code, Mobile Phone, Business Phone, Alternate Email Address
Management: Set Manager (select from existing users), Copy groups from another user
Password Options
Create password manually (toggle)
When enabled: Enter custom password
When disabled: System generates secure password
Require password change at next logon (toggle)
Location Settings
Usage Location (required for licensing)
Select country from dropdown
Current Licenses
Shows currently assigned licenses
Drop down box allows you to multi-select the licenses you want the user to have after editing
Option to remove all licenses (toggle) - When removing the final license on a user, this must be checked.
SherWeb Integration (if enabled)
Auto-purchase option appears when licenses unavailable
Select license SKU for purchase
System handles purchase and assignment
Copy groups from user
Allows you to select another Entra ID user to copy groups from
Add to Groups
Multi-select dropdown that will allow you to add the user to groups
Remove from Groups
Multi-select dropdown that will allow you to remove the user from groups
Custom attributes can be configured in Preferences > General Settings
These include specific Azure AD attributes that will be available when creating new users:
Available Attributes: consentProvidedForMinor, employeeId, employeeHireDate, employeeLeaveDateTime, employeeType, faxNumber, legalAgeGroupClassification, officeLocation, otherMails, showInAddressList, state
Configuration:
Go to Preferences page under your user profile.
Under General Settings
Find Added Attributes when creating a new user
Changes take effect immediately upon saving
License changes require valid usage location
Password resets follow complexity requirements
Group membership changes are processed in order (removals then additions)
On-premises synced accounts show warning about limited editability
Display Name
This is the name that will be given to the group when a group is created using this template. It should be unique and descriptive.
Description
This field should contain a more detailed explanation of the group's purpose. This might include information about who should be added to the group, what resources the group provides access to, or any other information that helps describe the group.
Username
The username given to groups created from this template. As on the New Group page, it is used to set the mail nickname and e-mail address.
Group Type
The type of group that the template creates. Options include:
Azure Role Group
Security Group
Distribution List*
Allow External
Are external people allowed to email this group?
*Additional Fields for Specific Group Types
For some types of groups, additional fields become available when that type is selected:
Allow External: For Distribution Lists, a checkbox labeled "Let people outside the organization email the group" becomes available.
Dynamic Group Parameters: For Dynamic Groups, a text box for entering the dynamic group parameters syntax becomes available e.g.: (user.userPrincipalName -notContains "#EXT#@") -and (user.userType -ne "Guest").
Edit Template
Opens the Edit Template page for the selected template
Save to GitHub
Saves the template to your GitHub repository
Delete Template
Deleted the template
More Info
Opens the extended info flyout
In this step, you choose the tenants for which you want to create the group. Each tenant has a displayName and defaultDomainName.
In this step, you can choose to apply one of the previously created templates or manually enter the group information. If you opt for a template, select it from the dropdown menu. The page will automatically populate the rest of the fields based on the chosen template.
However, you have the flexibility to adjust the options as needed:
Group Type: Select the type of group. Options include Dynamic Group, Security Group, Distribution Group, Azure Role Group, and Mail Enabled Security Group.
Group Display Name: Enter the name that will be displayed for the group.
Group Description: Provide a brief description of the group. This field is optional.
Group Username: Specify the username for the group.
Let people outside the organization email the group: Check this box if you want the group to be able to receive emails from outside the organization. This option is available only for Distribution Groups.
Membership Rule: If you chose Dynamic Group as the group type, you can specify the rule for membership here.
Remember, the options presented depend on the Group Type selected. For instance, the "Membership Rule" field only appears if you select "Dynamic Group" as the Group Type.
For more details on these settings, please refer to .
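As an added example (not CIPP's own deployment code), this creates a dynamic security group from the membership rule quoted on this page and then verifies that no guest accounts were admitted. It assumes Connect-MgGraph with Group.ReadWrite.All and a tenant with Entra ID P1, which dynamic membership requires; the group display name and mail nickname are assumptions.

```powershell
# Added example, not CIPP code. Session: Connect-MgGraph -Scopes 'Group.ReadWrite.All'
function New-InternalMembersDynamicGroup {
    param(
        [string]$DisplayName  = 'All Internal Members',    # assumed
        [string]$MailNickname = 'all-internal-members'     # assumed
    )
    # Single quotes keep the double quotes inside the rule intact.
    # -notContains "#EXT#@" excludes B2B accounts by their UPN marker; -ne "Guest"
    # excludes them by userType, so a guest whose UPN was later rewritten still stays out.
    $rule = '(user.userPrincipalName -notContains "#EXT#@") -and (user.userType -ne "Guest")'

    New-MgGroup -DisplayName $DisplayName -MailNickname $MailNickname `
        -MailEnabled:$false -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}

function Test-NoGuestsInGroup {
    param([Parameter(Mandatory)][string]$GroupId)
    # Entra evaluates the rule asynchronously; run this some minutes after creation.
    $members = Get-MgGroupMember -GroupId $GroupId -All -Property 'id,userType,userPrincipalName'
    $guests  = @($members | Where-Object { $_.AdditionalProperties['userType'] -eq 'Guest' })
    if ($guests.Count -gt 0) {
        $upns = ($guests | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ', '
        Write-Warning "$($guests.Count) guest(s) found in group: $upns"
        return $false
    }
    return $true
}

$group = New-InternalMembersDynamicGroup
Start-Sleep -Seconds 120      # may need longer in large tenants
Test-NoGuestsInGroup -GroupId $group.Id
```

If the check returns $false, the rule text was probably altered on the way in (typically the quotes around #EXT#@ or Guest being lost); compare the MembershipRule property on the created group with the string you intended.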
This drop down contains the list of applications available for login scenarios
See the Optional Parameterstable below for more information
See the Test Results table below for more information
Country
Select the country you want to test logging in from via the drop down.
IP Address
Enter the IP address you want to test logging in from. Format must be similar to 8.8.8.8
Device Platform
Select the device platform you want to test.
Client Application
Select the client application you want to test.
Sign-In Risk Level
Select the sign-in risk level of the user signing in you want to test.
User Risk Level
Select the user risk level of the user signing in you want to test.
This table will outline the following information about the conditional access policies configured for the tenant and the results of the test.
Display Name
The display name of the conditional access policy.
State
The enablement state of the conditional access policy.
Policy Applies
A Boolean showing if the policy applies to the test settings.
Reasons
A value for the reason for the decision on policy application.
Not Intune and Entra Premium Capable
This group has neither an Intune license nor an Entra ID Premium license.
Business Premium License available
This group has at least one Business Premium license available.
Entra Premium Capable, Not Intune Capable
This group has an Entra ID Premium license but no Intune license.
Entra ID Premium and Intune Capable
This group has both Intune and Entra ID Premium available.
Name
Name of the group
Description
Description set for the group
Group Type
Dynamic or Static
Members
Click to view a table of the tenants in this group
Edit Group
Opens the Edit Tenant Group page for the selected row
Run Dynamic Rules
Forces a refresh of the dynamic group rules. Only selectable for groups of the dynamic type.
Delete Group
Opens a modal to confirm you want to delete the selected group.
We value your feedback and ideas. Please raise any feature requests on GitHub.
Installing Your Self-Hosted CIPP
This guide walks you through deploying your self-hosted instance of CIPP using our Azure Resource Manager (ARM) templates. Once completed, you’ll have a fully functioning CIPP installation, ready to configure.
Before deploying, ensure you’ve completed everything in the section (forks, Azure subscription, GitHub PAT, etc.).
How to grant users access to the CIPP App
When you first set up CIPP, you will need to create your first user in one of two ways:
For hosted clients, invites and roles can be managed by logging into the management portal
For self-hosted users:
Go to the Azure Portal.
Go to your CIPP Resource Group.
Once you have your initial superadmin user added, you are ready to finish the first setup. After completing the setup, you can return here to set up additional users using the built-in roles or custom CIPP roles via .
CIPP features a role management system which utilizes the . The roles available in CIPP are as follows:
You can assign these roles to users using the page.
While CIPP only supplies the above roles by default, you can create your own custom roles and apply them to users who hold editor or readonly rights. Admin users are unaffected by custom roles.
Set up Custom Roles by following these steps:
Go to CIPP -> Advanced -> Super Admin -> CIPP Roles.
Select a Custom Role from the list or start typing to create a new one if you do not yet have any.
Please ensure that your custom role is entirely in lowercase and does not contain spaces or special characters.
Optionally select an Entra group this role will be mapped to. Mapping an Entra group removes the requirement to add the user to the SWA or to invite them via the Management Portal.
Users previously directly added to the SWA or via the Management App will retain their settings from there. Adding those users via Entra group to a role with different permissions can cause errors in determining the user's access. It is recommended not to duplicate how you provide the user with permissions.
If you continue to use SWA/Management App role assignment, note that the roles do not sync, so you will need to type the role name exactly as it appears in CIPP Roles for the role to apply.
The Tenant Onboarding Wizard further simplifies the process of getting setup in CIPP by automatically connecting to any tenants found in your GDAP Relationships List to perform the background tasks necessary to manage a tenant in the system. Below is a list of the actions that are performed during Tenant Onboarding:
Verification of GDAP Invite Accepted
Confirmation that required roles are present.
Ensures groups are correctly mapped to roles.
Validates that permissions are updated via a CPV refresh
Verifies Graph API connectivity and access.
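The first three checks in the list above can be reproduced outside CIPP against the Graph GDAP API. The script below is an added example, not CIPP's own onboarding code: run from the partner tenant, it lists delegated admin relationships, flags any whose invite has not been accepted, checks that a set of role template IDs is present in the relationship, and reports roles that are not mapped through an access assignment to a security group the service account belongs to (the mapping CIPP depends on). The service account UPN, its domain, and the required-role table are placeholders; the role table is an illustrative subset and not CIPP's default role template, so substitute the roles from the template you created. The Global Administrator template ID is used only to warn that such relationships are not auto-extended.

```powershell
# Added example (not CIPP code): audit GDAP relationships from the partner tenant.
# Requires the Microsoft.Graph module and a partner-tenant sign-in.
Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All', 'GroupMember.Read.All', 'User.Read.All' | Out-Null

$ServiceAccountUpn = 'CIPPServiceAccount@contoso.onmicrosoft.com'   # placeholder, replace

# Role template IDs to require. Illustrative subset only; use your CIPP role template's roles.
$RequiredRoles = @{
    '29232cdf-9323-42fd-ade2-1d097af3e4de' = 'Exchange Administrator'
    'fe930be7-5e62-47db-91af-98c3a49a38b1' = 'User Administrator'
    '194ae4cb-b126-40b2-bd5b-6091b380977d' = 'Security Administrator'
}
$GlobalAdminRole = '62e90394-69f5-4237-9190-012177145e10'

# Follow @odata.nextLink so tenants with many relationships or groups are not truncated.
function Get-GraphCollection {
    param([string]$Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

$sa = Get-MgUser -UserId $ServiceAccountUpn -Property Id
# Groups (including nested) the service account is a member of.
$saGroups = Get-GraphCollection "https://graph.microsoft.com/v1.0/users/$($sa.Id)/transitiveMemberOf?`$select=id" |
    ForEach-Object { $_.id }

$rels = Get-GraphCollection 'https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships'
foreach ($rel in $rels) {
    $name = "$($rel.customer.displayName) [$($rel.customer.tenantId)]"

    # Check 1: invite accepted (status becomes 'active' once the customer approves).
    if ($rel.status -ne 'active') {
        Write-Warning "$name : relationship '$($rel.displayName)' is '$($rel.status)', not active"
        continue
    }

    # Check 2: required roles present in the relationship itself.
    $relRoles = @($rel.accessDetails.unifiedRoles.roleDefinitionId)
    if ($relRoles -contains $GlobalAdminRole -and $rel.autoExtendDuration -and $rel.autoExtendDuration -ne 'PT0S') {
        Write-Warning "$name : contains Global Administrator, so auto-extend will not be honoured"
    }
    $missing = @($RequiredRoles.Keys | Where-Object { $relRoles -notcontains $_ })
    foreach ($m in $missing) { Write-Warning "$name : relationship lacks $($RequiredRoles[$m])" }

    # Check 3: roles the service account can actually use, i.e. roles in an active
    # access assignment whose security group contains the account.
    $assignments = Get-GraphCollection "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($rel.id)/accessAssignments"
    $usable = @($assignments |
        Where-Object { $_.status -eq 'active' -and $saGroups -contains $_.accessContainer.accessContainerId } |
        ForEach-Object { $_.accessDetails.unifiedRoles.roleDefinitionId })
    $unmapped = @($RequiredRoles.Keys | Where-Object { $relRoles -contains $_ -and $usable -notcontains $_ })
    foreach ($u in $unmapped) {
        Write-Warning "$name : $($RequiredRoles[$u]) is in the relationship but not mapped to a group containing $ServiceAccountUpn"
    }

    if ($missing.Count -eq 0 -and $unmapped.Count -eq 0) { Write-Host "$name : OK" }
}
```

A role that shows up as "in the relationship but not mapped" is the usual cause of the AADSTS65001 consent error described further down: the relationship grants the role to the partner, but no group the service account sits in has been assigned it, so CIPP cannot exercise it in that tenant.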
CIPP requires its Service Account user to be a member of the specific security groups with the assigned for proper functionality within your GDAP relationship. This step is completed during the prior to tenant onboarding.
If these roles are missing or the groups haven't been applied to the CIPP user, CIPP will not be able to access the tenant, resulting in errors such as: invalid_grant:AADSTS65001: The user or administrator has not consented to use the application.
or
We currently support two methods of connecting to Microsoft tenants: a direct connection or a GDAP connection. It is recommended to set up a GDAP relationship with your clients, but in some cases this is not possible due to transaction regions or other blockers.
CIPP relies on GDAP role templates for proper onboarding of tenants. Before using the tenant onboarding wizard, you should create a role template. To create the CIPP Defaults role template, navigate to Tenant Administration -> GDAP Management -> Role Templates and click the "+ Create CIPP Defaults" button. You can alternatively create your own templates, but be sure to include the recommended roles for full CIPP functionality.
Navigate to Tenant Administration -> GDAP Management -> Relationships
To automate this process even further, enable in Application Settings and newly invited tenants will automatically onboard once accepted.
To directly add a tenant, go to the and select "Add a Tenant" - Make sure you log into a tenant using a service account. This tenant is added to the list of managed tenants immediately.
Do not attempt to add your partner tenant as a direct tenant. This will result in a permission error. To add your partner tenant, please see and select "Multi Tenant - Add Partner Tenant" or "Single Tenant - Own Tenant Mode".
There are limitations to what CIPP can do with directly added tenants due to some features relying on Lighthouse, Partner Center APIs, etc.
Permissions errors during addition of the tenant
Consent can only be granted for permissions the direct tenant is licensed for.
To work around this until a more robust method can be devised, if you see one of these errors, remove the offending permission (NOT THE CONSENT) from the CIPP-SAM app registration in your tenant.
Universal Search - This relies on Lighthouse to search for users
The View User page provides a comprehensive overview of user details and settings. It serves as the main landing page when viewing a user, with additional tabs available for more specific operations, such as Edit User, Compromise Remediation, etc.
Primary display of user information including a quick link to view the user in Entra
Additional tabs at top for extended functionality (Edit, Compromise Remediation, etc.)
Inherits Actions dropdown from list users page
The actions dropdown carries forward the same actions from the main Users page.
Information is read-only in this view
Use Edit tab to modify information
Expandable sections (▼) provide additional details
Direct links to related management pages
This view serves as the central hub for user information, providing quick access to both basic details and advanced management options through the tabbed interface.
The Add User wizard provides an interface for creating new user accounts in your tenant.
Navigate to: Identity Management > Administration > Users
Click Add User
Choose your starting point:
Start with blank form
Use "Copy properties from another user" dropdown to pre-fill fields
Use a User Template
User Identity: First Name, Last Name, Display Name, Username (before the @ symbol), Primary Domain name (select from dropdown)
Email Aliases: Add multiple email aliases one per line without domain (added automatically)
Password Options
Create password manually (toggle)
When enabled: Enter custom password
License Assignment: Allows you to select license(s) to assign & shows available license count
SherWeb Integration (if enabled): When no licenses are available, an auto-purchase option appears that lets you select the license SKU to buy; CIPP then handles the purchase along with onboarding.
Professional Details: Job Title, Department, Company Name
Contact Details: Street Address, City, State/Province, Postal Code, Mobile Phone
License assignment requires valid usage location
Password complexity rules apply to manual passwords
Group copying includes all accessible groups
Scheduled creation can be monitored in tasks
First things to check out after setting up CIPP.
Welcome to the post-setup implementation guide for CIPP! In this guide, you will learn how to navigate and configure various settings within the CIPP application. Let's discover some of the key features of CIPP and see how to use them.
Select Setup Wizard from CIPP settings for easy setup of several of the basics needed to operate CIPP.
Using the at the top you can switch tenants at any time. This allows you to dynamically choose what you're working on. You can also use the Tenant Selector to select "All Tenants" which allows you to see all your tenants in one swoop.
Let's setup some personal things first. The section has your personal preferences and profile information. Let's start by setting up CIPP the way you like it.
Click the toggle to switch to your preferred mode to display CIPP.
Let's go check out some of the next.
We have two styles of password we can generate when creating a new user or resetting a password: the classic password with capitals, numbers and symbols, or the modern passphrase style. A passphrase is more readable and often stronger than a string of randomly generated characters.
Let's select the "Correct-Battery-Horse" option, which generates passphrases.
You can choose the DNS resolver CIPP uses. By default, the resolver is Google.
CIPP can help you figure out why you can't access a tenant by executing an access check. These checks can help you detect issues with GDAP, access rights, or general M365 issues. These checks are done on the tab of CIPP Application Settings.
Talking about tenants, let's go check out our internal tenant list. We see all our tenants on the tab of CIPP Application Settings.
We can exclude a tenant from CIPP. This means the tenant will not be connected to CIPP, and we will not be able to make any changes to this tenant. This is done from the Actions column for individual tenants or the Bulk Actions button when multiple tenants are checked.
Navigate to the tab.
CIPP can send many types of notifications, in this screen we can do some of the basic setup of these notifications to filter them or select where they need to go.
Let's see how CIPP works in action. We'll navigate to the Identity Management > Administration > section to start managing users.
Most pages in CIPP work by showing you a table layout. The table allows you to filter data, export it, or execute actions. Let's try executing some bulk actions.
Setting the checkbox means we are going to take a bulk action on that specific row in our table.
You'll find all available actions in the "Bulk Actions" dropdown. Each page has different actions.
Let's look at some more of the options we have. Most tables in CIPP have a three-dot action menu as the right-hand visible column. This three-dot menu gives you a dropdown menu with options and information about that specific row.
For users, we have a lot of actions we can take. We could reset passwords or even add them to groups. Let's not bother our users and check out some other parts of CIPP for now.
Navigate to the section.
Select Tools > Tenant Tools > .
CIPP has the option to report on anything inside the Graph API, even when there is no dedicated page for it. You can use the Graph Explorer option to craft your own report. Let's try using the All Users with Email Addresses report.
Execute the query by clicking "Apply Filter".
The report lets you inspect this data as raw as it comes back from the API. You can also create an export using the PDF or CSV buttons.
Let's go check out the standards next by navigating to Tenant Administration > Administration > .
Standards allow you to create a baseline for a tenant. This means you can easily deploy your wanted settings to any tenant. With how important Standards are to the function and power of CIPP, we'll take a deeper dive in , or you can review the full documentation.
Let's go check out some reporting. Click on Tenant Administration > Administration > Standards > next.
The BPA gives you the ability to zoom in on your tenants and their current state. You can use custom reports or use the included examples to tell your clients what actions they need to take to become more secure.
Talking about best practices. You want to be notified when something goes wrong, so let's look at some of the alert options available in Tenant Administration > Administration > .
The documentation linked above has lots of information on the two types of alerts you can configure in CIPP:
Audit Log Alert: Microsoft Audit Log received alert
Scripted CIPP Alert: Data processed by CIPP on a schedule
Let's try managing our tenants next. Click on Tenant Administration > Administration > .
The tenant overview shows you your tenant names, default domains, and direct links to each of the portals. You can use these links to directly manage that tenant using GDAP.
We can also take actions on the tenants. Let's try using the three-dot icon in the Actions column to do so.
You'll find some more information about the tenant in this flyout, and you can edit a tenant. This allows you to set a tenant friendly name for CIPP, manage CIPP tenant group memberships, and more!
There are so many more features, but now that you understand the basics you can find more of the features yourself. We hope you enjoyed the walkthrough of the basic settings. You're now ready to deep dive into the platform.
The User Preferences page provides a tailored interface for users to manage and configure their individual settings related to general preferences, appearance, and offboarding defaults. This document outlines the functionalities available on the User Settings page.
In this section, users can manage general settings related to their account and workspace:
Added Attributes when creating a new user: Users can select additional user object attributes that are available when creating a new user.
Default new user usage location: This setting allows users to specify the default user location when creating or editing a user.
Default Page Size: Set the default page size for tables across CIPP.
Menu Favourites: Set pages that will display in your favourites section.
This section provides you the ability to set offboarding defaults, this allows you to easily preselect your predefined offboarding preferences.
This will display the active roles for the logged in user.
Save Settings: Save the modified settings for the individual user.
Save for All Users: If the user has admin privileges, they can save the modified settings for all users within the tenant. This overwrites every user's personal settings and is re-applied on each full page refresh.
Enable TanStack Query Tools
This will allow you to toggle on and off the various portal links displayed in the or on the Portals dropdown on the .
We value your feedback and ideas. Please raise any feature requests on GitHub.
Get up and running with CIPP quickly and confidently—no guesswork, no headaches.
We get it—GDAP can be confusing, but setting up CIPP doesn’t have to be painful!
Let our CIPP experts show you the ropes. They’ve seen it all and know the best tips and tricks to help you get up to speed. Stop banging your head against the wall and start benefiting from the time-saving, streamlined features CIPP offers once it’s configured correctly.
Offboard the selected user with standard requirements
The Offboarding Wizard is an interactive guide that streamlines the process of offboarding a user from a tenant in Microsoft 365. It provides a step-by-step process where you can select from a variety of offboarding tasks. These tasks include revoking sessions, removing mobile devices, resetting passwords, and more. This wizard also allows for easy setting of a user's Out of Office message and forwarding their mail to another user.
As CIPP is an application that touches many parts of M365, selecting the roles might be difficult. The following roles are recommended for CIPP, but you may experiment with less permissive groups at your own risk.
Please note that any relationship that contains the Global Administrator/Company Administrator role will NOT be eligible for auto extend.
The table below outlines the recommended roles for use in CIPP, describing what each role enables. Click on the Role Name to navigate to Microsoft's page for detailed information about each specific role.
About the Dashboard which includes versions and quick links
The Home page provides a comprehensive overview of the current tenant's details and allows you to perform various actions related to the tenant and its resources.
The Home page includes the following sections:
Universal Search: This is a universal search bar that allows you to quickly find the information you need using Lighthouse. To utilize this search, you must have onboarded Lighthouse on your partner tenant.
Portals: Contains links to various Microsoft 365 administration centers.
```powershell
# Grant the CIPP Function App's system-assigned managed identity the Contributor role on itself.
$RGName = Read-Host -Prompt "Resource Group Name"
Connect-AzAccount
# The API function app is the 'cipp*' site without a hyphen (the SWA is named CIPP-SWA-XXXX).
$Functions = Get-AzResource -ResourceGroupName $RGName -ResourceType 'Microsoft.Web/sites' |
    Where-Object { $_.Name -match 'cipp' -and $_.Name -notmatch '-' } | Select-Object -First 1
if (-not $Functions) { throw "No CIPP function app found in resource group $RGName" }
$FunctionApp = Get-AzWebApp -ResourceGroupName $Functions.ResourceGroupName -Name $Functions.Name
$Identity = $FunctionApp.Identity.PrincipalId   # object ID of the system-assigned managed identity
New-AzRoleAssignment -ObjectId $Identity -RoleDefinitionName 'Contributor' -Scope $FunctionApp.Id
```
✅ Recorded Sessions: Use the recordings to train your team and replicate processes effortlessly.
✅ Future-Proofing: Establish scalable systems that grow with your business.
✅ Expert Guidance: Work with a seasoned CIPP specialist who has hands-on experience.
✅ Save Time: Avoid trial-and-error setups and get clear, actionable steps.
For a one-time fee of $750 USD, you’ll receive:
A 90-minute live session with a CIPP expert.
A recording of your session for easy reference and team training.
By the end of the session, you’ll:
Understand the step-by-step process for onboarding clients to CIPP.
Learn how to configure regional settings and custom domain names.
Identify and resolve common performance issues related to region selection.
Use the CIPP management portal for user role assignments and permissions.
Implement best practices for inviting and managing additional users.
Gain familiarity with the Setup Wizard and GDAP setup process.
Complete a full GDAP setup for one client within CIPP.
Note: If you’ve already completed parts of the setup or need a specific focus, discuss this with your CIPP expert before scheduling. Unique requirements must be communicated in advance to ensure they’re addressed within the allotted time.
Fill Out the Form: Share your name, email, company name, and deployment status.
Check Your Email: Receive onboarding details and the sign-up link.
Complete Payment: Submit your payment securely to confirm your session.
Relax and Wait: Your dedicated CIPP expert will contact you to schedule the session.
To make the most of your session, have the following ready:
A Global Administrator account for your Partner Tenant.
Access to at least two Customer Global Admin accounts for GDAP testing.
Verify access to the CIPP Management Portal: https://management.cipp.app.
Prepare a list of:
Any errors or challenges you’ve encountered.
Screenshots of relevant issues (e.g., CIPP access failures, portal errors).
Have a mailbox license ready for the CIPP Service Account.
This will be converted into a shared mailbox during onboarding.
Here’s what you can expect during your onboarding session:
Recap your current environment, goals, and any pre-identified issues.
Guided walkthrough of key configurations, starting with GDAP setup and validation.
Test access to customer tenants using CIPP links.
Verify notifications and critical configurations.
Review and implement:
“AllTenants” Standard configurations.
Scripted alerts and audit log alerts with remediation workflows.
Address any outstanding questions or unique requirements.
Ensure you’re confident replicating processes for additional tenants.
To build on your onboarding success:
Refine Your Standards:
Adjust your “AllTenants” Standard to align with business needs.
Finalize Notifications:
Test and confirm email notifications for critical alerts.
Expand GDAP:
Use the GDAP Invite Wizard to onboard additional customers efficiently.
Document and Train:
Leverage your session recording to train team members and reinforce processes.
Ready to simplify your CIPP setup and take full advantage of its features?
If you have questions or need additional assistance before your session, reach out to our team—we’re here to help!
Dynamic Group*
Select your CIPP Static Web App CIPP-SWA-XXXX.
Under Settings, Select Role Management (Not IAM Role Management).
Select invite user.
Add the roles for the user. Multiple roles can be applied to the same user.
For Allowed Tenants select a subset of tenants to manage, tenant groups, or AllTenants.
If AllTenants is selected, you can block a subset of tenants or tenant groups using Blocked Tenants.
Optionally select the CIPP endpoints that you want to block for the role. For example, if you do not want the role to have access to delete users/mailboxes you would block RemoveUser.
Select the API permission from the listed categories and choose from None, Read or Read/Write.
To find out which API endpoints are affected by these selections, click on the Info button.
Not defining a category is the same as setting None. Be sure that you define all base role permissions you want to apply to the user.
You must be sure to assign both the custom role and the base role readonly or editor to the users.
If using Entra ID groups, you can map the base role to an Entra group (e.g. CIPP readonly mapped to a group named readonly) and add the user to both the base role's Entra group and the custom role's Entra group to manage permissions properly.
If using SWA role management (self-hosted) or management portal (CyberDrain hosted) be sure to add both roles to the user manually.
readonly
Only allowed to read and list items and send push messages to users.
editor
Allowed to perform everything, except change system settings.
admin
Allowed to perform everything.
superadmin
A role that is only allowed to access the settings menu for specific high-privilege settings, such as the "I want to manage my own tenant" settings.
Send an interactive authorization request for this user and resource.
Review the warnings on the tenant, as these indicate whether the tenant functions properly within CIPP.
If you see the warning that the relationship does not have all the CIPP recommended roles, do not proceed. See Tenant Onboarding to create a new GDAP relationship to establish a relationship that meets at least the minimum required roles.
Now that you've onboarded the tenant, your pre-existing role mapping may not match the role template you used as part of the onboarding.
Navigate to Tenant Administration -> GDAP Management -> Relationships, select the Actions menu for the tenant you just onboarded and choose "Reset Role Mapping".
Admin Portal Links - These use the GDAP relationship to log in as your CSP user. For a directly added tenant you will have to log in to the portal with an account native to that tenant.
Alerts - There are certain alerts that will only work with GDAP/Lighthouse
Alert if Defender is not running
Alert if Defender Malware found
Inactive Users Report - Relies on a CSP report
Select desired attributes from dropdown
Selected attributes will appear on Add User form
Azure Function App (API) with a Storage Account
Azure Key Vault for CIPP secrets
Azure Static Web App (SWA) that auto-selects a supported region near you
Performance is impacted by your region selection. Make sure you choose the region closest to you for optimal performance.
After you have completed the prerequisites in, select the button below to run the automated setup.
You must replace the preset "Github Repository" and "Github API Repository" fields with the URLs of your own GitHub forks of the CIPP repositories.
What if the deployment fails? It’s simplest to delete the resource group in the Azure portal and try again. This ensures a clean slate.
Azure Static Web Apps (SWA) is global by default (it picks the data center closest to you); however, some regions don't support deployment. To work around this, use the alternative installation button below.
When to use:
You need to enforce the SWA resource to deploy in Central US due to deployment issues
Your region doesn’t support SWA. Regions that support SWA deployment at the moment are:
Central US
East US 2
East Asia
The Azure Portal will load a “Custom deployment” form.
Fill in Deployment Parameters
GitHub Repository: Replace the default with your fork of the CIPP frontend repo.
GitHub Token: Paste your Personal Access Token. (Make sure it has permissions to access and deploy from your forked repo.)
Select a Region
Choose the region for your Key Vault, Function App, and Storage.
Note: If you’re using the Alternative (Central US) template, SWA will still deploy in centralus automatically, but the rest of your resources honor this selected region.
Review + Create
Check your settings, especially the repository URLs.
Click Review + create, wait for validation, then Create.
Wait for Completion
You can monitor progress in the Azure Portal’s Notifications.
If it fails, delete the resource group and try again for a clean slate.
Verify Your Deployment
Navigate to the Resource Group to check that the resources (Key Vault, Function App, Storage, SWA) exist.
Open the Static Web App and locate the "Primary endpoint" or "URL" field in the SWA resource. Browse to it. If everything is working, you'll see the CIPP login screen.
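The verification step above can be scripted so it is repeatable after every redeploy. The script below is an added example and is not part of CIPP's ARM templates: it checks that the resource group contains each expected resource type, that the Function App has a system-assigned managed identity and is HTTPS-only, that the Key Vault holds the secrets CIPP stores (the secret names refreshtoken and tenantid are taken as assumptions), and prints the SWA endpoint to browse to. The resource group name is read at run time; the rule that the API app is the "cipp" site without a hyphen is the same naming convention used by the role-assignment script earlier on this page.

```powershell
# Added example (not CIPP code): post-deployment verification of a self-hosted CIPP resource group.
# Requires Az.Accounts, Az.Resources, Az.Websites and Az.KeyVault.
param([string]$RGName = (Read-Host -Prompt 'Resource Group Name'))
Connect-AzAccount | Out-Null

$resources = Get-AzResource -ResourceGroupName $RGName
$expected = @{
    'Microsoft.KeyVault/vaults'         = 'Key Vault'
    'Microsoft.Web/sites'               = 'Function App'
    'Microsoft.Storage/storageAccounts' = 'Storage Account'
    'Microsoft.Web/staticSites'         = 'Static Web App'
    'Microsoft.Web/serverfarms'         = 'App Service Plan'
}
foreach ($type in $expected.Keys) {
    $found = @($resources | Where-Object ResourceType -eq $type)
    if ($found.Count -eq 0) { Write-Warning "Missing $($expected[$type]) ($type)" }
    else { Write-Host "OK  $($expected[$type]): $($found.Name -join ', ')" }
}

# The API function app reads Key Vault through its system-assigned managed identity,
# so a missing identity means the setup wizard will fail later.
$funcRes = $resources |
    Where-Object { $_.ResourceType -eq 'Microsoft.Web/sites' -and $_.Name -match 'cipp' -and $_.Name -notmatch '-' } |
    Select-Object -First 1
if ($funcRes) {
    $app = Get-AzWebApp -ResourceGroupName $RGName -Name $funcRes.Name
    if ($app.Identity.Type -match 'SystemAssigned' -and $app.Identity.PrincipalId) {
        Write-Host "OK  Function App identity: $($app.Identity.PrincipalId)"
    } else { Write-Warning "Function App $($funcRes.Name) has no system-assigned identity" }
    if ($app.HttpsOnly -ne $true) { Write-Warning "Function App $($funcRes.Name) is not HTTPS-only" }
} else { Write-Warning 'No CIPP API function app found' }

# Key Vault: secrets are written by the setup wizard; an empty vault means setup has not run yet.
$kvRes = $resources | Where-Object ResourceType -eq 'Microsoft.KeyVault/vaults' | Select-Object -First 1
if ($kvRes) {
    foreach ($secret in 'refreshtoken', 'tenantid') {   # assumed secret names
        $s = Get-AzKeyVaultSecret -VaultName $kvRes.Name -Name $secret -ErrorAction SilentlyContinue
        if ($s) { Write-Host "OK  secret '$secret' present (updated $($s.Updated))" }
        else { Write-Warning "secret '$secret' not found in $($kvRes.Name); complete the setup wizard" }
    }
}

# Static Web App: the hostname to browse to for the CIPP login screen.
$swa = Get-AzStaticWebApp -ResourceGroupName $RGName | Select-Object -First 1
if ($swa) { Write-Host "Browse to https://$($swa.DefaultHostname) to confirm the login screen loads" }
```

Reading secret metadata requires the Get secret permission on the vault for the account you signed in with; if you get an access denied, that is itself worth knowing, since it means the vault's access policy or RBAC is narrower than the identity you are using.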
Key Vault secrets: refreshtoken, tenantid
Azure Function App
Hosts the CIPP-API, deployed via a zip package in Azure Storage (latest.zip from cipp-api releases).
Uses a System-Assigned Managed Identity for secure operations.
Storage Account
Required for the Function App’s logs and file storage.
App Service Plan
A Y1 (Consumption) plan to keep Function App costs low.
Static Web App (SWA)
Hosts the frontend (CIPP React app).
Defaults to a global distribution, unless you use the Alternative template pinned to centralus.
Real-time data from Entra ID/Azure AD
User Photo
Displays user's Entra ID photo; shows initials if no photo is uploaded. Includes the ability to upload a new photo or delete the current photo.
Display Name
User's full display name as shown in the directory
User Principal Name
Primary username/login identity for the user
Account Enabled
Boolean indicator showing if user can sign in (✓/✗)
Synced from Active Directory
Boolean indicator showing if account is AD-synced (✓/✗)
Licenses
List of currently assigned M365/Azure licenses
Email Address
Primary and alternative email addresses
Business Phone
Primary business contact number
Mobile Phone
User's mobile contact number
Job Title
User's current position/role
Department
Organizational department
Office Location
Physical office location
Address
Street address details
Postal Code
ZIP/Postal code
Country
The country of the user
City
The city of the user
Last Logon
Most recent sign-in information • Expandable for additional details (click arrow)
Applied Conditional Access Policies
Active security policies • Expandable for policy details (click arrow)
Multi-Factor Authentication Devices
Registered MFA devices • Expandable for device details (click arrow)
Group Memberships
Table of all group associations • Includes per-row actions • Direct link to Edit Group page for the associated group to manage membership.
Admin Roles
Table of assigned administrative roles
We value your feedback and ideas. Please raise any feature requests on GitHub.
Attributes: state, postalCode, companyName, mobilePhone, businessPhones, usageLocation, office
When disabled: System generates a secure password
Require password change at next logon (toggle)
Location Settings
Usage Location (required for licensing)
Select country from dropdown
Business Phone, Alternate Email Address
Management: Set Manager (select from existing users), Copy groups from another user
Custom Attributes
Custom attributes can be configured in Preferences > General Settings
These include specific Azure AD attributes that will be available when creating new users:
Available Attributes: consentProvidedForMinor, employeeId, employeeHireDate, employeeLeaveDateTime, employeeType, faxNumber, legalAgeGroupClassification, officeLocation, otherMails, showInAddressList, state
Configuration:
Go to Preferences page under your user profile.
Under General Settings
Find Added Attributes when creating a new user
Must be configured before they appear on the form.
Attributes are standard Azure AD attributes
Values persist in Azure AD and can be queried/updated later
Not all attributes may be relevant for every user
Changes to Preferences affect all new user creation forms
We value your feedback and ideas. Please raise any feature requests on GitHub.
Convert Mailbox
Transforms mailbox to selected type: Shared, User, Room, or Equipment.
Enable Online Archive
Enable Auto-Expanding Archive
If the online archive has been enabled, this will allow you to enable the auto-expanding archive
Set Global Address List Visibility
This action will allow you to hide/unhide the mailbox from the Global Address List.
Start Managed Folder Assistant
Delete Mailbox
Copy Sent Items to Shared Mailbox
If this mailbox is a shared mailbox, this will set the attribute to copy sent items to the shared mailbox.
Disable Copy Sent Items to Shared Mailbox
If the mailbox is a shared mailbox, this will set the attribute to disable copy items to the shared mailbox.
Set Litigation Hold
Opens a modal to enable a litigation hold on the mailbox and set the duration of the hold. If you want to remove the litigation hold, toggle "Disable Litigation Hold" on.
Set Retention Hold
Opens a modal to enable the retention hold on the mailbox. If you want to remove the retention hold, toggle the "Disable Retention Hold" to on.
Set Mailbox Locale
Opens a modal to set the locale of the mailbox, e.g. en-US or da-DK
Set Max Send/Receive Size
Sets the max mailbox send and receive size for messages
Set Send Quota
Sets the quota (in MB, GB, or TB) the mailbox is allowed to send
Set Send and Receive Quota
Sets the quota (in MB, GB, or TB) the mailbox is allowed to send and receive
Set Quota Warning Level
Sets the warning level for the quota (in MB, GB, or TB)
Set Calendar Processing
Allows you to configure calendar processing settings such as "Automatically Accept Meeting Requests", "Allow Conflicts", etc.
Mailbox Type
Displays the type of mailbox assigned to this user: "UserMailbox" or "SharedMailbox".
Mailbox Usage
Shows percentage of mailbox quota used.
Hidden From Address Lists
A Boolean value indicating if this user has been hidden from the Global Address List.
Forward and Deliver
A Boolean value indicating if this user's mailbox has been set to forward email to another user.
Forwarding Address
If set, the e-mail address of the person email is forwarded to.
Archive Mailbox Enabled
A Boolean value indicating if the archive mailbox has been enabled.
Proxy Addresses
A widget for updating a user's or mailbox's proxy addresses, with add, delete and set-primary capability.
Mailbox Permissions
A widget for updating the mailbox permissions other users hold on this user's mailbox.
Calendar Permissions
A widget that allows for updating calendar permissions other users can be granted to this user's mailbox.
Contact Permissions
A widget that allows you to manage contact folder permissions.
Mailbox Forwarding
A widget that allows for updating mail forwarding options for this user's mailbox.
Out of Office
A widget that allows you to edit the out of office settings for this user's mailbox.
Bulk Add Mailbox Permissions
Allows you to bulk add other users to the current mailbox with Send As and/or Send On Behalf permissions.
Send MFA Push
Sends a push notification to the user's Microsoft Authenticator (if set up). This is useful to confirm you are speaking with the user.
Must be a Global Administrator while setting up the integration. These permissions must be removed after the integration has been set up and the application has been installed.
Must be added to the AdminAgents group. This group is required for connection to the Microsoft Partner API.
MFA Setup: This account must have Microsoft MFA enforced for each logon.
Use when available or via when not available.
Microsoft MFA is mandatory. Do not use alternative providers like Duo, and ensure it's set up before any login attempts.
This guide walks you through the process from the video of setting up the CIPP Service Account. Follow the instructions on this page to the letter to ensure a seamless setup process down the line.
The CIPP service account will be the account used to execute any actions on your tenants via CIPP.
To get started, head to the Microsoft Entra Portal's user overview at entra.microsoft.com
If you would like to use notifications, webhook triggers, or exports to other systems, the account you use must have a mailbox available. This mailbox will be used for outgoing reports, exports, and notifications.
Click on the "New user" button.
Create a new internal user in your organization
Enter a username in the field; we recommend something identifiable like "CIPPServiceAccount".
Enter "CIPP Service Account" in the Display Name field. Set the password to something strong, and save this password in a secure location.
Click on "Next: Properties".
Click on "Next: Assignments".
If you are a Microsoft Partner, and want to manage all your client tenants, click on Add Group.
Select the AdminAgents group. This group is required for connection to the Microsoft Partner API.
Select your GDAP groups
If you have already migrated to GDAP, select your GDAP groups at this stage. If you migrated using CIPP, these groups start with "M365 GDAP". If you have migrated but did not use CIPP, check the latest required GDAP roles on our Recommended Roles page.
If you have not migrated or used GDAP at all, or are planning to onboard your GDAP tenants using CIPP, continue on.
These groups might not exist if you have not yet migrated to GDAP.
If you want to move to using CIPP and Microsoft's best-practice recommendation of mapping one role to one security group, you can skip this step for now. CIPP will create the groups when you first set up your client tenants in Adding Tenants.
Click "Add role"
Add the Global Administrator Role
Find the Global Administrator role. This role is required for creating the CIPP-SAM application and should be removed directly after installation.
Click "Next: Review + create"
Click on "Create". This creates the account.
Tenant Selection
Select the tenant from which you want to offboard a user. Only one tenant can be selected at a time.
User Selection
Choose the user to be offboarded from the tenant. The selection is made from a dropdown menu that displays all users from the selected tenant.
Offboarding Options
Choose from a variety of offboarding options to apply to the user. These options are detailed in the sections below.
Confirmation
Review your selections and confirm to apply the offboarding process.
The Offboarding Wizard offers a range of settings that can be performed during the offboarding process. These tasks include:
Convert to Shared Mailbox
Converts the user's mailbox to a shared mailbox
Hide from Global Address List
Hides the user from the Global Address List
Cancel all calendar invites
Cancels all upcoming calendar events and meetings organized by the user
Remove user's mailbox permissions
Removes all the offboarded user's permissions to all other mailboxes
Remove all Rules
Removes all rules associated with the user
Remove all Mobile Devices
Removes all mobile devices associated with the user
Mailbox Full Access (no automap)
The selected user or users will be granted full access to the offboarded user's mailbox but will not have that mailbox auto mapped in Outlook
Mailbox Full Access (automap)
The selected user or users will be granted full access to the offboarded user's mailbox and they will have that mailbox auto mapped in Outlook
OneDrive Full Access
The selected user or users will be granted full access to the offboarded user's OneDrive
Forward Email To
The selected user will be set as the forwarding recipient on the offboarded user
Keep a copy of forwarded email
Toggling on this option will retain received mail in the offboarded user's mailbox while also forwarding it to the user selected above
Out of Office Message
This WYSIWYG editor will allow you to craft the Out of Office message set on the offboarded user's mailbox
Schedule this offboarding
Toggling this switch on presents the remaining options in this table
Scheduled Offboarding Date
The date and time you would like the offboarding to run
Webhook
Enable this to send a notification to your configured webhook in CIPP notifications settings
E-mail
Enable this to send a notification to your configured e-mail address in CIPP notifications settings
PSA
Enable this to send a notification to your configured PSA in CIPP notifications settings
We value your feedback and ideas. Please raise any feature requests on GitHub.
Can create and manage all applications, service principals, app registration, enterprise apps, consent requests. Cannot manage directory roles, security groups.
Manages all aspects of users, groups, registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects.
Manages all aspects of Intune, including all related resources, policies, configurations, and tasks.
Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity, and related settings. Limited access to related Exchange settings in Azure AD.
Can read security information and reports, and manages security-related features, including identity protection, security policies, device management, and threat management in Azure AD and Office 365.
Manages all aspects of the Defender for Cloud App Security in Azure AD, including policies, alerts, and related configurations.
Enables, disables, deletes devices in Azure AD, reads Windows 10 BitLocker keys. Does not grant permissions to manage other properties on the device.
Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets, and service health.
These roles are not currently configured with functionality within CIPP but will be incorporated over time. These are the roles that Microsoft recommends in addition to the 12 above to give MSPs the closest experience to a Global Administrator without needing Global Administrator access. Currently these are helpful for doing things in the native Microsoft portals.
Can manage domain names in cloud and on-premises.
Can read everything that a Global Administrator can but not update anything.
Can perform common billing related tasks like updating payment information.
These roles will be reported as missing when running GDAP checks. It is recommended that you add these three roles to your GDAP Role Mapping and to your Role Template.
Current Tenant: Displays various details about the current tenant:
Tenant Name
Tenant ID
Default Domain
AD Sync Enabled
User Statistics: Total, Licensed, Guests and Global Admins. Note: The chart names are clickable.
Drift Monitoring: Shows the Aligned Policies, Accepted Deviations, Current Deviations, and Customer Specific Deviations.
SharePoint Quota
Domain Names
Partner Relationships
Tenant Capabilities
Some values have special display settings for ease of reading.
Most tables also include an "Actions" column that will be visible to the right of the table. Clicking the ellipses will open the menu for available per-row actions that can be taken for this table. In many tables, selecting multiple check boxes next to rows will enable a Bulk Actions button for you to take the same action on every row selected.
Keeping CIPP up-to-date ensures you have the latest features, security patches, and bug fixes.
Note (Hosted / Sponsored Clients) If you’re using a CyberDrain-hosted instance of CIPP, updates happen automatically—generally within 48 hours of a new release. You can safely skip the rest of this page; however, it is important to perform a permissions check via CIPP > Application Settings > Permissions to ensure any newly added permissions are accounted for via an automated Permissions Repair in v7+.
Update your self-hosted CIPP instance to the latest release using the following instructions:
Select desired attributes from dropdown
Selected attributes will appear on Add User form
Remove from all Groups
Removes the user from all groups
Remove Licenses
Removes all licenses associated with the user
Revoke all sessions
Revokes all active sessions of the user
Disable Sign-In
Disables the user's ability to sign in
Clear Immutable ID
Clears the Immutable ID for a user synced from on-premises Active Directory. Note: This only works after the link is broken from AD
Reset Password
Resets the user's password to a randomly generated value, preventing the user from signing in after offboarding
Remove all MFA Devices
Removes all MFA devices associated with the user
Delete User
Deletes the user from the tenant
Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets, service health. Scoped permissions for Microsoft Intune, SharePoint, and OneDrive resources.
Sets/resets authentication methods for all users (admin or non-admin), deletes/restores any users. Manages support tickets in Azure and Microsoft 365. Restrictions on managing per-user MFA in legacy MFA portal.
Configures authentication methods policy, MFA settings, manages Password Protection settings, creates/manages verifiable credentials, Azure support tickets. Restrictions on updating sensitive properties, deleting/restoring users, legacy MFA settings.
Manages role assignments in Azure AD, Azure AD Privileged Identity Management, creates/manages groups, manages all aspects of Privileged Identity Management, administrative units. Allows managing assignments for all Azure AD roles including Global Administrator.
Auto Expanding Archive
A Boolean value indicating if the archive mailbox has been set to auto expand.
Total Archive Item Size
The value, in GB, of the size of the archive.
Total Archive Item Count
The value, in total number of items, of the size of the archive.
Litigation Hold
A Boolean value indicating if the account has been placed in litigation hold.
Mailbox Protocols
A listing of the protocols this mailbox has enabled.
Blocked For Spam
A Boolean value indicating if this account has been blocked by Microsoft due to spam activity.
Current Mailbox Rules
Displays any currently configured mailbox rules.
Pin to right
Unpin
Hide <column name> column
Show all columns
Between
Will return all results where the value is in between the inputs. This will not include the inputs in the returned results
Between Inclusive
Will return all results where the value is in between the inputs. This will include the inputs in the returned results
Greater Than
Will return all results where the value is greater than the input
Greater Than Or Equal To
Will return all results where the value is greater than or equal to the input
Less Than
Will return all results where the value is less than the input
Less Than OR Equal To
Will return all results where the value is less than or equal to the input
Empty
Will return all results where there is no value for this column
Not Empty
Will return all results where there is a value for this column
Not Contains
Will return all results where the value does not contain the input
Regex
Will return all results that match the Regex search pattern
Boolean (not in list)
Boolean columns will have a special drop down shown in the filters text entry area that will allow you to filter on Yes for true and No for false.
🔃 Refresh data
This action will refresh the column data
🔍 Search input text
This window will perform a search on table contents for the value you type into the box. Clicking on the magnifying glass will allow you to change from the default contains search method to fuzzy or starts with.
Filters
This will present options for preset filters for the table you are viewing. All tables have an option to "Reset all filters"
Columns
This will allow you to select which columns are visible on the page. You will also be presented with the options to "Reset to preferred columns", "Save as preferred columns", and "Delete preferred columns". Preferred columns are saved as part of your browser cookies.
Export
This will present you with different options on how to export the table data: CSV, PDF, API response (JSON). If you have selected any check boxes in the table, you will also be presented with the option to just export the selected rows to CSV or PDF.
📈 Queue Status
When present, this button will show you the status of the background tasks for longer-running queries. When complete, the queue tracking will refresh the results table.
Clear sort
This will clear any sorting set on this column
Sort by <column name> ascending
This will sort the column by ascending values (smallest to largest, 0 to 9, and/or A to Z)
Sort by <column name> descending
This will sort the column by descending values (largest to smallest, 9 to 0, and/or Z to A)
Clear filter
Clears any filters placed on the column
Filter by <column name>
This will present additional filtering options (See below)
Pin to left
Fuzzy
Will return all results where the value is similar to what is input
Contains
Will return all results where the value contains the input
Starts With
Will return all results where the value starts with the input
Ends With
Will return all results where the value ends with the input
Equals
Will return all results where the value exactly matches the input
Not Equals
Will return all results where the value does not match the input
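The two filter lists above (Between through Boolean, and Fuzzy through Not Equals) describe the operators without showing their edge cases side by side. The following is an added example, not code from CIPP, that implements those operator semantics over a few constructed rows so the differences are visible: Between excludes the two inputs while Between Inclusive keeps them, Empty matches both a missing cell and an empty string, and Boolean compares against the Yes/No drop-down. Two details are assumptions, because the page does not specify them: text operators are case-sensitive, and "Fuzzy" is scored with difflib's similarity ratio against a fixed cut-off.

```python
"""Column-filter semantics of the CIPP table views, as an added example."""
import re
from difflib import SequenceMatcher

# Constructed sample rows, shaped like a trimmed-down CIPP users table.
SAMPLE_ROWS = [
    {"displayName": "Alice Adams", "mailboxUsage": 12, "licensed": True,  "city": "Rotterdam"},
    {"displayName": "Bob Brown",   "mailboxUsage": 50, "licensed": False, "city": ""},
    {"displayName": "Carol Cole",  "mailboxUsage": 88, "licensed": True,  "city": None},
    {"displayName": "Dan Adamson", "mailboxUsage": 95, "licensed": False, "city": "Delft"},
]

# Assumption: the docs say "similar" but not how similarity is scored, so this
# example uses difflib's ratio with a fixed cut-off.
FUZZY_THRESHOLD = 0.6


def _is_empty(value):
    """Empty / Not Empty treat both a missing value and an empty string as 'no value'."""
    return value is None or value == ""


def matches(value, op, arg):
    """True when a single cell `value` satisfies filter `op` with user input `arg`.

    `arg` is a (low, high) pair for the two Between operators, a bool for the
    Boolean drop-down, and a single input for everything else.
    """
    if op == "empty":
        return _is_empty(value)
    if op == "not_empty":
        return not _is_empty(value)
    if _is_empty(value):
        return False  # every remaining operator needs a value to compare against
    if op == "between":            # exclusive: the inputs themselves are not returned
        low, high = arg
        return low < value < high
    if op == "between_inclusive":  # inclusive: the inputs are returned
        low, high = arg
        return low <= value <= high
    if op == "gt":
        return value > arg
    if op == "gte":
        return value >= arg
    if op == "lt":
        return value < arg
    if op == "lte":
        return value <= arg
    if op == "boolean":            # Yes -> True, No -> False
        return bool(value) is bool(arg)
    text, needle = str(value), str(arg)
    if op == "contains":
        return needle in text
    if op == "not_contains":
        return needle not in text
    if op == "starts_with":
        return text.startswith(needle)
    if op == "ends_with":
        return text.endswith(needle)
    if op == "equals":
        return text == needle
    if op == "not_equals":
        return text != needle
    if op == "regex":
        return re.search(needle, text) is not None
    if op == "fuzzy":
        return SequenceMatcher(None, text.lower(), needle.lower()).ratio() >= FUZZY_THRESHOLD
    raise ValueError(f"unknown filter operator: {op!r}")


def apply_filter(rows, column, op, arg):
    """Return the rows whose `column` cell satisfies the filter."""
    return [row for row in rows if matches(row.get(column), op, arg)]


def names(rows):
    """Display names of a result set, for compact checks."""
    return [row["displayName"] for row in rows]


if __name__ == "__main__":
    print("Between 12..88 (exclusive):", names(apply_filter(SAMPLE_ROWS, "mailboxUsage", "between", (12, 88))))
    print("Between 12..88 (inclusive):", names(apply_filter(SAMPLE_ROWS, "mailboxUsage", "between_inclusive", (12, 88))))
    print("City empty:", names(apply_filter(SAMPLE_ROWS, "city", "empty", None)))
    print("Regex ^[AB]:", names(apply_filter(SAMPLE_ROWS, "displayName", "regex", r"^[AB]")))
```

Run the module directly to see the exclusive and inclusive Between results differ on the same inputs; note that a Regex filter is evaluated against the cell text, so anchoring with ^ or $ behaves as in any other regex search.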
Boolean
Columns that display information in a Boolean will utilize a graphical representation instead of true and false. The value for true will display as a check mark. The value for false will display as a circle with an X in it.
Table
Columns that return data in a complex list will display an orange button with the number of items in the list. Clicking the button opens a modal that displays a second table with the contents of that list.
West Europe
West US 2
The SWA remains globally served, so end-user latency is typically minimal.
Reference this article on Supported MFA options from Microsoft for more details.
Note (Self-Hosted Clients Updating from v6 or earlier)
A few more steps are required to upgrade versions 6 to 7. See the release notes for v7.0.1 and review the steps in 2. Updating from v6 (or Older) to v7+ below for how to successfully update in these scenarios.
For typical updates (e.g., moving from any v7+ patch releases):
Open Your CIPP Fork
Go to your fork of the CIPP repo on GitHub.
Click Sync fork (or sometimes Fetch upstream).
Choose Update branch—be careful not to discard any commits.
IMPORTANT: If prompted with a question asking "Do you want to Discard (X) Commits" or "Update Branch", ensure you click on "Update Branch" AND DO NOT PRESS DISCARD
Repeat for CIPP-API
Do the same steps in your CIPP-API fork so both the front-end and API stay in sync.
Wait for Deployment
If you’ve connected your Azure Function App to GitHub Actions, the updates should roll out automatically within about 30 minutes.
Check your Azure Logs or GitHub Actions to confirm a successful deployment
Clear Browser Cache
If you see an older version in your browser, try a Hard Refresh: open DevTools (F12), then right-click the refresh icon beside the URL bar and select Hard reload and empty cache.
Permissions Check
Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.
The v7 front-end introduced a Next.js + Material-UI stack, so older forks might need an extra step:
Check Your Workflow File(s)
In your CIPP repo, open the .github/workflows folder.
Look for filenames starting with azure-static-web-apps (e.g., azure-static-web-apps-main.yml).
Important: If you discarded commits previously, you might not see such a file at all—or it might be renamed.
Set the output_location to "/out" (If Missing)
In older v7 instructions, we had to manually change:
output_location: ""
to:
output_location: "/out"
However, newer versions of the workflow may already include
Commit and Redeploy
After editing, commit directly to your main branch.
A GitHub Actions run should trigger automatically, building and redeploying the Static Web App.
Wait & Verify
Give Azure a few minutes to pick up changes. Check the Actions tab or the Azure Logs for success.
Clear your cache or try a different browser to confirm the new version is live.
Permissions Check
Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.
In many cases, there are so many changes to the repo that GitHub doesn't know how to properly merge your repo with the upstream repo. Follow these instructions to get your branch to update.
If you accidentally chose Discard (X) Commits while syncing your fork, you might have lost the original azure-static-web-apps workflow file. This often leads to:
“No changes to commit” messages,
A stuck or outdated front-end version,
Confusion about missing .yml files.
Check Repository Secrets
In your CIPP fork, go to Settings → Secrets and variables → Actions.
Note the name of your Azure Static Web Apps deployment token (e.g., AZURE_STATIC_WEB_APPS_API_TOKEN_SOMENAME_12345).
Create a New .yml in .github/workflows
The filename can be anything (azure-static-web-apps-fix.yml, deploy.yml, etc.)—just make sure it ends in .yml.
Use this example file as the contents
Update References to Your Secrets
In that new file, look for lines referencing the token (e.g., AZURE_STATIC_WEB_APPS_API_TOKEN_...).
Replace them with your token name from Step 1.
Commit
Once you commit, GitHub Actions should fire off a new build if the on: triggers are present (typically push or pull_request).
Check the Actions tab to see if it’s running.
Confirm Deployment
After the workflow succeeds, your Static Web App should serve the updated version.
If you still see the old UI, do a Hard Refresh (open DevTools, then right-click the Refresh button) or wait up to 30 minutes for Azure’s distribution/CDN to update.
Permissions Check
Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.
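The two workflow-related checks on this page (the output_location value for v7+ forks, and the secret name referenced by a recreated .github/workflows file matching the token under Settings → Secrets and variables → Actions) are easy to get wrong by eye. The following is an added example, not CIPP's own tooling, that reads a workflow file's text and reports both problems, then rewrites output_location to "/out". The sample workflow is constructed to resemble an azure-static-web-apps file still carrying the pre-v7 empty output_location; the secret name reused from this page is only an illustration, and the line-based regex is a deliberate simplification rather than a full YAML parser.

```python
"""Sanity checks for an Azure Static Web Apps deployment workflow, as an added example."""
import re

# Constructed sample: the shape of the azure-static-web-apps-*.yml file in a CIPP
# fork, with the pre-v7 output_location still present. Not the project's file.
SAMPLE_WORKFLOW = """\
name: Azure Static Web Apps CI/CD
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened, closed]
    branches: [main]
jobs:
  build_and_deploy_job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build And Deploy
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_SOMENAME_12345 }}
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          action: "upload"
          app_location: "/"
          api_location: ""
          output_location: ""
"""

EXPECTED_OUTPUT_LOCATION = "/out"  # the v7 Next.js static export directory

# A line-oriented match is enough for this one key; a full YAML parser is not needed.
OUTPUT_LOCATION_RE = re.compile(
    r'^(?P<indent>[ \t]*)output_location:[ \t]*'
    r'(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\'|(?P<bare>[^\s#]*))[ \t]*(?:#.*)?$',
    re.MULTILINE,
)
SECRET_REF_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
TRIGGER_RE = re.compile(r"^on:", re.MULTILINE)


def get_output_location(text):
    """Return the configured output_location, or None when the key is absent."""
    m = OUTPUT_LOCATION_RE.search(text)
    if not m:
        return None
    for group in ("dq", "sq", "bare"):
        if m.group(group) is not None:
            return m.group(group)
    return None


def referenced_secrets(text):
    """All secrets.NAME references in the workflow, sorted and de-duplicated."""
    return sorted(set(SECRET_REF_RE.findall(text)))


def check_workflow(text, repo_secrets):
    """Compare the workflow against the repository's Actions secret names.

    `repo_secrets` is the set of names shown under Settings > Secrets and
    variables > Actions; returns a list of findings, empty when all is well.
    """
    findings = []
    if not TRIGGER_RE.search(text):
        findings.append("no 'on:' trigger, so a commit will not start a build")
    location = get_output_location(text)
    if location is None:
        findings.append("output_location is missing")
    elif location != EXPECTED_OUTPUT_LOCATION:
        findings.append(f'output_location is {location!r}, expected "{EXPECTED_OUTPUT_LOCATION}"')
    secrets = referenced_secrets(text)
    for name in secrets:
        if name == "GITHUB_TOKEN":
            continue  # supplied automatically by GitHub Actions
        if name not in repo_secrets:
            findings.append(f"secret {name} is referenced but not defined in the repository")
    if not any(name.startswith("AZURE_STATIC_WEB_APPS_API_TOKEN") for name in secrets):
        findings.append("no Azure Static Web Apps deployment token is referenced")
    return findings


def fix_output_location(text):
    """Rewrite the first output_location line to "/out", keeping its indentation."""
    def replace(m):
        return f'{m.group("indent")}output_location: "{EXPECTED_OUTPUT_LOCATION}"'
    return OUTPUT_LOCATION_RE.sub(replace, text, count=1)


if __name__ == "__main__":
    known = {"AZURE_STATIC_WEB_APPS_API_TOKEN_SOMENAME_12345"}
    for finding in check_workflow(SAMPLE_WORKFLOW, known):
        print("finding:", finding)
    print("after fix:", check_workflow(fix_output_location(SAMPLE_WORKFLOW), known))
```

To use it on a real fork, read your workflow file into `text` and pass the secret names you see in the repository settings as `repo_secrets`; a non-empty finding list tells you which of the steps above still needs doing before you commit.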
At this point, your CIPP front-end and API should be updated to the latest release. Keep these key points in mind:
Never click “Discard Commits” when syncing.
Watch for the .github/workflows files if you suspect deployment issues.
Hard-refresh or wait for CDN caches to clear for a truly up-to-date view.
Congratulations! You’re now up-to-date and ready to use the newest features.
Click "Discard XXX commits"
Select "Create new file"
Name the file the same as the azure-static-web-apps file open in your other browser tab
Copy the contents of the file in your other tab to the new file
Interact with Microsoft 365 users.
User management. Equal to and extending Microsoft 365 admin center > Active Users.
The properties returned are those of the Microsoft Graph "user" resource type. For more information on the properties, please see the Microsoft Graph user resource documentation.
Create a temporary access password for a user to enroll in passwordless authentication.
The Add User form can be pre-filled via URL query strings. This table shows all supported query strings. For example, https://yourcipp.app/identity/administration/users/add?customerId=Mydomain.onmicrosoft.com&city=Rotterdam would automatically fill in the city for a user.
If you want to create your own LiveLink, you can use the QueryString below.
Edit Properties
Bulk update user properties via the
Send MFA Push
Sends test MFA prompt to user's devices
- Verifies MFA configuration
- Tests user's registered devices
Set Per-User MFA
Configures MFA state:
- Enforced
- Enabled
- Disabled
- Overrides tenant-level settings
- Immediate effect on sign-ins
Set Sign In State
Allows you to set the sign in state for the selected user(s) to either Enabled or Disabled
- Immediate effect
- Doesn't affect existing sessions
Revoke all user sessions
Forces re-authentication on all devices
- Terminates all active sessions
- Requires new sign-in everywhere
Disable Out of Office
Removes automatic replies
- Immediate effect
- Clears all auto-reply settings
Disable Email Forwarding
Removes all email forwarding rules
- Clears ForwardingAddress
- Clears ForwardingSMTPAddress
Set Source of Authority
Allows you to select if the user should be "Cloud Managed" or "On-Premises Managed"
displayName
Display Name
givenName
First Name
jobTitle
Job Title
mailNickname
Username before the email address part (User<@domain.com>)
mobilePhone
Mobile Phone Number
addedAliasses
Added aliases; multiple allowed via line break (%0A)
postalCode
Zip or post code
streetAddress
Address information
surname
Last Name
usageLocation
User location for license, can be left blank for default.
primDomain
User Primary Domain (User<@domain.com>)
MustChangePass
Boolean, default is false.
👁 View User
Displays comprehensive user account details in the admin interface
- Read access to user objects
- Shows all available user information
- Displays advanced user account details
✏️ Edit User
Modifies user account details and settings:
- Basic information
- License assignments
- Group memberships
- Contact details
- Write access to user objects
- Can copy group memberships from another user
- Changes apply immediately
Delete User
Permanently removes user account
Research Compromised Account
Analyzes Indicators of Compromise (IoC):
- Sign-in patterns
- Mail rules
- Suspicious activities
- Security admin rights
- Provides comprehensive security review
- Single pane of glass review of common indicators of compromise (IoC)
Create Temporary Access Password
Creates temporary password for passwordless enrollment
- Time-limited access
- Creates a temporary password to allow full passwordless enrollment
Re-require MFA registration
Forces new MFA setup by:
- Resetting MFA status to Enabled
- Requiring new registration
Reset Password
Sets a new random password. Optionally, you can set the toggle for "Must Change Password at Next Logon"
- Password immediately active
- No change requirement
Set Password Expiration
Set password expiration state for this user.
If set to Enable and the user's password is older than the organization's configured expiration period, the user will be prompted to change their password at their next login.
Convert Mailbox
Transforms mailbox to selected type: Shared, User, Room, or Equipment.
- Requires Exchange Online license
- Maintains data and access
Enable Online Archive
Activates archival mailbox
- Requires appropriate license
- Additional storage space
Set Out of Office
Configures automatic replies
Pre-provision OneDrive
Initializes OneDrive storage
- No user login required
- Speeds up first access
Add OneDrive Shortcut
Creates SharePoint site shortcut
- Adds to OneDrive root
- Requires existing OneDrive
Manage Licenses
Allows for bulk license management of the selected user(s)
Add to Group
Assigns user to specified group(s)
- Immediate membership
- Inherits group permissions
Clear Immutable ID
Breaks on-premises AD sync
More info
Opens Extended Info panel showing:
- Common profile fields
- Additional actions
- Quick access to key information
- Alternative action access point
customerId
Client Tenant ID (only required field)
businessPhones
Business Phone Number
city
User City Location
companyName
Company Name
country
Country
department
Department
- Administrative privileges required
- Irreversible action
- Consider backup/archival first
- User must complete new MFA setup
- Affects all MFA methods
- Authentication Methods must be migrated from legacy
- You will need Security Defaults or a CA policy and registration campaign to force registration again
- Single message for internal/external
- No HTML formatting
Note: Setting a different internal and external autoreply is currently not supported
- Sets onPremisesImmutableId to null
- Stops directory synchronization
?city=<CITY>&country=<COUNTRY>&customerId=<UDF-TenantId(tblCustomers)>&primDomain=<ACCOUNTWEBSITEADDRESS>&usageLocation=NL&streetAddress=<ACCOUNTADDRESS1>&companyName=<ACCOUNTNAME>&businessPhones=<ACCOUNTPHONE>&postalCode=<ACCOUNTPOSTALCODE>&givenName=<CONTACTFIRSTNAME>&surname=<CONTACTLASTNAME>
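The query-string table and the LiveLink template above list the supported keys but leave the encoding details (the %0A separator for addedAliasses, reserved characters in e-mail addresses) to the reader. The following is an added example, not part of CIPP, that builds an Add User pre-fill link from named fields and decodes one back for checking. It rejects unknown keys and a missing customerId, since that is the only required field on the page; the base URL, the alias list and the user values are constructed sample data, and sending MustChangePass as "true"/"false" is an assumption, because the page only states that it is a Boolean defaulting to false.

```python
"""Build and check CIPP Add User pre-fill links, as an added example."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Query-string keys listed in the table on this page; customerId is the only required one.
SUPPORTED_KEYS = {
    "customerId", "displayName", "givenName", "jobTitle", "mailNickname", "mobilePhone",
    "addedAliasses", "postalCode", "streetAddress", "surname", "usageLocation",
    "primDomain", "MustChangePass", "businessPhones", "city", "companyName",
    "country", "department",
}
ADD_USER_PATH = "/identity/administration/users/add"


def build_add_user_link(base_url, **fields):
    """Return a pre-fill URL for the Add User form.

    `addedAliasses` may be given as a list; the entries are joined with a line
    break, which urlencode emits as %0A, the separator the form expects.
    Booleans are sent as "true"/"false" (assumption: the page only says
    MustChangePass is a Boolean defaulting to false).
    """
    if not fields.get("customerId"):
        raise ValueError("customerId is required")
    unknown = sorted(set(fields) - SUPPORTED_KEYS)
    if unknown:
        raise ValueError(f"unsupported query-string keys: {', '.join(unknown)}")
    params = {}
    for key, value in fields.items():
        if value is None or value == "":
            continue  # leave the field blank so the form uses its default
        if key == "addedAliasses" and isinstance(value, (list, tuple)):
            value = "\n".join(value)
        elif isinstance(value, bool):
            value = "true" if value else "false"
        params[key] = str(value)
    return f"{base_url.rstrip('/')}{ADD_USER_PATH}?{urlencode(params)}"


def parse_add_user_link(url):
    """Decode a pre-fill link back into its fields, e.g. to check a PSA LiveLink template."""
    parts = urlsplit(url)
    if parts.path != ADD_USER_PATH:
        raise ValueError(f"not an Add User link: {parts.path}")
    return {key: values[0] for key, values in parse_qs(parts.query).items()}


if __name__ == "__main__":
    # Constructed sample values; yourcipp.app is the placeholder host used on this page.
    link = build_add_user_link(
        "https://yourcipp.app",
        customerId="Mydomain.onmicrosoft.com",
        givenName="Alice", surname="Adams",
        city="Rotterdam", usageLocation="NL",
        addedAliasses=["alice@example.com", "a.adams@example.com"],
        MustChangePass=True,
    )
    print(link)
    print(parse_add_user_link(link))
```

When a PSA substitutes its own variables into the template above, run the resulting link through `parse_add_user_link` once to confirm every key survived substitution and that multi-line alias lists still arrive as separate lines.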