Welcome to the CyberDrain Improved Partner Portal (CIPP) User Documentation
Welcome to the CIPP User Documentation! CIPP (pronounced "sip") is the CyberDrain Improved Partner Portal, a powerful Microsoft 365 multitenant management system designed to help MSPs streamline their clients' Microsoft 365 administration tasks. Created by Kelvin Tegelaar in 2021, CIPP aims to fill the gaps left by existing multi-tenant management solutions, making it easy and efficient to manage multiple clients from one centralized portal experience.
CIPP consists of two main components: the CIPP UI and the CIPP API. The frontend is built using React and Core UI, while the API is built with PowerShell. The system leverages Azure Functions and Azure Static Web Apps to provide a fast, responsive, and maintainable solution.
Central User Management: CIPP offers a simple user management interface, making it easy to add, edit, and delete users, offboard users, change calendar permissions, manage shared mailboxes, and more.
Easy Standardization: Deploy standards across your entire client base, ensuring tenants are always in the desired state. CIPP's alerting and best practices features help you provide the best experience for your clients.
Secure and Report: CIPP includes industry best-practice standards and integrations, allowing you to report on everything in your M365 tenants and secure your customers' environments.
The documentation is organized into the following components:
Setup Documentation: This section covers the initial setup process of deploying your own instance of CIPP, including system requirements, installation, and configuration.
User Documentation: Here, you'll find detailed guides and tutorials on how to use the CIPP platform once it's been deployed to manage your clients' Microsoft 365 tenants.
Developer Documentation: If you're looking to extend the functionality of CIPP or integrate it with other tools and services, the Developer Documentation provides API documentation, custom scripting, and other advanced topics for developers.
In addition to the core documentation components, we also provide a Troubleshooting Guide and an FAQ section to help you quickly resolve common issues and find answers to frequently asked questions.
CIPP is an open-source project, and we encourage users to review the code and contribute to its ongoing development. For more information about the project, its contributors, and funding, please refer to the documentation in the relevant sections.
We hope this documentation serves as a valuable resource as you explore and utilize the CyberDrain Improved Partner Portal. If you have any questions or need further assistance, please don't hesitate to check us out on Discord.
Installing Your Self-Hosted CIPP
If you choose to sponsor and use the CyberDrain hosted version, you can skip over these steps, and jump over to our Sponsor Quick Start guide for further direction.
This guide walks you through deploying your self-hosted instance of CIPP using our Azure Resource Manager (ARM) templates. Once completed, you’ll have a fully functioning CIPP installation, ready to configure.
Before deploying, ensure you’ve completed everything in the Prerequisites section (forks, Azure subscription, GitHub PAT, etc.).
When to use:
Your Azure region supports Azure Static Web Apps (SWA).
You want SWA to deploy automatically to the closest supported data center.
This template creates all necessary resources in your local region, including:
Azure Function App (API) with a Storage Account
Azure Key Vault for CIPP secrets
Azure Static Web App (SWA) that auto-selects a supported region near you
After you have completed the prerequisites, select the button below to run the automated setup.
You must replace the preset "Github Repository" and "Github API Repository" fields with the URLs of your own GitHub fork of the CIPP repository.
What if the deployment fails? It’s simplest to delete the resource group in the Azure portal and try again. This ensures a clean slate.
Azure Static Web Apps (SWA) is global by default (it picks the data center closest to you); however, some regions don't support deployment. To work around this, use the alternative installation button below.
When to use:
You need to force the SWA resource to deploy in Central US because of deployment issues.
Your region doesn’t support SWA. Regions that support SWA deployment at the moment are:
Central US
East US 2
East Asia
West Europe
West US 2
The key difference:
SWA is pinned to centralus in the ARM template.
The other resources (Key Vault, Function App, Storage) still deploy to the region you choose in the Azure Portal.
The SWA remains globally served, so end-user latency is typically minimal.
When you start a CIPP sponsorship, you can either:
Continue self-hosting and receive support for that setup, or
Use the version hosted by CyberDrain (fully managed).
If you decide to migrate from a self-hosted instance to our hosted environment, follow these steps:
Log In to your self-hosted CIPP instance.
Go to Application Settings → click Run Backup.
Download the generated backup file.
Store this file in a safe location (it contains all your CIPP config).
Deploy your hosted CIPP instance by filling out the required information.
Accept the initial invite and log into the newly created hosted environment.
Return to your self-hosted instance → Application Settings → Backend.
Click Go to Keyvault. Keep this tab open.
In your hosted instance, open the SAM Setup Wizard.
Select “I have an existing application and would like to manually enter my tokens.”
Copy each value from your self-hosted Key Vault (step 2) into the corresponding fields in your hosted environment.
Click Next to finish the wizard.
In your hosted CIPP instance, navigate to Application Settings → Restore Backup.
Upload the backup file you downloaded in Step 1.
Wait for the restore to complete—CIPP will import your original configuration and data.
If you used a custom domain on your self-hosted instance, remove it there first so you can reuse it in the hosted environment.
In the Management Portal, add your custom domain to the hosted CIPP instance following the on-screen instructions.
Your instance and settings now live in the fully managed, CyberDrain-hosted version of CIPP.
Congratulations on a smooth migration! Enjoy your new, hosted CIPP with automatic updates and support.
This page covers everything you need before installing CIPP on your own infrastructure.
To get started, you must complete or have the following ready. Click on the links for instructions on how to perform some of these tasks, or for more information on the functionality in question.
For the installation and maintenance of CIPP, we assume you’re comfortable with:
The linked resources above will help you understand the Azure services CIPP depends on that you will be required to configure and maintain. If you’re missing any of these skills, we suggest reviewing these before proceeding. Proper knowledge ensures a smooth deployment and ongoing maintenance.
You’re Ready for Installation Once you’ve checked off these prerequisites, move on to the next page to set up your self-hosted instance. Happy CIPPing!
Go to CIPP's and log in with the GitHub account you used to sponsor.
If you choose to sponsor and use the CyberDrain hosted version, you can skip over these steps, and jump over to guide for further direction.
CIPP Frontend Fork:
CIPP API Fork:
You’ll need an active Azure Subscription where your CIPP resources (Function Apps, Static Web Apps, Key Vault, etc.) will live. If you’re new to Azure, check out or confirm your existing subscription’s permissions
CIPP uses Azure Static Web Apps (SWA) to deploy from GitHub. You’ll need a PAT (Personal Access Token) with relevant repo permissions. For instructions, see Microsoft’s .
Recommended for MSP Usage: A is needed to access various API endpoints used in CIPP but CIPP will function without it.
If you buy a Lighthouse license purely for CIPP, remember to accept the EULA in the to activate it.
Azure Functions:
Azure Static Web Apps:
Azure Key Vault:
Azure Cost Management:
Azure Storage (Tables, Blobs, Files):
How to configure CIPP after you've completed installation.
For Hosted Clients
If you’re using a CyberDrain hosted instance of CIPP:
Log in at management.cipp.app to manage users.
From the Management Portal, click Invite User, which generates a shareable invite link.
NOTE: Clicking on Invite User will return the invite link to you directly. You must share this link with the user. It is not e-mailed or sent to the user in any way.
Once your CIPP installation completes successfully, follow the steps below to finalize access and roles.
Tip: If you see a red “X” in your deployment status, the install failed. Delete the resource group in the Azure Portal and redeploy.
Open the Azure Portal and locate your CIPP Resource Group.
Find the CIPP Static Web App (e.g., CIPP-SWA-XXXX).
Click Role Management (not IAM Role Management).
Select Invite User.
In the “UPN” field, enter the Microsoft 365 UPN (user principal name) of the person you want to add (likely yourself upfront).
Assign the Admin role.
Save your changes.
Go to the URL for your Static Web App (SWA).
Log in with the same UPN you just added.
If successful, you’ll have admin privileges within CIPP.
With user access established, you can:
Invite other team members or clients (using the same Role Management process, or the management portal for hosted users).
Configure advanced settings (e.g., custom domains, environment variables, or additional roles).
Congratulations! You’re now ready to use CIPP for tenant management in your Azure environment.
Whenever you push changes to the chosen branch, the Function App updates itself automatically using Run From Package.
Note: If you’re a sponsor using a hosted CIPP instance, you can skip this page—Run From Package is already set for you.
Most Azure Function Apps can be deployed using various methods, but Run From Package is a streamlined, read-only approach that pins your Function App’s code to a zip file. This method:
Ensures consistent deployment (updates happen atomically when the package is replaced).
Makes rollback and troubleshooting simpler.
Often leads to faster cold starts since your code is pre-packaged and ready to go.
If you used our ARM template from the Installation page, your Function App should already be in Run From Package mode, deploying from the latest.zip file. To confirm:
Open Azure Portal → Locate the Function App in your resource group.
Go to Configuration (or Settings → Application Settings, depending on portal version).
Look for an Application Setting named WEBSITE_RUN_FROM_PACKAGE.
It should be set to 1.
If it is, great—your Function App is already running from a package zip.
If you want your Function App to auto-update whenever you commit to your CIPP-API fork, follow these steps:
Still in the Function App settings, go to Deployment Center (sometimes under Deployment → Deployment Center).
If an existing CI/CD connection is configured, Disconnect it to avoid conflicts.
Under Source, select GitHub, then log in if prompted.
Leave “Workflow Option” set to “Add a workflow” (the default).
For Authentication Type, pick “Basic Authentication.” (Azure portal doesn’t support Identity-based auth yet.)
Click Add a workflow, then Save.
Repeat this for any additional function apps you may have deployed for function offloading.
Your Function App will now update automatically, pulling directly from your GitHub fork whenever you push commits to the selected branch. For day-to-day development, this means less manual deployment and faster iteration on your CIPP-API codebase.
If you run into any snags:
Check the Azure Portal’s Logs under your Function App.
Review your GitHub Actions logs for build/deployment errors.
That’s it! You’re now set up for streamlined, package-based deployments with automatic updates.
Keeping CIPP up-to-date ensures you have the latest features, security patches, and bug fixes.
Note (Hosted / Sponsored Clients) If you’re using a CyberDrain-hosted instance of CIPP, updates happen automatically—generally within 48 hours of a new release. You can safely skip the rest of this page; however, it is important to perform a permissions check via CIPP > Application Settings > Permissions to ensure any newly added permissions are accounted for via an automated Permissions Repair in v7+.
Update your self-hosted CIPP instance to the latest release using the following instructions:
Note (Self-Hosted Clients Updating from v6 or earlier)
A few more steps are required to upgrade from version 6 to 7. See the release notes for v7.0.1 and review the steps in option 2 below for how to successfully update in these scenarios.
For typical updates (e.g., moving from any v7+ patch releases):
Open Your CIPP Fork
Go to your fork of the CIPP repo on GitHub.
Click Sync fork (or sometimes Fetch upstream).
Choose Update branch—be careful not to discard any commits.
IMPORTANT: If prompted with a question asking "Do you want to Discard (X) Commits" or "Update Branch", ensure you click on "Update Branch" AND DO NOT PRESS DISCARD
Repeat for CIPP-API
Do the same steps in your CIPP-API fork so both the front-end and API stay in sync.
Wait for Deployment
If you’ve connected your Azure Function App to GitHub Actions (Run From Package mode), the updates should roll out automatically within about 30 minutes.
Check your Azure Logs or GitHub Actions to confirm a successful deployment
Clear Browser Cache
If you see an older version in your browser, try a Hard Refresh: open DevTools (F12), then right-click the refresh icon beside the URL bar and select Hard reload and empty cache.
Permissions Check
Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.
The v7 front-end introduced a Next.js + Material-UI stack, so older forks might need an extra step:
If your "Sync fork" options button presents you with an error that there are conflicts that must be resolved, skip to Option 3.
Check Your Workflow File(s)
In your CIPP repo, open:
Look for filenames starting with azure-static-web-apps (e.g., azure-static-web-apps-main.yml).
Important: If you discarded commits previously, you might not see such a file at all—or it might be renamed.
Set the output_location to "/out" (If Missing)
In older v7 instructions, we had to manually change:
to:
However, newer versions of the workflow may already include "/out". Double-check your file before making changes.
Commit and Redeploy
After editing, commit directly to your main branch.
A GitHub Actions run should trigger automatically, building and redeploying the Static Web App.
Wait & Verify
Give Azure a few minutes to pick up changes. Check the Actions tab or the Azure Logs for success.
Clear your cache or try a different browser to confirm the new version is live.
Permissions Check
Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.
In many cases, there are so many changes to the repo that GitHub doesn't know how to properly merge your repo with the upstream repo. Follow these instructions to get your branch to update.
If you accidentally chose Discard (X) Commits while syncing your fork, you might have lost the original azure-static-web-apps workflow file. This often leads to:
“No changes to commit” messages,
A stuck or outdated front-end version,
Confusion about missing .yml files.
If you're comfortable with GitHub, the easiest way to ensure you have the appropriate values for your token is to review your Actions tab on your CIPP repo for the most recent successfully run update. The contents of your old workflow file will be found by clicking "Workflow file" in the left side column of the Build and Deploy task. You'll still need to ensure the /out changes have been made to the file.
Check Repository Secrets
In your CIPP fork, go to Settings → Secrets and variables → Actions.
Note the name of your Azure Static Web Apps deployment token (e.g., AZURE_STATIC_WEB_APPS_API_TOKEN_SOMENAME_12345).
Create a New .yml in .github/workflows
The filename can be anything (azure-static-web-apps-fix.yml, deploy.yml, etc.); just make sure it ends in .yml.
Use this example file as the contents
Update References to Your Secrets
In that new file, look for lines referencing the token (e.g., AZURE_STATIC_WEB_APPS_API_TOKEN_...).
Replace them with your token name from Step 1.
Commit
Once you commit, GitHub Actions should fire off a new build if the on: triggers are present (typically push or pull_request).
Check the Actions tab to see if it’s running.
Confirm Deployment
After the workflow succeeds, your Static Web App should serve the updated version.
If you still see the old UI, do a Hard Refresh (Open DevTools, then Right Click Refresh Button) or wait up to 30 minutes for Azure’s distribution/CDN to update
Permissions Check
Updates to CIPP can often include additional permissions required as new features are added or existing features get updated for new requirements from Microsoft. Go into CIPP > Application Settings > Permissions and perform a Permissions Check. If any roles are missing, you'll be presented with the option to Repair Permissions in v7+.
At this point, your CIPP front-end and API should be updated to the latest release. Keep these key points in mind:
Never click “Discard Commits” when syncing.
Watch for the .github/workflows files if you suspect deployment issues.
Hard-refresh or wait for CDN caches to clear for a truly up-to-date view.
Congratulations! You’re now up-to-date and ready to use the newest features.
GDAP allows you to access your clients' tenants according to the role you've set. This means you are able to give one employee "helpdesk" access, and another employee "security" access.
GDAP requires a mapping between roles and security groups in your partner tenant. CIPP creates these groups and mappings for you. Do not select all roles. This is not supported by Microsoft and CIPP. Selecting all roles (or most roles) will guarantee unexpected results. Carefully consider which roles are required for your deployment.
GDAP relationships have a maximum age, but may auto-renew if set up correctly.
Auto Extend is only available for relationships without the Global Administrator role. If your relationship contains the Global Administrator role you cannot enable this feature. This means that you will need to renew the relationship by reinviting the tenant every 2 years.
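One way to check relationship data against the two constraints above (Global Administrator blocks auto extend, and such relationships must be re-invited before they lapse). This is an added example, not part of the CIPP documentation or code base; it assumes input in the shape Microsoft Graph returns for delegatedAdminRelationships, and the sample relationships, customer names, placeholder role IDs and the 90-day warning window are constructed.

```python
import re
from datetime import datetime, timezone

# Well-known Entra ID role template ID for Global Administrator
# (also shown as Company Administrator).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample shaped like Graph delegatedAdminRelationship objects.
# Customer names, dates and the 00000000-... role IDs are made up.
SAMPLE_RELATIONSHIPS = [
    {"status": "active", "endDateTime": "2025-02-15T00:00:00Z",
     "autoExtendDuration": "PT0S",
     "customer": {"displayName": "Contoso (constructed)"},
     "accessDetails": {"unifiedRoles": [
         {"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID},
         {"roleDefinitionId": "00000000-0000-0000-0000-000000000001"}]}},
    {"status": "active", "endDateTime": "2025-03-01T00:00:00Z",
     "autoExtendDuration": "P180D",
     "customer": {"displayName": "Fabrikam (constructed)"},
     "accessDetails": {"unifiedRoles": [
         {"roleDefinitionId": "00000000-0000-0000-0000-000000000001"},
         {"roleDefinitionId": "00000000-0000-0000-0000-000000000002"}]}},
    {"status": "active", "endDateTime": "2026-06-01T00:00:00.0000000Z",
     "autoExtendDuration": "PT0S",
     "customer": {"displayName": "Tailwind (constructed)"},
     "accessDetails": {"unifiedRoles": [
         {"roleDefinitionId": "00000000-0000-0000-0000-000000000002"}]}},
]


def duration_days(value):
    """Convert an ISO 8601 duration such as P180D or PT0S to days."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?",
                     value or "PT0S")
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d + (h * 3600 + mi * 60 + s) / 86400


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, dropping any fractional seconds."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))


def audit_relationship(rel, now, warn_days=90):
    """Flag relationships that will lapse instead of auto extending."""
    roles = {r["roleDefinitionId"].lower()
             for r in rel["accessDetails"]["unifiedRoles"]}
    has_ga = GLOBAL_ADMIN_ROLE_ID in roles
    auto_extend = duration_days(rel.get("autoExtendDuration")) > 0
    days_left = (parse_graph_time(rel["endDateTime"]) - now).days

    findings = []
    if has_ga:
        findings.append("contains Global Administrator: cannot auto extend")
    elif not auto_extend:
        findings.append("auto extend is not enabled")
    # Only relationships that will not renew themselves need an expiry warning.
    will_lapse = has_ga or not auto_extend
    if rel["status"] == "active" and will_lapse and days_left <= warn_days:
        findings.append(f"expires in {days_left} days: re-invite the tenant")

    return {"customer": rel["customer"]["displayName"],
            "has_global_admin": has_ga,
            "auto_extend": auto_extend,
            "role_count": len(roles),
            "days_left": days_left,
            "findings": findings}


def audit_all(relationships, now=None):
    """Return audit results for every relationship that has findings."""
    now = now or datetime.now(timezone.utc)
    results = (audit_relationship(r, now) for r in relationships)
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for item in audit_all(SAMPLE_RELATIONSHIPS, fixed_now):
        print(item["customer"], "->", "; ".join(item["findings"]))
```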
The next few pages will walk you through setting up a CIPP Service Account and the best practices you will need to follow within your Microsoft environments to ensure you don't run into any issues.
It is important that this account is set up correctly to ensure a seamless process when you get into CIPP and start the onboarding process.
Must be a Global Administrator while setting up the integration. These permissions may be removed after the integration has been set up.
Must be added to the AdminAgents group. This group is required for connection to the Microsoft Partner API.
MFA Setup: This account must have Microsoft MFA enforced for each logon.
Microsoft MFA is mandatory. Do not use alternative providers like Duo, and ensure it's set up before any login attempts.
This guide walks you through the process from the video of setting up the CIPP Service Account. Follow the instructions on this page to the letter to ensure a seamless setup process down the line.
The CIPP service account will be the account used to execute any actions on your tenants via CIPP.
If you would like to use notifications, webhook triggers, or exporting to other systems, the account you use must have a mailbox available. This mailbox will be used for outgoing reports, exports, and notifications.
Click on the "New user" button.
Create a new internal user in your organization
Enter a username in the field. We recommend something identifiable like "CIPP Service Account".
Enter "CIPP Service Account" in the Display Name field. Set the password to something strong, and save this password in a secure location.
Click on "Next: Properties".
Click on "Next: Assignments".
If you are a Microsoft Partner, and want to manage all your client tenants, click on Add Group.
Select the AdminAgents group. This group is required for connection to the Microsoft Partner API.
Select your GDAP groups
Click "Add role"
Add the Global Administrator Role
Find the Global Admin role. This role is required for the CIPP-SAM application creation, and is recommended to be removed directly after installation.
Click "Next: Review + create"
Click on "Create". This creates the account.
As CIPP is an application that touches many parts of M365, selecting the roles might be difficult. The following roles are recommended for CIPP, but you may experiment with less permissive groups at your own risk.
Please note that any relationship that contains the Global Administrator/Company Administrator role will NOT be eligible for auto extend.
These roles are not currently configured with functionality within CIPP but will begin to be incorporated over time. These are the roles that Microsoft recommends in addition to the 12 above to give MSPs the most similar experience of a global administrator without needing global administrator access. Currently these are helpful for enabling them to do things in the native Microsoft portals.
If you’re using the CyberDrain-hosted version of CIPP, you can skip this page—updates happen automatically for you.
Enabling automatic updates means that each time CIPP releases a new version, a pull request (PR) is created in your GitHub repository. You simply approve and merge this PR to get the newest changes, no manual forking or syncing required.
Click Install (or Configure, if you’ve used Pull before).
Select your CIPP and CIPP-API repositories from the list.
pull_request Triggers in Your Existing Workflow
To avoid conflicts, you’ll remove the lines that automatically trigger GitHub Actions on pull requests in your azure-static-web-apps workflow file:
Open your CIPP repository in GitHub.
Navigate to the folder:
Find the file named something like azure-static-web-apps-xyz.yml (the name includes your deployment token and some random words).
Edit the file (click the pencil icon).
Remove the following lines (or comment them out):
Commit these changes directly to your repository’s main branch.
Why Remove These Lines? They trigger the workflow whenever a PR is opened or updated—this can cause conflicts once Pull starts handling your updates, because you’ll end up with dueling triggers.
When a new version of CIPP is released:
Open your CIPP repository on GitHub.
Check the Pull Requests tab. You’ll see a new PR created by the Pull app.
Review the changes.
Click Merge (or Run Workflow, if asked) to accept the update.
That’s it! Your repository will now stay in sync with the latest CIPP releases by simply merging new pull requests from the Pull app.
Q: Do I need to remove pull_request triggers in both CIPP and CIPP-API repos?
A: Yes, if both repos have pull_request triggers in their .yml workflow files, remove them in each to avoid conflicts.
Q: What if I accidentally discard the Pull app’s PR?
A: You can always open the “Closed” Pull Requests and revert that action, or let Pull create a new one. Just make sure you haven’t re-added the pull_request lines.
Q: Will my Azure deployment automatically pick up changes after I merge the PR?
A: Yes, assuming your GitHub Actions workflow triggers on push to main, the Static Web App and Function App will redeploy within ~30 minutes.
Q: Do I still need to click “Sync Fork”?
A: No. Once Pull is set up, you won’t need to manually sync. The Pull app auto-creates a PR whenever upstream changes are detected.
With Pull handling your repository’s updates, your self-hosted CIPP instance will stay current with minimal effort. Just watch for those PR notifications, merge them, and enjoy the latest features!
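The workflow edits described in this documentation (output_location set to "/out" in the update steps, the token secret name matching your repository secret, and the pull_request trigger removed for the Pull app) can be checked in a local clone of your fork. This is an added example, not part of the CIPP documentation or repositories; the sample workflow and the secret name AZURE_STATIC_WEB_APPS_API_TOKEN_EXAMPLE_00000 are constructed, and the parser is a line-based approximation rather than a full YAML parser.

```python
import re
from pathlib import Path

DEPLOY_ACTION = "Azure/static-web-apps-deploy"
TOKEN_RE = re.compile(r"secrets\.(AZURE_STATIC_WEB_APPS_API_TOKEN\w*)")

# Constructed workflow for illustration (not CIPP's own file). It still has
# the pull_request trigger and no output_location; the secret is a placeholder.
BEFORE = """\
name: Azure Static Web Apps CI/CD
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened, closed]
    branches: [main]
jobs:
  build_and_deploy_job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_EXAMPLE_00000 }}
          action: "upload"
          app_location: "/"
"""

# The same constructed file with the trigger commented out and "/out" added.
_PR = "  pull_request:\n    types: [opened, synchronize, reopened, closed]\n    branches: [main]\n"
AFTER = (BEFORE
         .replace(_PR, "".join("  # " + l[2:] + "\n" for l in _PR.splitlines()))
         .replace('app_location: "/"\n',
                  'app_location: "/"\n          output_location: "/out"\n'))


def _strip_comment(line):
    """Drop YAML comments: whole-line ones and trailing ' # ...' ones."""
    if line.lstrip().startswith("#"):
        return ""
    return re.sub(r"\s+#.*$", "", line)


def _on_block(lines):
    """Return the lines belonging to the top-level `on:` key."""
    block, inside = [], False
    for line in lines:
        if re.match(r"""^["']?on["']?\s*:""", line):
            inside = True
            block.append(line)
        elif inside:
            if not line[0].isspace():   # next top-level key ends the block
                break
            block.append(line)
    return block


def audit_workflow(text, expected_secret=None):
    """Check one workflow file against the settings the page describes."""
    lines = [l for l in map(_strip_comment, text.splitlines()) if l.strip()]
    has_pr = any(re.search(r"\bpull_request(_target)?\b", l)
                 for l in _on_block(lines))
    outputs = [m.group(1).strip().strip("\"'") for l in lines
               if (m := re.match(r"\s*output_location\s*:\s*(.*)$", l))]
    secrets = sorted(set(TOKEN_RE.findall("\n".join(lines))))

    findings = []
    if has_pr:
        findings.append("pull_request trigger is still active")
    if not outputs:
        findings.append('output_location is missing (expected "/out")')
    elif any(o != "/out" for o in outputs):
        findings.append(f'output_location is {outputs}, expected "/out"')
    if not secrets:
        findings.append("no AZURE_STATIC_WEB_APPS_API_TOKEN_* secret referenced")
    elif expected_secret and secrets != [expected_secret]:
        findings.append(f"workflow references {secrets}, repo secret is {expected_secret}")
    return {"pull_request_trigger": has_pr, "output_locations": outputs,
            "token_secrets": secrets, "findings": findings}


def audit_repo(root, expected_secret=None):
    """Audit every workflow under .github/workflows that deploys the SWA."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        text = path.read_text(encoding="utf-8")
        if DEPLOY_ACTION.lower() in text.lower():
            results[path.name] = audit_workflow(text, expected_secret)
    return results


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(doc)["findings"])
```

Run `audit_repo(".")` from the root of a cloned fork, passing the secret name shown under Settings → Secrets and variables → Actions as `expected_secret`.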
Getting started with setting up the CyberDrain Improved Partner Portal
This section of the documentation will walk you through the process of setting up the CyberDrain Improved Partner Portal (CIPP) to manage your clients' tenants efficiently.
CIPP is a powerful Microsoft 365 multitenant management system that will allow you to deploy standard properties across all your tenants, easily manage everything from a single portal, and keep your managed environments in the best shape.
How you plan to deploy the software determines where you will want to start.
When using the SAM Wizard to create your CIPP-SAM application, it's important to remember the following:
You're using a Chromium-based browser. It MUST allow cookies and have any ad-blocker disabled for the duration of the wizard. Do not use in-private mode.
This guide walks you through the process from the video of executing the SAM Wizard inside CIPP for the first time, and has 3 options based on what you're looking to accomplish. In this example, we use the first-time setup option, but more details on additional options can be found in the sections below.
Once you've logged into your CIPP instance, navigate to Settings -> SAM Setup Wizard
For the purposes of this walkthrough, we'll act as if this is your first time running through this process, and you'd like to follow CIPP's recommended settings by clicking I would like CIPP to create an application for me.
On the next page, click on the Start Setup Wizard button.
Copy the code from the returned step to your clipboard.
Then click on the "HERE" link beside the code.
Enter the code we've copied in the previous step & click Next.
Select the option "Use another account".
Click on the "Continue" button. You may close this window when prompted.
Back in CIPP, click on the link that now appears when you see we've arrived at step number 2.
Login with the CIPP Service Account again.
Click on the Accept button. This will forward you to the page that reports the authentication status. You may close this page when instructed.
Back in CIPP, you should see it says "Setup Completed". You can now click on the "Application Settings" button.
From there, you'll want to click on the "Run Permissions Check" button. This check should show a successful result when all steps have been performed.
Hosted clients can use the backend management system to add and remove users.
Go to management.cipp.app.
Navigate to the User Management tab.
Enter the UPN for the user in the Email field. Ensure this matches the user's M365 UPN.
Assign the appropriate roles for the user.
After deployment you'll need to give each user access. To generate an invite for a user follow these steps:
Go to the Azure Portal.
Go to your CIPP Resource Group.
Select your CIPP Static Web App CIPP-SWA-XXXX.
Select Role Management (Not IAM Role Management).
Select invite user.
Enter the UPN for the user. It is important to make sure that this matches the M365 UPN.
Add the roles for the user.
Choose your Organization, Repository, and Branch (where your CIPP - code lives).
You have some extra steps you'll need to perform, such as . CIPP uses this account to help alleviate some of the manual steps by generating the invite links you'll need to accept using the GDAP Invite Wizard.
If you have already migrated to GDAP and have a valid service account that you would like to use you can jump over to , however, it's important to ensure you follow the steps for creating this account to the letter. Including the user having access to and MFA & conditional access expectations are adhered to.
Use when available or via when not available.
Reference from Microsoft for more details.
To get started, head to the Microsoft Entra Portal's user overview at
If you have already migrated to GDAP you select your GDAP groups at this stage. If you migrated using CIPP these groups start with M365 GDAP. For the latest required GDAP roles check our page.
The table below outlines the recommended roles for use in CIPP, describing what each role enables. Click on the Role Name to navigate to Microsoft's page for detailed information about each specific role.
These roles will begin to be alerted as missing when running GDAP checks. It is recommended that these be added to your and add these three roles to your .
Go to .
Self Hosted Instance: If you are planning on forking and hosting CIPP in your own Azure environment, you will want to start on the page.
Hosted Sponsor Instance: If you are planning on sponsoring the CIPP project and having us host your instance for you, you can skip most of the details here, and see a streamlined checklist on the page.
Do not attempt to log in to CIPP with the CIPP Service Account you created. Make sure you've gone through the steps of either via Azure (self-hosted) or through the Management Portal (hosted).
When you're asked to authenticate during the SAM Setup Wizard, remember to use the CIPP service account credentials. If you do not have a service account prepared you can do so now by going to the page and following the instructions there.
This is where we will enter the credentials you've created for the CIPP service account. If you have not yet done that, follow the steps on the page. Remember that this account MUST use multifactor authentication.
And that's it! Now you're ready to move on to
CIPP supports three default roles for typical day-to-day permissions: readonly, editor, and admin. When adding yourself, admin is suitable for any tenant management you need to perform outside of .
superadmin and custom roles are reserved for specific situations and should not be assigned to users by default unless you are certain of the implications. More information on native and custom roles can be found on the page.
Can create and manage all applications, service principals, app registration, enterprise apps, consent requests. Cannot manage directory roles, security groups.
Manages all aspects of users, groups, registration, and resets passwords for limited admins. Cannot manage security-related policies or other configuration objects.
Manages all aspects of Intune, including all related resources, policies, configurations, and tasks.
Manages all aspects of Exchange Online, including mailboxes, permissions, connectivity, and related settings. Limited access to related Exchange settings in Azure AD.
Can read security information and reports, and manages security-related features, including identity protection, security policies, device management, and threat management in Azure AD and Office 365.
Manages all aspects of the Defender for Cloud App Security in Azure AD, including policies, alerts, and related configurations.
Enables, disables, deletes devices in Azure AD, reads Windows 10 BitLocker keys. Does not grant permissions to manage other properties on the device.
Manages all aspects of Microsoft Teams, including telephony, messaging, meetings, teams, Microsoft 365 groups, support tickets, and service health.
Manages all aspects of SharePoint Online, Microsoft 365 groups, support tickets, service health. Scoped permissions for Microsoft Intune, SharePoint, and OneDrive resources.
Sets/resets authentication methods for all users (admin or non-admin), deletes/restores any users. Manages support tickets in Azure and Microsoft 365. Restrictions on managing per-user MFA in legacy MFA portal.
Configures authentication methods policy, MFA settings, manages Password Protection settings, creates/manages verifiable credentials, Azure support tickets. Restrictions on updating sensitive properties, deleting/restoring users, legacy MFA settings.
Manages role assignments in Azure AD, Azure AD Privileged Identity Management, creates/manages groups, manages all aspects of Privileged Identity Management, administrative units. Allows managing assignments for all Azure AD roles including Global Administrator.
Can manage domain names in cloud and on-premises.
Can read everything that a Global Administrator can but not update anything.
Can perform common billing related tasks like updating payment information.
I would like CIPP to create an application for me.
This will guide you through all the necessary steps for connecting to your tenants for the first time. Click the Start Setup Wizard button to start the process.
I would like to refresh my token or replace the user for previous token.
Select this option if you have used the incorrect account to setup the SAM wizard, need to renew tokens due to an expired password, or when you are instructed to do so by the Helpdesk.
I have an existing application and would like to manually enter or update my token.
This option is for advanced users and those following the migration manual in Migrating to a hosted instance of CIPP.
The GDAP Invite Wizard simplifies setting up GDAP relationships with your clients by assigning the correct roles and ensuring the CIPP-SAM application is correctly configured for each tenant. To get started with generating GDAP invites inside CIPP, navigate to Tenant Administration -> GDAP Management and follow the instructions below.
To get started, we click the "Add Tenant" button. The overview page shows you your current GDAP configuration.
If you have never used the GDAP wizard before, you will have the option to generate the CIPP Defaults Template. This template allows you to create the optimal role configuration for CIPP.
This option will create 12 new groups in your Azure AD if they do not exist and add the CIPP user to them. For more information on which roles will have groups created for them, you can check out the Recommended Roles page.
Choose the role template to use from the list of role templates, and choose the number of invites you'd like to generate. You can use this to generate the exact number of invites for the tenants you'd like to onboard.
After submission, you will see as many rows as invites you've requested, with two URLs in a table:
Invite Link: This URL is for the Global Administrator in your client tenant to accept the invite.
Onboarding Link: This URL is to be used by a CIPP admin to complete the onboarding process. It should not be used under a client account.
Any additional users who need access to your Microsoft CSP Tenants must be manually added to the relevant security groups. These groups start with "M365 GDAP".
Custom domain
Hosted clients can use the backend management system at management.cipp.app to add a domain
Why set up a custom domain?
The automatically generated domain uses azurewebsites.net which is often blocked by web filtering products as it's often used by spammers and phishing sites due to the ease of obtaining an azurewebsites.net subdomain.
Your bookmark stays the same if you redeploy.
Easier to communicate internally and looks better for your team.
At the moment of deployment, the application uses a generated domain name. To change this follow these instructions:
Go to CIPP's Settings menu
Click on 'Static Web app - Role Management'
Select Custom Domains. You can add your own domain name here.
For more information see Microsoft's documentation at Microsoft Docs - Set up a custom domain with free certificate in Azure Static Web Apps
How to grant users access to the CIPP App
CIPP utilizes the Secure Application model, which means that each action will be done under the user permissions of the CIPP-SAM user. To limit the access users have you can use the role management system.
For hosted clients, invites and roles can be managed by logging into the management portal here
CIPP features a role management system which utilises the Roles feature of Azure Static Web Apps. The roles available in CIPP are as follows:
readonly: Only allowed to read and list items and send push messages to users.
editor: Allowed to perform everything, except editing tenants, exclusions, and standards.
admin: Allowed to perform everything.
superadmin
You can assign these roles to users using the Role Management system of Azure Static Web Apps
After the invite link is sent to the user, they must click on it to accept the invite and gain access to the app. The invites expire after a specific amount of time. Note that this link must be sent to them manually; it is not e-mailed.
To assign a role to a user you would follow these steps:
Go to the Azure Portal.
Go to your CIPP Resource Group.
Select your CIPP Static Web App CIPP-SWA-XXXX.
Select Role Management (Not IAM Role Management).
Select invite user.
Add the roles for the user. Multiple roles can be applied to the same user.
While CIPP only supplies the above roles by default, you can create your own Custom Roles and apply them to your users with 'editor' or 'readonly' rights; admin users are unaffected by custom roles. Set up Custom Roles by following these steps:
Go to CIPP -> Advanced > Super Admin > Custom Roles.
Select a Custom Role from the list or start typing to create a new one if you do not yet have any.
Please ensure that your custom role is entirely in lowercase and does not contain spaces or special characters.
For Allowed Tenants select a subset of tenants to manage or AllTenants.
If AllTenants is selected, you can block a subset of tenants using Blocked Tenants.
Select the API permission from the listed categories and choose from None, Read or Read/Write.
To find out which API endpoints are affected by these selections, click on the Info button.
Please note that this functionality is in beta and not officially supported. Removing permissions will result in an error message on affected endpoints. The error message will note which permission is missing.
If you are a hosted client, you can add custom roles to your users from the Management App. Just start typing the role name in the select box and add it when prompted. Make sure that your users have the 'editor' or 'readonly' role selected as well.
If you set up Custom Roles by modifying staticwebapp.config.json, you should revert those changes and migrate to the new Custom Role management.
The Tenant Onboarding Wizard further simplifies the process of getting set up in CIPP by automatically connecting to any tenants found in your GDAP Relationships List to perform the background tasks necessary to manage a tenant in the system. Below is a list of the actions that are performed during Tenant Onboarding:
Verification of GDAP Invite Accepted
Confirmation that required roles are present.
Ensures groups are correctly mapped to roles.
Validates that permissions are updated via a CPV refresh
Verifies Graph API connectivity and access.
CIPP requires its Service Account user to be a member of the specific security groups with the recommended roles assigned for proper functionality within your GDAP relationship. This step is completed during the SAM Setup Wizard execution prior to tenant onboarding.
If these roles are missing or the groups haven't been applied to the CIPP user, CIPP will not be able to access the tenant, resulting in errors such as: invalid_grant:AADSTS65001: The user or administrator has not consented to use the application.
or
Send an interactive authorization request for this user and resource
Navigate to Tenant Administration -> Administration -> Tenant Onboarding and click Start Tenant Onboarding to initiate the wizard.
Choose the GDAP relationship(s) to onboard.
Filter and select from the list of active relationships.
Toggle on Exclude this tenant from top-level standards if needed. This means that only the standards you explicitly set for this tenant will be applied.
Toggle on Map missing groups to GDAP Roles.
Toggle on Add CIPP SAM user to missing groups if any required GDAP groups are missing.
Click Next and wait for the wizard to complete the onboarding steps.
Review the onboarding status and logs to ensure successful completion of each step.
To automate this process even further, enable Partner Webhooks in Application Settings and newly invited tenants will automatically onboard once accepted.
After adding a relationship, you can perform a CPV refresh via the following instructions. This also runs automatically each night.
Navigate to CIPP -> Application Settings
Click on the Tenants tab
Click on the blue refresh button next to the tenant. This will process all required permissions to that tenant.
Tenants are cached for 24 hours within CIPP. To see a newly added Microsoft Tenant you can use the Settings -> Clear Tenant Cache button to clear the cache.
I want to manage my own tenant
If you want to manage your own tenant or if you are not a Microsoft Partner but still want to use CIPP you can perform the setup and enable access to the partner tenant or enable Single Tenant Mode. The CIPP Service Account should be granted at least the Recommended Roles within the tenant being managed.
To manage the tenant mode, a user with the CIPP "admin" and "superadmin" roles will need to access the Tenant Mode page of the Super Admin settings.
Multi Tenant - GDAP mode: This is the default mode in CIPP; it does not allow access to the partner tenant.
Multi Tenant - Add Partner Tenant: This mode allows access to the partner tenant and customers via GDAP. See the limitations below for more details.
Single Tenant - Own Tenant Mode: This mode is for managing your own tenant and/or for those who are not a Microsoft Partner. See the limitations below for more details.
When using Single Tenant Mode, CIPP runs in a somewhat more limited state: you are not able to add any other tenant to CIPP, and it only works for the configured tenant. GDAP permissions will not apply, and you must directly assign roles such as Global Admin to the service account.
When using Partner Tenant Enabled mode you can see your partner tenant inside of CIPP. No permissions are applied to restrict who can see and control this tenant.
It is highly recommended to use a custom role if multiple users have access to your CIPP instances. This can help ensure not all users have access to manage your partner tenant. If you do not, it's important to note that all your users will have access to edit/configure your partner tenant. Information on custom roles can be found here.
GDAP permissions will not apply and you must directly assign roles to the service account in the Entra portal (e.g. User Administrator, Exchange Administrator, etc.).
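The custom role rules and the partner tenant warning above can be checked together before a tenant mode change. The following is an added example, not CIPP's own code: the dictionary layout, tenant names, user names and permission category names are constructed for illustration, and treating a user as able to reach the partner tenant when any one of their custom roles reaches it is a conservative assumption.

```python
import re

BASE_ROLES = {"readonly", "editor", "admin", "superadmin"}
PERMISSION_LEVELS = {"None", "Read", "Read/Write"}
# "Entirely in lowercase, no spaces or special characters"; allowing digits is an assumption.
ROLE_NAME = re.compile(r"[a-z0-9]+")


def lint_custom_role(name, role):
    """Return the problems found in one custom role definition."""
    problems = []
    if not ROLE_NAME.fullmatch(name):
        problems.append("name must be lowercase without spaces or special characters")
    allowed = role.get("allowed_tenants", [])
    if not allowed:
        problems.append("no Allowed Tenants selected")
    if role.get("blocked_tenants") and "AllTenants" not in allowed:
        problems.append("Blocked Tenants only applies when AllTenants is allowed")
    for category, level in role.get("permissions", {}).items():
        if level not in PERMISSION_LEVELS:
            problems.append(f"{category}: unknown permission level {level!r}")
    return problems


def role_reaches(role, tenant):
    """True if the role's Allowed/Blocked Tenants selection includes the tenant."""
    allowed = role.get("allowed_tenants", [])
    if "AllTenants" in allowed:
        return tenant not in role.get("blocked_tenants", [])
    return tenant in allowed


def audit_users(users, custom_roles, partner_tenant):
    """Map each user to a list of notes about their role assignment."""
    findings = {}
    for user, assigned in users.items():
        roles = set(assigned)
        custom = sorted(roles - BASE_ROLES)
        notes = [f"unknown custom role {r!r}" for r in custom if r not in custom_roles]
        if "superadmin" in roles and "admin" not in roles:
            notes.append("superadmin must be combined with admin")
        if "admin" in roles:
            # Admin users are unaffected by custom roles.
            if custom:
                notes.append("custom roles do not restrict admin users")
            notes.append("partner tenant reachable")
        elif not roles & {"editor", "readonly"}:
            if custom:
                notes.append("custom role needs editor or readonly as well")
        else:
            defined = [custom_roles[r] for r in custom if r in custom_roles]
            # No custom role at all means nothing scopes the user away from the partner tenant.
            if not defined or any(role_reaches(r, partner_tenant) for r in defined):
                notes.append("partner tenant reachable")
        findings[user] = notes
    return findings


# Constructed sample data (not exported from a real CIPP instance).
PARTNER = "partner.example"
CUSTOM_ROLES = {
    "helpdesk": {"allowed_tenants": ["AllTenants"], "blocked_tenants": [PARTNER],
                 "permissions": {"Identity": "Read/Write", "Exchange": "Read"}},
    "Tier 2": {"allowed_tenants": ["clienta.example"], "blocked_tenants": [PARTNER],
               "permissions": {"Identity": "Write"}},
    "projects": {"allowed_tenants": ["AllTenants"], "blocked_tenants": [],
                 "permissions": {"Identity": "Read"}},
}
USERS = {
    "alice@msp.example": ["admin", "superadmin"],
    "bob@msp.example": ["editor", "helpdesk"],
    "carol@msp.example": ["editor"],
    "dave@msp.example": ["projects"],
    "erin@msp.example": ["readonly", "projects"],
    "frank@msp.example": ["superadmin"],
}

if __name__ == "__main__":
    for name, role in CUSTOM_ROLES.items():
        print(name, lint_custom_role(name, role))
    for user, notes in audit_users(USERS, CUSTOM_ROLES, PARTNER).items():
        print(user, notes)
```

In the sample, only the user whose custom role blocks the partner tenant comes back with no notes; every other non-admin user is either unscoped or missing a base role.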
Add the role 'superadmin' to your admin user as an additional role. This role will allow you access to the menu to change this setting.
Go to the Application Settings menu
Go to the SuperAdmin tab
Select one of the three modes. The default mode is "Multi Tenant - GDAP Mode"
Clear the tenant cache. Users of CIPP now have access to the CSP Partner tenant, or to the single tenant it's been configured for.
This guide will walk you through the process of setting up standards in CIPP. Follow these instructions to configure and run standards for your organization.
This guide walks you through setting up Standards in CIPP for the first time. It focuses on applying and managing standards to maintain security and compliance across your organization.
Navigate to Tenant Administration > Standards.
Click Edit Standards to manage or add new standards.
Example: Add an "All Tenants" standard to apply settings across all tenants.
Each standard offers three options:
Report: Logs the current configuration in a Best Practices Report.
Alert: Sends notifications (via ticket, email, or webhook).
Remediate: Automatically applies the desired configuration.
Note: Turning off Remediate prevents future fixes but doesn’t undo changes already applied.
Each standard includes:
A description of what it does.
An impact label (Low, Medium, High) to indicate user impact.
Review these details to ensure changes align with your needs.
Some standards require settings, like custom text fields or dropdown selections.
Enter the required values to customize the standard.
Standards are grouped by categories, like security, compliance, or usability.
Use templates for consistent configurations across clients.
Examples include templates for Intune, Exchange, and Conditional Access
Templates reapply every 3 hours, maintaining the desired state.
If changes are made by admins, they are automatically reverted to match the template.
Update a template once, and all linked tenants will receive the changes.
Use the Run Now option at the top of the Standards page.
Apply standards immediately to:
A specific tenant.
All tenants in one go.
Exclude specific tenants from All Tenants standards to:
Prevent global standards from applying.
Allow custom standards for that tenant only.
Standards automatically reapply settings every 3 hours for consistency.
Categories and templates simplify management across multiple tenants.
Customization and manual runs give you flexibility to meet tenant-specific needs.
By following these steps, you’ll ensure your M365 tenants remain secure, consistent, and compliant with minimal manual effort.
A role that is only allowed to access the settings menu for specific high-privilege settings, such as setting up the settings. This role must be combined with 'admin'
For more information on Standards, what they are, and where to find the available ones, check out the section of the user documentation
There are , with more added regularly.
First things to check out after setting up CIPP.
Welcome to the post-setup implementation guide for CIPP! In this guide, you will learn how to navigate and configure various settings within the CIPP application. Let's discover some of the key features of CIPP and see how to use them.
Using the Tenant Selector at the top you can switch tenants at any time. This allows you to dynamically choose what you're working on. You can also use the Tenant Selector to select "All Tenants" which allows you to see all your tenants in one swoop.
Let's set up some personal things first. The user settings section has your personal preferences and profile information. Let's start by setting up CIPP the way you like it.
The Default Usage Location is used each time you create a new user. Set this up here to prevent having to enter it each time you create a new M365 user.
Go to the Appearance section and select the desired theme, page size, and report image.
You can set page table sizes to whatever number you want. The default is 25.
By clicking save settings, you save this profile for you, no matter what computer you move to.
By clicking Save for all users, you save this profile for all the users of the app. This becomes their default.
Let's go check out some of the application settings next.
We have two styles of passwords we can generate when creating a new user or resetting a password: the classic password with capitalization, numbers, and symbols, or the modern passphrase-style password. A passphrase is more readable and often stronger than a password of randomly generated characters.
Let's select the "Correct-Battery-Horse" option, which generates passphrases.
You can choose the DNS resolver CIPP uses. By default the resolver is Google.
CIPP can help you figure out why you can't access a tenant by executing an access check. These checks can help you detect issues with GDAP, access rights, or general M365 issues.
Talking about tenants, let's go check out our internal tenant list. In this section we see all our tenants.
Using the highlighted button we can exclude a tenant from CIPP. This means the tenant will not be connected to CIPP, and we will not be able to make any changes to this tenant.
Navigate to the Notifications section.
CIPP can send many types of notifications, in this screen we can do some of the basic setup of these notifications to filter them, or select where they need to go.
Let's see how CIPP works in action. We'll navigate to the Administration section to start managing users.
Navigate to the Users section.
Most pages in CIPP work by showing you a table layout. The table allows you to filter data, export it, or execute actions. Let's try executing some bulk actions.
Setting the checkbox means we are going to take a bulk action on that specific row in our table.
You'll find all available actions in the "Actions" dropdown. Each page has different actions.
Let's look at some more of the options we have. Most tables in CIPP have a three-dot action menu, next to bulk actions. This three dot menu gives you a flyout with options and information about that specific row.
For users, we have a lot of actions we can take. We could reset passwords or even add them to groups. Let's not bother our users and check out some other parts of CIPP for now.
Navigate to the Tools section.
Select the "Graph Explorer" option.
CIPP has the option to report on anything inside of the Graph API, even when there is not a direct page created for it. You can use the Graph Explorer option to craft your own report. Let's try using the All User with Email Addresses report.
Execute the query by clicking "Query".
The report allows you to check this data as raw as it comes back from the API. You can also create an export using the PDF or CSV buttons.
Let's go check out the standards next by clicking on "Edit Standards"
Standards allow you to create a baseline for a tenant. This means you can easily deploy your wanted settings to any tenant. If you want to see more about standards, check out the documentation about the standards on the Standards page.
Let's go check out some reporting. Click on Best Practice Analyzer next.
The BPA gives you the ability to zoom in on your tenants and their current state. You can use custom reports, or use the included examples to tell your clients what actions they need to take to become more secure.
Talking about best practices. You want to be notified when something goes wrong, so let's look at some of the alert options.
The classic alerts are alerts that run on a schedule and check by executing a script against the tenant. We also have the option to receive alerts from Microsoft directly. Let's go check that out.
Select the option for the specific action you want to perform, such as creating a new Inbox rule or editing an existing one. There is a list of default options, and none of these require a specific M365 subscription. This means you can alert on logons from strange locations, VPN or anonymized IPs without needing to buy P1 subscriptions for all your clients.
Let's try managing our tenants next. Click on Administration and then Tenants.
The tenant overview shows you your tenant names, default domains, and direct links to each of the portals. You can use these links to directly manage that tenant using GDAP.
We can also take actions on the tenants. Let's try using the three dot icon to do so.
You'll find some more information about the tenant in this flyout, and you can edit a tenant. This allows you to change the tenant display name or defaultDomainName inside of your partner environment. Changes made there only reflect your partner side, and not the client's actual environment.
There are so many more features, but now that you've understood the basics you can find more of the features yourself. We hope you enjoyed the walkthrough of the basic settings. You're now ready to deep dive into the platform.
The tenant selector at the top of CIPP allows you to control the currently managed tenant. Any change to the tenant selector will reload the currently shown data for the selected tenant.
The Tenant Selector has a building button to see the current tenant details. Clicking on this button allows you to view the following info directly from any page:
Display Name: The display name of the tenant
Business Phones: What phone number has been set on the tenant
Technical Emails: Technical email contact
Tenant Type: What type of tenant it is
Created: Created time and date
AD Connect Enabled: If AD Connect is enabled
AD Connect Sync: If syncing is enabled
AD Password Sync: If passwords are synced
You can also use this page to jump to the most common portals or actions
Actions
M365 Portal
Exchange Portal
Entra Portal
Teams Portal
Azure Portal
Intune Portal
Security Portal
Sharepoint Admin
Clicking this icon will display pages that you have added to your bookmarks.
To add new bookmarks, hover your mouse over the page's entry in the side menu. You will see the same icon. Clicking the icon will shade in the icon and add the page to your bookmarks.
The User Preferences page provides a tailored interface for users to manage and configure their individual settings related to general preferences, appearance, and offboarding defaults. This document outlines the functionalities available on the User Settings page.
In this section, users can manage general settings related to their account and workspace:
Added Attributes when creating a new user: Users can select additional user object attributes that are available when creating a new user.
Default new user usage location: This setting allows users to specify the default user location when creating or editing a user.
Default Page Size: Set the default page size for tables across CIPP.
Menu Favourites: Set pages that will display in your favourites section.
This section lets you set offboarding defaults, so that your predefined offboarding preferences are preselected.
Save Settings: Save the modified settings for the individual user.
Save for All Users: If the user has admin privileges, they have the option to save the modified settings for all users within the tenant. This will overwrite all personal settings and be forced on each full refresh of a page.
Enable TanStack Query Tools
We value your feedback and ideas. Please raise any feature requests on GitHub.
Use of the magnifying glass in the menu bar will pop open a search modal. You can use this feature to quickly locate a page within CIPP without having to navigate the sidebar menu.
Hitting "Ctrl + k" for Windows users or "Cmd + k" for Mac users will open the search modal for quick access.
The CIPP speed dial contains easy access to quick links for help with CIPP. The speed dial is located in the lower right corner of your browser window:
Check the Documentation: Opens docs.cipp.app for the page you are currently reviewing.
Join the Discord!: Opens a new tab to join the CyberDrain Discord server.
Request Feature: Opens a new tab to the GitHub feature request form. Note: Submissions by non-sponsors will auto close.
Report Bug: Opens a new tab to the GitHub bug report form.
License: Opens the page for the GNU Affero General Public License terms for CIPP.
About the Dashboard which includes versions and quick links
The Home page provides a comprehensive overview of the current tenant's details and allows you to perform various actions related to the tenant and its resources.
The Home page includes the following sections:
Universal Search: This is a universal search bar that allows you to quickly find the information you need using Lighthouse. To utilize this search, you must have onboarded Lighthouse on your partner tenant.
Portals: Contains links to various Microsoft 365 administration centers.
Current Tenant: Displays various details about the current tenant:
Tenant Name
Tenant ID
Default Domain
AD Sync Enabled
Users: Total, Licensed, Guests and Global Admins. Note: The chart names are clickable.
Standards set: Shows the applied Remediation, Alert and Report standards set.
SharePoint Quota
Domain Names
Partner Relationships
Tenant Capabilities
This page will allow you to add a guest user. Enter the user's "Display Name", "E-mail Address", and an optional "Redirect URL". Toggle the "Send invite via e-mail" option on if you'd like the guest user to receive a Microsoft-generated invite e-mail.
Welcome to your hosted instance of CIPP!
Interact with Microsoft 365 users.
The main table provides an overview of information including display name, email address, licensing, enabled/disabled status, and if the account is AD synchronized. Behind the ellipsis menu user creation date, last sync date, and user GUID are also available.
Note that clicking one of these actions will present a confirmation modal dialog.
The Add User form can be pre-filled via URL query strings. This table shows all supported query strings. For example, https://yourcipp.app/identity/administration/users/add?customerId=Mydomain.onmicrosoft.com&city=Rotterdam would automatically fill in the city for a user.
If you want to create your own LiveLink you can use the QueryString below.
The Add User page provides an interface for creating new user accounts in your tenant.
This page will allow you to set all of the necessary properties to create a single new user. You can start with a blank slate or select to copy properties from another user in the top dropdown to speed up account creation.
Navigate to: Identity Management > Administration > Users
Click Add User
Choose your starting point:
Start with blank form
Use "Copy properties from another user" dropdown to pre-fill fields
When using the Copy properties from another user dropdown, the specific fields that get copied are: givenName, surname, jobTitle, department, streetAddress, postalCode, companyName, mobilePhone, businessPhones, usageLocation
User Identity: First Name, Last Name, Display Name, Username (before the @ symbol), Primary Domain name (select from dropdown)
Email Aliases: Add multiple email aliases one per line without domain (added automatically)
Password Options
Create password manually (toggle)
When enabled: Enter custom password
When disabled: System generates secure password
Require password change at next logon (toggle)
Location Settings
Usage Location (required for licensing)
Select country from dropdown
License Assignment: Allows you to select license(s) to assign & shows available license count
SherWeb Integration (if enabled): Auto-purchase option appears when licenses unavailable, allows you to select license SKU for purchase for system to handle for you along with onboarding.
Professional Details: Job Title, Department, Company Name
Contact Details: Street Address, Postal Code, Mobile Phone, Business Phone, Alternate Email Address
Management: Set Manager (select from existing users), Copy groups from another user
Custom Attributes
Custom attributes can be configured in Preferences > General Settings
These include specific Azure AD attributes that will be available when creating new users:
Available Attributes: consentProvidedForMinor, employeeId, employeeHireDate, employeeLeaveDateTime, employeeType, faxNumber, legalAgeGroupClassification, officeLocation, otherMails, showInAddressList, state
Configuration:
Go to Preferences page under your user profile.
Under General Settings
Find Added Attributes when creating a new user
Select desired attributes from dropdown
Selected attributes will appear on Add User form
Notes about Custom Attributes:
Attributes selected will appear as additional fields on the Add User form
Each attribute has its own text field
Values are saved with the user's profile in Azure AD
Must be configured before they appear on the form.
Attributes are standard Azure AD attributes
Values persist in Azure AD and can be queried/updated later
Not all attributes may be relevant for every user
Changes to Preferences affect all new user creation forms
License assignment requires valid usage location
Password complexity rules apply to manual passwords
Group copying includes all accessible groups
Scheduled creation can be monitored in tasks
If you need assistance with or aren't comfortable navigating these requirements alone, take a look at our page, which offers a paid option for those who need a bit more hands on guidance with GDAP & CIPP deployment.
Subscription Activation: Start by signing up for the $99 subscription using your GitHub account on the page.
Welcome Email: Upon subscription, you will receive an email with detailed instructions to kickstart your deployment. This email will guide you to the for deployment steps.
Configure CIPP Deployment: Login to your using the GitHub credentials you used to initiate the sponsorship. This is where you can kickoff your deployment, add custom domain names, and begin inviting users into CIPP.
Service Account Creation: Follow the instructions carefully on the page to ensure there are no permission issues when connecting your tenants within CIPP in the subsequent steps.
Add Yourself to CIPP: On the page in your management portal, ensure you've invited your work account as an admin into your newly deployed instance to avoid 403 Forbidden errors during login. Further guidance can be found on the page.
Execute SAM Wizard: Follow the instructions on the page once logged into your CIPP instance using your newly invited account, NOT the service account. The service account is only used during specific configuration steps within the SAM Setup Wizard.
Onboard Existing Relationships: If your GDAP relationships with clients are already configured and you do not need to create new invites, proceed to to start managing your clients immediately.
Establish New Relationships: If you need to establish new GDAP relationships for new clients, use the to generate invites. Once you have completed the invite process, continue the onboarding process and follow up by
If you are unsure about whether your clients' environments are GDAP ready, or need more information about the process, continue to the page for more granular details & next steps.
User management. Equal to and extending .
Create a temporary access password for a user to enroll in .
Both passwordless authentication and the temporary access password function must be enabled on the tenant. See
When is enabled and a license shows "(0 available)", you'll see an alert stating: "This will Purchase a new Sherweb License for the user, according to the terms and conditions with Sherweb. When the license becomes available, CIPP will assign the license to this user."
👁 View User
Displays comprehensive user account details in the admin interface
- Read access to user objects
- Shows all available user information
- Display advanced user account details. [More information]
✏️ Edit User
Modifies user account details and settings: basic information, license assignments, group memberships, contact details
- Write access to user objects
- Can copy group memberships from another user
- Changes apply immediately
Delete User
Permanently removes user account
- Administrative privileges required
- Irreversible action
- Consider backup/archival first
Research Compromised Account
Analyzes Indicators of Compromise (IoC): sign-in patterns, mail rules, suspicious activities
- Security admin rights
- Provides comprehensive security review
- Single pane of glass review of common indicators of compromise (IoC) [More information]
Create Temporary Access Password
Creates temporary password for passwordless enrollment
- Time-limited access
- Create a temporary password to allow full passwordless enrollment. [More information]
Re-require MFA registration
Forces new MFA setup by resetting MFA status to Enabled and requiring new registration
- User must complete new MFA setup
- Affects all MFA methods
- Authentication Methods must be migrated from legacy
- You will need Security Defaults or a CA policy and registration campaign to force registration again
Send MFA Push
Sends test MFA prompt to user's devices
- Verifies MFA configuration
- Tests user's registered devices
Set Per-User MFA
Configures MFA state: Enforced, Enabled, Disabled
- Overrides tenant-level settings
- Immediate effect on sign-ins
Block Sign In
Prevents account access
- Immediate effect
- Doesn't affect existing sessions
Unblock Sign In
Restores account access
- Immediate effect
- User can sign in again
Revoke all user sessions
Forces re-authentication on all devices
- Terminates all active sessions
- Requires new sign-in everywhere
Reset Password (Must Change)
Sets random password and forces change
- User must create new password at next login
- Example format: 2WcAu%VMy89P
Reset Password
Sets new random password
- Password immediately active
- No change requirement
Convert to Shared Mailbox
Transforms user mailbox to shared type
- Requires Exchange Online license
- Maintains data and access
Enable Online Archive
Activates archival mailbox
- Requires appropriate license
- Additional storage space
Set Out of Office
Configures automatic replies
- Single message for internal/external
- No HTML formatting
Note: Setting a different internal and external autoreply is currently not supported
Disable Out of Office
Removes automatic replies
- Immediate effect
- Clears all auto-reply settings
Disable Email Forwarding
Removes all email forwarding rules
- Clears ForwardingAddress
- Clears ForwardingSMTPAddress
Pre-provision OneDrive
Initializes OneDrive storage
- No user login required
- Speeds up first access
Add OneDrive Shortcut
Creates SharePoint site shortcut
- Adds to OneDrive root
- Requires existing OneDrive
Add to Group
Assigns user to specified group(s)
- Immediate membership
- Inherits group permissions
Clear Immutable ID
Breaks on-premises AD sync
- Sets onPremisesImmutableId to null
- Stops directory synchronization
More info
Opens Extended Info panel showing common profile fields and additional actions
- Quick access to key information
- Alternative action access point
customerId
Client Tenant ID (only required field)
businessPhones
Business Phone Number
city
User City Location
companyName
Company Name
country
Country
department
Department
displayName
Display Name
givenName
First Name
jobTitle
Job Title
mailNickname
Username before the email address part (User<@domain.com>)
mobilePhone
Mobile Phone Number
addedAliasses
Added aliases; multiple allowed, separated by a line break (%0A)
postalCode
Zip or post code
streetAddress
Address information
surname
Last Name
usageLocation
User location for license, can be left blank for default.
primDomain
User Primary Domain (User<@domain.com>)
MustChangePass
Boolean, default is false.
Send MFA Push
Sends a push notification to the user's Microsoft Authenticator (if set up). This is useful to confirm you are speaking with the user.
Convert to User Mailbox
If this is a shared mailbox, then this will allow you to convert the mailbox to a user mailbox. This will be grayed out if the mailbox is already a user mailbox.
Convert to Shared Mailbox
If this is a user mailbox, then this will allow you to convert the mailbox to a shared mailbox. This will be grayed out if the mailbox is already a shared mailbox.
Convert to Room Mailbox
If this is a user or shared mailbox, then this will allow you to convert the mailbox to a room mailbox. This will then make the user object available as a Room. This will be grayed out if the mailbox is already a room mailbox.
Enable Online Archive
Enable Auto-Expanding Archive
If the online archive has been enabled, this will allow you to enable the auto-expanding archive
Hide from Global Address List
If the mailbox is visible in the Global Address List, this option will allow you to hide the mailbox.
Unhide from Global Address List
If the mailbox has been hidden from the Global Address list, this option will allow you to unhide the mailbox.
Start Managed Folder Assistant
Delete Mailbox
Copy Sent Items to Shared Mailbox
If this mailbox is a shared mailbox, this will set the attribute to copy sent items to the shared mailbox.
Disable Copy Sent Items to Shared Mailbox
If the mailbox is a shared mailbox, this will set the attribute to disable copy items to the shared mailbox.
Set mailbox locale
Opens a modal to set the locale of the mailbox, e.g. en-US or da-DK
Set Send Quota
Set Send and Receive Quota
Set Quota Warning Level
Mailbox Type
Displays the type of mailbox assigned to this user. "UserMailbox" or "SharedMailbox"
Mailbox Usage
Shows percentage of mailbox quota used.
Hidden From Address Lists
A Boolean value indicating if this user has been hidden from the Global Address List.
Forward and Deliver
A Boolean value indicating if this user's mailbox has been set to forward email to another user.
Forwarding Address
If set, the e-mail address of the person email is forwarded to.
Archive Mailbox Enabled
A Boolean value indicating if the archive mailbox has been enabled.
Auto Expanding Archive
A Boolean value indicating if the archive mailbox has been set to auto expand.
Total Archive Item Size
The value, in GB, of the size of the archive.
Total Archive Item Count
The value, in total number of items, of the size of the archive.
Litigation Hold
A Boolean value indicating if the account has been placed in litigation hold.
Mailbox Protocols
A listing of the protocols this mailbox has enabled.
Blocked For Spam
A Boolean value indicating if this account has been blocked by Microsoft due to spam activity.
Current Mailbox permissions
Displays information regarding any mailbox permissions that have been granted to other users for this user's mailbox.
Current Calendar permissions
Displays information regarding any calendar permissions that have been granted to other users for this user's mailbox.
Current Mailbox Rules
Displays any currently configured mailbox rules.
Mailbox Permissions
A widget that allows for updating mailbox permissions other users can be granted to this user's mailbox.
Calendar Permissions
A widget that allows for updating calendar permissions other users can be granted to this user's mailbox.
Mailbox Forwarding
A widget that allows for updating mail forwarding options for this user's mailbox.
Out of Office
A widget that allows you to edit the out of office settings for this user's mailbox.
The table below outlines the keyboard shortcuts that have been enabled in CIPP.
Open Search
Ctrl + k
Cmd + k
This page lists the tenant's risky users. Here, you can review the information associated with the risk detection.
Dismiss Risk - This action will mark the risk as dismissed.
More Info - Displays the Extended Info flyout.
We value your feedback and ideas. Please raise any feature requests on GitHub.
The View User page provides a comprehensive overview of user details and settings. It serves as the main landing page when viewing a user, with additional tabs available for more specific operations, such as Edit User, Compromise Remediation, etc.
Primary display of user information including a quick link to view the user in Entra
Additional tabs at top for extended functionality (Edit, Compromise Remediation, etc.)
Inherits Actions dropdown from list users page
The actions dropdown carries forward the same actions from the list users page.
User Photo
Displays user's Entra ID photo; shows initials if no photo is uploaded
Display Name
User's full display name as shown in the directory
User Principal Name
Primary username/login identity for the user
Account Enabled
Boolean indicator showing if user can sign in (✓/✗)
Synced from Active Directory
Boolean indicator showing if account is AD-synced (✓/✗)
Licenses
List of currently assigned M365/Azure licenses
Email Address
Primary and alternative email addresses
Business Phone
Primary business contact number
Mobile Phone
User's mobile contact number
Job Title
User's current position/role
Department
Organizational department
Office Location
Physical office location
Address
Street address details
Postal Code
ZIP/Postal code
Last Logon
Most recent sign-in information • Expandable for additional details (click arrow)
Applied Conditional Access Policies
Active security policies • Expandable for policy details (click arrow)
Multi-Factor Authentication Devices
Registered MFA devices • Expandable for device details (click arrow)
Group Memberships
Admin Roles
Table of assigned administrative roles
Information is read-only in this view
Use Edit tab to modify information
Expandable sections (▼) provide additional details
Direct links to related management pages
Real-time data from Entra ID/Azure AD
This view serves as the central hub for user information, providing quick access to both basic details and advanced management options through the tabbed interface.
This wizard will allow you to bulk create new users.
This page displays options for editing the user's properties, license assignment, password reset, and group memberships.
Navigate to: Identity Management > Administration > Users
Select a user > Click Edit User in the Actions menu
You will be landed on the "Edit User" tab.
Header Information on this page displays the user's Display Name, their User Principal Name (with copy option), their User ID (with copy option), the Account Creation Date, and a button to launch Entra to view the user.
User Identity: First Name, Last Name, Display Name, Username (before the @ symbol), Primary Domain name (select from dropdown)
Email Aliases: Add multiple email aliases one per line without domain (added automatically)
Professional Details: Job Title, Department, Company Name
Contact Details: Street Address, Postal Code, Mobile Phone, Business Phone, Alternate Email Address
Management: Set Manager (select from existing users), Copy groups from another user
Password Options
Create password manually (toggle)
When enabled: Enter custom password
When disabled: System generates secure password
Require password change at next logon (toggle)
Location Settings
Usage Location (required for licensing)
Select country from dropdown
Current Licenses
Shows currently assigned licenses
Drop down box allows you to multi-select the licenses you want the user to have after editing
Option to remove all licenses (toggle)
SherWeb Integration (if enabled)
Auto-purchase option appears when licenses unavailable
Select license SKU for purchase
System handles purchase and assignment
Copy groups from user
Allows you to select another Entra ID user to copy groups from
Add to Groups
Multi-select dropdown that will allow you to add the user to groups
Custom attributes can be configured in Preferences > General Settings
These include specific Azure AD attributes that will be available when creating new users:
Available Attributes: consentProvidedForMinor, employeeId, employeeHireDate, employeeLeaveDateTime, employeeType, faxNumber, legalAgeGroupClassification, officeLocation, otherMails, showInAddressList, state
Configuration:
Go to Preferences page under your user profile.
Under General Settings
Find Added Attributes when creating a new user
Select desired attributes from dropdown
Selected attributes will appear on Add User form
Changes take effect immediately upon saving
License changes require valid usage location
Password resets follow complexity requirements
Group membership changes are processed in order (removals then additions)
On-premises synced accounts show warning about limited editability
This page displays the following information:
Members - This table will display the current membership of the group for your review while making changes.
Add - You can use each of these drop downs to add one or more Members, Owners, or Contacts.
Remove - You can use each of these drop downs to remove one or more Members, Owners, or Contacts.
Let people outside the organization email the group - If selected, it allows external senders to send emails to the group.
Send Copies of team emails and events to team members inboxes - If selected, it enables sending copies of team emails and events to the inboxes of team members.
On this page you will enter all of the necessary information to create a group.
Dynamic Group Parameters: For Dynamic Groups, a text box for entering the dynamic group parameters syntax becomes available, e.g.: (user.userPrincipalName -notContains "#EXT#@") -and (user.userType -ne "Guest")
Interact with Microsoft 365 groups.
This page presents each group in a structured table, including the following columns. You can select which columns are visible.
These actions and information are available in the fly-out menu when you click the ellipsis button in the "Actions" column:
Single pane of glass review of common Indicators of Compromise (IoC)
Upon page load, CIPP will run an analysis on the user to identify common Indicators of Compromise (IoC). Once that analysis is returned, review the information presented and determine if the user has been compromised. The analysis performs the checks listed in the table below. A green check will indicate that information was found for the check and needs review.
Note: This page is intended to surface information that should be reviewed when a compromise is suspected. The existence of information in one of the indicators should not be interpreted as an absolute sign of compromise but rather as a useful tool to help quickly surface the basic information that should be reviewed during your investigation.
The Group Templates page allows administrators to define templates for creating groups. These templates can speed up the process of creating new groups by pre-defining certain group parameters. Once a template is created, it can be reused multiple times to create new groups with similar settings.
*Additional Fields for Specific Group Types
For some types of groups, additional fields become available when that type is selected:
Allow External: For Distribution Lists, a checkbox labeled "Let people outside the organization email the group" becomes available.
Dynamic Group Parameters: For Dynamic Groups, a text box for entering the dynamic group parameters syntax becomes available, e.g.: (user.userPrincipalName -notContains "#EXT#@") -and (user.userType -ne "Guest")
Explore and review members for M365 roles
The Roles page provides a comprehensive list of all Microsoft 365 roles such as Billing Administrator, Global Administrator, etc. It offers the ability to view members associated with each role. This capability promotes efficiency and transparency in managing role assignments.
The Roles page presents each role in a structured table, including the following details:
While navigating the Roles page, please consider the following:
Tenant Selection: This page does not yet support the "All Tenants" overview. Please use the tenant selector to view roles specific to a selected tenant.
Scope of Roles: This page displays Microsoft 365 admin roles only. Exchange, Azure IAM, and Purview rights are outside the scope of this area.
Streamline group creation across multiple tenants in Microsoft 365
The Deploy Group Templates page provides an interface for creating and deploying group templates in Microsoft 365. This feature offers an easy and efficient way to manage group creation, allowing users to select from a list of pre-defined templates and apply them across chosen tenants.
This document provides a step-by-step guide on how to navigate and utilize the Deploy Group Templates page.
In this step, you can choose to apply one of the previously created templates or manually enter the group information. If you opt for a template, select it from the dropdown menu. The page will automatically populate the rest of the fields based on the chosen template.
However, you have the flexibility to adjust the options as needed:
Group Type: Select the type of group. Options include Dynamic Group, Security Group, Distribution Group, Azure Role Group, and Mail Enabled Security Group.
Group Display Name: Enter the name that will be displayed for the group.
Group Description: Provide a brief description of the group. This field is optional.
Group Username: Specify the username for the group.
Let people outside the organization email the group: Check this box if you want the group to be able to receive emails from outside the organization. This option is available only for Distribution Groups.
Membership Rule: If you chose Dynamic Group as the group type, you can specify the rule for membership here.
Remember, the options presented depend on the Group Type selected. For instance, the "Membership Rule" field only appears if you select "Dynamic Group" as the Group Type.
This page will allow you to create a group template for ease of deployment to your clients' tenants. Enter the group's "Display Name", "Description", and "Username" before selecting the radial for the group type you'd like to set.
Dynamic Group Parameters: For Dynamic Groups, a text box for entering the dynamic group parameters syntax becomes available, e.g.: (user.userPrincipalName -notContains "#EXT#@") -and (user.userType -ne "Guest")
Table of all group associations • Includes per-row actions • Direct link to page for the associated group to manage membership.
The Groups page is equivalent to . It offers an overview of all groups within the organization and allows users to manage group details and memberships.
For more details on these settings, please refer to the .
Display Name
Set the display name that you want visible for this group
Description
Set the description for the group
Username
Set the group's username. This will be used in setting the mail nickname, e-mail address, etc.
Primary Domain Name
Select the domain from the dropdown that you wish to set as the primary domain name for the group
Owners
Select one or more owners of the group from the dropdown
Members
Select one or more members of the group from the dropdown
Azure Role Group
None
Security Group
None
Microsoft 365 Group
None
Dynamic Group
Dynamic Group Parameters (see below)
Dynamic Distribution Group
Dynamic Group Parameters (see below)
Distribution List
Let people outside the organization email the group - Allows the group to receive messages from both inside and outside the organization.
Mail Enabled Security Group
None
ID
The GUID of the group
Created Date Time
The relative time since group creation
Display Name
The name that displays for the group
Mail Enabled
A Boolean field for if the group is mail enabled
Mail Nickname
Resource Provisioning Options
Security Enabled
A Boolean field for if the group is security enabled
Organization Id
The GUID for the organization
Group Types
Members
Clicking the result in this column will pop open a modal that contains a table with the members of the group
Prim Domain
Members Csv
The membership of the group in a comma separated list
Teams Enabled
A Boolean field for if the group has had Teams enabled
Calculated Group Type
This will display the type of group based on the properties returned by Graph
Dynamic Group Bool
A Boolean field for if the group is dynamic
Description
The e-mail address for the group, if any
Visibility
Will display "Private" if the group is set to private
Edit Group
Allows navigation to the 'Edit Group' page.
Hide from Global Address List
Hides the group from the Global Address List.
Unhide from Global Address List
Makes the group visible in the Global Address List.
Only allow messages from people inside the organization
Restricts the group to only receive messages from people inside the organization.
Allow messages from people inside and outside the organization
Allows the group to receive messages from both inside and outside the organization.
Delete Group
Deletes the group using the ExecGroupsDelete endpoint listed below.
More Info
Displays extended information about the group, such as the creation date and unique ID.
Mailbox Rules
This will present any mailbox rules found for the client.
Recently added users
This will display any newly created users in the tenant.
New Applications
This will display any newly registered enterprise applications.
Mailbox permission changes
This will identify any suspicious mailbox permission changes.
Mailboxes and review the indicated mailboxes for the permissions data.
MFA Devices
This will identify any MFA devices for review, including the type of device and the date and time when it was registered.
Password Changes
This will display any recent password changes for the tenant.
Refresh Data
This will refresh the analysis for the user and update the Indicators of Compromise checks.
Remediate User
This action will block user sign-in, reset the user's password, disconnect all current sessions, remove all MFA methods for the user, and disable all inbox rules for the user.
Download Report
This will download a JSON file for the checks completed in the analysis.
Display Name
This is the name that will be given to the group when a group is created using this template. It should be unique and descriptive.
Description
This field should contain a more detailed explanation of the group's purpose. This might include information about who should be added to the group, what resources the group provides access to, or any other information that helps describe the group.
Username
The username of the creator of the group template.
Group Type
The type of group that the template creates. Options include:
Azure Role Group
Security Group
Distribution List*
Mail Enabled Security Group
Dynamic Group*
Allow External
Are external people allowed to email this group?
Display Name
The official name of the role.
Description
A brief summary of the role.
Members
A list of members assigned to the role.
More Info
Displays the Extended Info flyout
Azure Role Group
None
Security Group
None
Microsoft 365 Group
None
Dynamic Group
Dynamic Group Parameters (see below)
Dynamic Distribution Group
Dynamic Group Parameters (see below)
Distribution List
Let people outside the organization email the group - Allows the group to receive messages from both inside and outside the organization.
Mail Enabled Security Group
None
Ensure temporary admin accounts aren't left active. CIPP lets you create accounts with specific roles as needed and easily removes them automatically when no longer required. JIT Admin accounts will be displayed in the table.
ID
GUID of the user
Display Name
Display name of the JIT admin user
User Principal Name
UPN of the JIT admin user
Account Enabled
Boolean for if the account is enabled
Jit Admin Enabled
Boolean for if the JIT admin roles are enabled
Jit Admin Expiration
Expiration of the JIT admin
Member Of - Display Name
Display name of the admin role(s) the user is a part of
Member Of - Id
GUID of the admin role(s) the user is a part of
This table doesn't utilize a per-row Actions column like many of the other tables introduced with CIPP v7.
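As an added example (not CIPP's own code), the check below reviews a JIT admin listing for accounts whose access window has passed but which still look active. The key names, the ISO 8601 timestamp format and the sample rows are assumptions made for illustration; which leftovers are expected depends on the Expiration Action chosen when the JIT admin was created.

```python
from datetime import datetime, timezone

# Constructed sample rows. Key names and timestamp format are assumptions
# modelled on the table columns above, not a documented export schema.
JIT_ROWS = [
    {"userPrincipalName": "jit-a@contoso.example", "accountEnabled": True,
     "jitAdminEnabled": True, "jitAdminExpiration": "2025-01-10T00:00:00Z",
     "memberOf": ["Exchange Administrator"]},
    {"userPrincipalName": "jit-b@contoso.example", "accountEnabled": True,
     "jitAdminEnabled": True, "jitAdminExpiration": "2025-02-01T00:00:00Z",
     "memberOf": ["Security Reader"]},
    {"userPrincipalName": "jit-c@contoso.example", "accountEnabled": False,
     "jitAdminEnabled": False, "jitAdminExpiration": "2025-01-01T00:00:00Z",
     "memberOf": []},
    {"userPrincipalName": "jit-d@contoso.example", "accountEnabled": True,
     "jitAdminEnabled": True, "jitAdminExpiration": None,
     "memberOf": ["User Administrator"]},
    {"userPrincipalName": "jit-e@contoso.example", "accountEnabled": False,
     "jitAdminEnabled": False, "jitAdminExpiration": "2025-01-05T12:00:00Z",
     "memberOf": ["User Administrator"]},
]

# Fixed review time so the sample gives the same result on every run.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def parse_utc(value):
    """Parse an ISO 8601 timestamp; treat a missing offset as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def find_stale_jit_admins(rows, now):
    """Return (upn, reasons) for JIT admins that need a manual review."""
    findings = []
    for row in rows:
        upn = row["userPrincipalName"]
        expiration = row.get("jitAdminExpiration")
        if not expiration:
            # Without an end date there is nothing to trigger the cleanup.
            findings.append((upn, ["no expiration recorded"]))
            continue
        if parse_utc(expiration) > now:
            continue  # still inside the approved access window
        reasons = []
        if row.get("accountEnabled"):
            reasons.append("account still enabled")
        if row.get("jitAdminEnabled"):
            reasons.append("JIT admin still enabled")
        roles = row.get("memberOf") or []
        if roles:
            reasons.append("roles still assigned: " + ", ".join(roles))
        if reasons:
            findings.append((upn, reasons))
    return findings


if __name__ == "__main__":
    for upn, reasons in find_stale_jit_admins(JIT_ROWS, NOW):
        print(f"{upn}: {'; '.join(reasons)}")
```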
Get up and running with CIPP quickly and confidently—no guesswork, no headaches.
We get it—GDAP can be confusing, but setting up CIPP doesn’t have to be painful!
Let our CIPP experts show you the ropes. They’ve seen it all and know the best tips and tricks to help you get up to speed. Stop banging your head against the wall and start benefiting from the time-saving, streamlined features CIPP offers once it’s configured correctly.
✅ Recorded Sessions: Use the recordings to train your team and replicate processes effortlessly.
✅ Future-Proofing: Establish scalable systems that grow with your business.
✅ Expert Guidance: Work with a seasoned CIPP specialist who has hands-on experience.
✅ Save Time: Avoid trial-and-error setups and get clear, actionable steps.
For a one-time fee of $750 USD, you’ll receive:
A 90-minute live session with a CIPP expert.
A recording of your session for easy reference and team training.
By the end of the session, you’ll:
Understand the step-by-step process for onboarding clients to CIPP.
Learn how to configure regional settings and custom domain names.
Identify and resolve common performance issues related to region selection.
Use the CIPP management portal for user role assignments and permissions.
Implement best practices for inviting and managing additional users.
Gain familiarity with the SAM wizard and GDAP setup process.
Complete a full GDAP setup for one client within CIPP.
Note: If you’ve already completed parts of the setup or need a specific focus, discuss this with your CIPP expert before scheduling. Unique requirements must be communicated in advance to ensure they’re addressed within the allotted time.
Fill Out the Form: Share your name, email, company name, and deployment status.
Check Your Email: Receive onboarding details and the sign-up link.
Complete Payment: Submit your payment securely to confirm your session.
Relax and Wait: Your dedicated CIPP expert will contact you to schedule the session.
Note: Sponsorship is required for onboarding services, whether using a hosted or self-hosted instance of CIPP. Complete the sponsorship process to access full support.
To make the most of your session, have the following ready:
A Global Administrator account for your Partner Tenant.
Access to at least two Customer Global Admin accounts for GDAP testing.
Verify access to the CIPP Management Portal: https://management.cipp.app.
Prepare a list of:
Any errors or challenges you’ve encountered.
Screenshots of relevant issues (e.g., CIPP access failures, portal errors).
Have a mailbox license ready for the CIPP Service Account.
This will be converted into a shared mailbox during onboarding.
Here’s what you can expect during your onboarding session:
Recap your current environment, goals, and any pre-identified issues.
Guided walkthrough of key configurations, starting with GDAP setup and validation.
Test access to customer tenants using CIPP links.
Verify notifications and critical configurations.
Review and implement:
“AllTenants” Standard configurations.
Scripted alerts and audit log alerts with remediation workflows.
Address any outstanding questions or unique requirements.
Ensure you’re confident replicating processes for additional tenants.
To build on your onboarding success:
Refine Your Standards:
Adjust your “AllTenants” Standard to align with business needs.
Finalize Notifications:
Test and confirm email notifications for critical alerts.
Expand GDAP:
Use the GDAP Invite Wizard to onboard additional customers efficiently.
Document and Train:
Leverage your session recording to train team members and reinforce processes.
Ready to simplify your CIPP setup and take full advantage of its features?
If you have questions or need additional assistance before your session, reach out to our team—we’re here to help!
This report provides an overview of the Multi-Factor Authentication (MFA) status for all users within the tenant. It combines the built-in Entra MFA report with each user's Per-User MFA state to give a complete picture.
Note: To utilize the Entra MFA report part of this report, the tenant must be licensed for Entra P1 or higher. Per-User MFA status will still function even if the tenant isn't licensed.
A user must have at least one checkmark in any of the following categories to be protected by MFA:
Per-User MFA: This means MFA is enabled directly on a per-user basis. It ensures that any sign-in attempt by the user is subjected to MFA verification.
Covered by Security Defaults (SD): This indicates that the user is protected by default security settings, automatically enabling and enforcing usage of MFA, when Microsoft deems a sign-in as risky.
Covered by Conditional Access (CA): In this case, MFA is enabled through Conditional Access policies which might require MFA based on conditions like user location, device compliance, etc.
The report lists every user in the tenant and provides detailed information about their MFA status, including:
Whether MFA is enabled and enforced through Per-User MFA settings.
If the user is safeguarded by Security Defaults that enforce MFA.
Whether Conditional Access policies require MFA for the user.
If the user is capable of using MFA.
The MFA methods the user has set up.
For tenants with over 250 user accounts, the Per User MFA status might appear as blank or null due to API throttling. In such cases, it could indicate any of the following states: disabled, enabled, or enforced.
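The coverage rule and the throttling caveat above can be applied to an exported copy of the report as follows. This is an added example, not CIPP's own code; the key names and sample rows are constructed assumptions. A blank Per-User MFA state is reported as "unknown" rather than "unprotected" unless Security Defaults or Conditional Access already cover the user.

```python
"""Classify MFA report rows as protected, unprotected or unknown."""

# Constructed sample rows. The key names are assumptions made for this
# example; they are not the column names of CIPP's own export.
SAMPLE_ROWS = [
    {"upn": "alice@contoso.example", "per_user_mfa": "Enforced",
     "covered_by_sd": False, "covered_by_ca": False},
    {"upn": "bob@contoso.example", "per_user_mfa": "Disabled",
     "covered_by_sd": False, "covered_by_ca": True},
    {"upn": "carol@contoso.example", "per_user_mfa": "Disabled",
     "covered_by_sd": False, "covered_by_ca": False},
    # Blank per-user state, as can happen in large tenants due to throttling.
    {"upn": "dave@contoso.example", "per_user_mfa": None,
     "covered_by_sd": False, "covered_by_ca": False},
    # Blank per-user state, but Security Defaults already cover the user.
    {"upn": "erin@contoso.example", "per_user_mfa": "",
     "covered_by_sd": True, "covered_by_ca": False},
]

# Assumption: both "Enabled" and "Enforced" count as a Per-User MFA checkmark.
PER_USER_ON = {"enabled", "enforced"}


def classify(row):
    """Return 'protected', 'unprotected' or 'unknown' for one report row."""
    state = (row.get("per_user_mfa") or "").strip().lower()
    # One checkmark in any of the three categories is enough.
    if state in PER_USER_ON or row.get("covered_by_sd") or row.get("covered_by_ca"):
        return "protected"
    if state == "disabled":
        return "unprotected"
    # Blank or null: the real state could be disabled, enabled or enforced,
    # so the row needs a re-check instead of being counted as a gap.
    return "unknown"


def summarize(rows):
    """Group user principal names by classification, keeping input order."""
    buckets = {"protected": [], "unprotected": [], "unknown": []}
    for row in rows:
        buckets[classify(row)].append(row["upn"])
    return buckets


if __name__ == "__main__":
    for status, upns in summarize(SAMPLE_ROWS).items():
        print(f"{status}: {', '.join(upns) or '-'}")
```

A Conditional Access checkmark only means a policy can require MFA under its conditions, so "protected" here mirrors the report's rule, not a guarantee for every sign-in.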
This table doesn't utilize a per-row Actions column like many of the other tables introduced with CIPP v7.
Lists all deleted users, groups and applications in the tenant
Shows all deleted items in the tenant. What else did you expect? Monkeys? 🐒
Restore Object
Restores the deleted item
More Info
Displays the Extended Info flyout
This page allows you to create a new JIT admin
Tenant selection
Use the dropdown to select the tenant for JIT Admin access
User selection
Select if you would like to create a new user or use an existing user
Start Date
Sets the start date for JIT Admin access
End Date
Sets the end date and time for JIT Admin access
Roles
Select the Entra ID admin roles you want assigned to the user. Remember: Use the principle of least privilege to only assign the role with the minimum set of permissions needed to complete your tasks.
Generate TAP
Set this option to generate a Temporary Access Pass (TAP) to satisfy the need for strong authentication/MFA
Expiration Action
Select what you want to happen to the user at expiration of the JIT admin access requested.
Notification Action
Select the option or options for how you would like to be notified of JIT admin creation. Note that only options that are configured in CIPP settings will work.
To use Temporary Access Passes (TAP), you must enable the authentication method in the customer tenant. This can be done easily via the CIPP Entra Standard: "Enable Temporary Access Passwords"
This page will allow you to test your conditional access policies before putting them in production. The returned results will show you if the user is allowed or denied access based on the policy.
Application to Test
Select the application you wish to test against the policy.
Country
Select the country you want to test logging in from.
IP Address
Enter the IP address you want to test logging in from.
Device Platform
Select the device platform you want to test.
Client Application
Select the client application you want to test.
Sign-In Risk Level
Select the sign-in risk level of the user signing in you want to test.
User Risk Level
Select the user risk level of the user signing in you want to test.
This table will outline the following information about the conditional access policies configured for the tenant and the results of the test.
Display Name
The display name of the conditional access policy.
State
The enablement state of the conditional access policy.
Policy Applies
A Boolean showing if the policy applies to the test settings.
Reasons
A value for the reason for the decision on policy application.
The columns for this table are largely created from the Graph API response received from the device object. For reference, please review the on field descriptions.
We value your feedback and ideas. Please raise any on GitHub.
This table utilizes the column headings returned from Graph API. For reference on this, please see the Graph .
Enable Device
Enables the device to be logged in with tenant credentials
Disable Device
Disables the device from being logged in with tenant credentials
Retrieve BitLocker Keys
Pulls BitLocker keys stored in Entra ID
Delete Device
Deletes the device from Entra ID
More Info
Opens the "Extended Info" flyout
ID
The GUID of the tenant concatenated with the GUID of the user separated by an underscore
Tenant ID
GUID of the tenant
Tenant Display Name
Azure Ad User Id
GUID of the user
Display Name
User's display name
User Principal Name
User's UPN
User Type
User type of "Member", "Guest", or "SharedMailbox"
Created Date Time
Relative time since the account was created
Number of Assigned Licenses
Last Refreshed Date Time
Relative time since the last refresh on the login statistics
Last Sign In Date Time
Relative time since the last login
Last Non Interactive Sign In Date Time
Relative time since the last non interactive sign in. For more information on what a non interactive sign in is, please see Microsoft Learn.
View User
Opens the CIPP user page for the selected user
Edit User
Opens the CIPP edit user page for the selected user
Block Sign In
Opens a modal to confirm if you want to block sign in for the user
Delete User
Opens a modal to confirm if you want to delete the user
More Info
Opens Extended Info flyout
Research Compromised Account
Launches the CIPP user page to research the compromise
More Info
Opens the Extended Info flyout
View and manage your Microsoft 365 CSP tenants.
When you select one of the portal links, the permissions of the currently logged in user are the ones that matter. They need permission to access the portal in question either by virtue of direct administrative roles or the Admin Agent/Helpdesk Agent role in Partner Center.
The Tenant page lets you jump to the specific tenant administration centers for that client using your individual partner credentials, allowing you to administer that specific tenant.
Tenants are cached for 24 hours. By using the Clear Tenant Cache button in settings, you are able to reload the tenants from the partner center immediately. Remember to also clear your browser cache.
Name
The tenant name.
Default Domain
The tenant's default domain.
The page also features several columns which contain links to the different Microsoft 365 administration centers for the tenant.
Edit Tenant
Opens a page to edit the tenant alias and manage tenant group membership.
We value your feedback and ideas. Please raise any feature requests on GitHub.
This page allows you to view and manage your custom tenant groups. Groups make it easy to include similar tenants in your Standards.
Name
Name of the group
Description
Description set for the group
Members
Click to view a table of the tenants in this group
This page allows you to edit some basic information about a tenant. The following tabs have information that you can manage:
This includes basic tenant details like the Display Name and Tenant ID pulled from your GDAP contract with the client.
Here you can view/edit a custom alias for the tenant. This alias will currently only populate in the tenant dropdown in the menu bar. You can also manage the tenant's CIPP group membership.
This tab presents a way to manage Custom Variables on a per-tenant basis. For example, you may need to set a client's RMM site ID.
This page will allow you to create a new tenant group. Set the Group Name, Group Description, and initial tenants to add to the group.
Edit Group
Opens the page for the selected row
Delete Group
Opens a modal to confirm you want to delete the selected group.
Tenants
Shows the tenants selected for the alert
Event Type
"Audit log Alert" or "Scheduled Task"
Conditions
Shows the alert conditions configured
Repeats Every
Shows the cadence for the alert
Actions
Shows the actions selected when an alert is generated
Opens the alert to be able to adjust settings as needed
Clone & Edit Alert
Copies the selected alert allowing you to make adjustments before saving it as a new alert.
Delete Alert
Opens a modal to confirm you want to delete the alert
ID
GUID of object
Display Name
Display name of object
Created Date Time
Relative time since the object was created
On Premises Provisioning Errors
Any errors with syncing the object
Object Type
Type of the object
This page allows you to modify the tenant group's information such as Group Name, Group Description, and make bulk changes to the group membership.
Set up your Conditional Access policies for CIPP.
To make sure CIPP is able to access your tenants securely, we recommend the usage of Conditional Access. Both your own and your clients' Conditional Access policies will need to be configured for optimal usage.
Exclude the CIPP service account from each existing policy; this way we have a dedicated policy for the CIPP service account.
Create a new policy and include the CIPP user. Enforce Azure Multi-factor Authentication for each logon (set sign-in frequency under Session to every time) and for all cloud applications. Do not add any exclusions or trusted locations.
If you have trusted locations under the classic MFA portal, you must always remove those.
Save this policy under the name "CIPP Service Account Conditional Access Policy".
For each policy listed, add an exclusion to "Users and Groups" with the following settings:
- Guest or external users
- Service Provider Users
- Selected, enter your tenant ID
If you do not know what your tenant ID is, you can look it up at https://whatismytenantid.com
Browse to the blade in Azure.
DAP and GDAP are affected by your clients' Conditional Access policies. To make sure you can access your clients using your CIPP integration user, we recommend excluding the MSP from the Conditional Access Policy per
Browse to your client's blade in Azure.
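A check for the dedicated service account policy described above (all cloud applications, MFA, sign-in frequency every time, no exclusions or trusted locations). This is an added example, not part of CIPP or its documentation: it audits a policy object in the Microsoft Graph conditionalAccessPolicy shape, and the function name, sample policies and GUIDs are constructed for illustration.

```powershell
# Added example, not CIPP code. Audits a Conditional Access policy object
# (Microsoft Graph conditionalAccessPolicy shape) against the settings above.
function Test-CippServiceAccountPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $ServiceAccountId
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $users = $Policy.conditions.users
    $apps  = $Policy.conditions.applications
    $freq  = $Policy.sessionControls.signInFrequency

    # A report-only or disabled policy enforces nothing.
    if ($Policy.state -ne 'enabled') {
        $findings.Add("state is '$($Policy.state)', expected 'enabled'")
    }
    if ($users.includeUsers -notcontains $ServiceAccountId) {
        $findings.Add('CIPP service account is not in includeUsers')
    }
    if ($apps.includeApplications -notcontains 'All') {
        $findings.Add('policy does not target all cloud applications')
    }
    if ($Policy.grantControls.builtInControls -notcontains 'mfa') {
        $findings.Add('MFA is not a required grant control')
    }
    if (-not ($freq.isEnabled -and $freq.frequencyInterval -eq 'everyTime')) {
        $findings.Add('sign-in frequency is not set to every time')
    }

    # The dedicated policy must carry no exclusions and no trusted locations.
    $exclusions = [ordered]@{
        excludeUsers        = $users.excludeUsers
        excludeGroups       = $users.excludeGroups
        excludeRoles        = $users.excludeRoles
        excludeApplications = $apps.excludeApplications
        excludeLocations    = $Policy.conditions.locations.excludeLocations
    }
    foreach ($name in $exclusions.Keys) {
        # Where-Object drops $null so a missing property counts as empty.
        if (@($exclusions[$name] | Where-Object { $_ }).Count -gt 0) {
            $findings.Add("$name is not empty")
        }
    }

    [pscustomobject]@{
        Policy    = $Policy.displayName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample data: one policy as described on this page, one weak variant.
$serviceAccountId = '00000000-0000-0000-0000-000000000001'
$sampleJson = @'
[
  {
    "displayName": "CIPP Service Account Conditional Access Policy",
    "state": "enabled",
    "conditions": {
      "users": { "includeUsers": ["00000000-0000-0000-0000-000000000001"],
                 "excludeUsers": [], "excludeGroups": [], "excludeRoles": [] },
      "applications": { "includeApplications": ["All"], "excludeApplications": [] },
      "locations": null
    },
    "grantControls": { "operator": "OR", "builtInControls": ["mfa"] },
    "sessionControls": { "signInFrequency": {
      "isEnabled": true, "frequencyInterval": "everyTime",
      "authenticationType": "primaryAndSecondaryAuthentication" } }
  },
  {
    "displayName": "Constructed weak variant",
    "state": "enabled",
    "conditions": {
      "users": { "includeUsers": ["00000000-0000-0000-0000-000000000001"],
                 "excludeUsers": [],
                 "excludeGroups": ["00000000-0000-0000-0000-0000000000aa"],
                 "excludeRoles": [] },
      "applications": { "includeApplications": ["All"], "excludeApplications": [] },
      "locations": { "includeLocations": ["All"], "excludeLocations": ["AllTrusted"] }
    },
    "grantControls": { "operator": "OR", "builtInControls": ["mfa"] },
    "sessionControls": { "signInFrequency": {
      "isEnabled": true, "frequencyInterval": "timeBased", "type": "hours", "value": 8 } }
  }
]
'@

$policies = $sampleJson | ConvertFrom-Json
foreach ($p in $policies) {
    Test-CippServiceAccountPolicy -Policy $p -ServiceAccountId $serviceAccountId
}
```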
View captured Audit Logs from the Alerts Wizard.
CIPP saves Audit Logs when an alert matches the rules defined in your Alert Configuration.
Select a time range in the Search Options to find Audit Log entries. Use the table filter to narrow down the results to what you are looking for.
This page shows all the app consent requests that have been made in the tenant.
Please note: App consent requests are only available for tenants that have disabled user consent for applications or have the Require admin consent for applications standard enabled.
To not miss any requests, it is recommended to set up the Scripted CIPP Alert "Alert on new apps in the application approval list".
This page shows all the relationships that the selected tenant(s) have.
This page provides an overview of the Secure Score of the tenant. It also provides a way to remediate the issues that are lowering the score, if CIPP already has a standard that can be applied to solve the issue.
This page will allow you to map the GDAP roles to a group in your partner tenant. The default is that the group will be created with the format of "M365 GDAP RoleName". You can optionally create your own group suffix if you have a need to map the same role to multiple groups (e.g. you use different group templates to provide different access by department, etc.).
Click "Add CIPP Default Roles" to automatically add the 15 recommended roles from the Recommended Roles page.
Certain roles may not be compatible with GDAP. See the Microsoft documentation on GDAP role guidance.
The Company Administrator role is a highly privileged role that should be used with caution. GDAP Relationships with this role will not be eligible for auto-extend.
This page shows all the roles, and the security group in the partner tenant for each, that are available to be mapped to a GDAP relationship via CIPP.
To create new mappings, click the Map GDAP Roles button.
Add to Template
Delete Mapping
This page will list the GDAP role templates that you have created. If this is your first time setting up CIPP, this page will prompt you to create the "CIPP Defaults" template that includes the 12 roles included on the Recommended Roles page.
This page shows all the relationships that are attached to your Microsoft partner tenant. It shows the status of the relationship, the tenant name, when it was created, when it expires, if auto extend is enabled, if the relationship includes a Global Admin and more.
Opens the relationship summary page for the selected relationship
Start Onboarding
Opens the CIPP onboarding wizard for the selected relationship
Open Relationship in Partner Center
Opens a new link to the relationship in your Microsoft Partner Center
Enable automatic extension
If the relationship is eligible for automatic extension, this will enable the relationship to auto extend
Remove Global Administrator from Relationship
The Global Administrator (Company Admin in GDAP) role will be removed from the relationship. This is the lone role edit that is currently able to be made on an existing relationship.
Reset Role Mapping
Allows you to select a new Role Template to map to the relationship, fixing relationships that have overlapping roles or incorrect group assignments.
Terminate Relationship
More Info
Opens Extended Info flyout
Select actions are available as bulk actions. Check the box next to the tenant(s) you wish to complete the following actions on en masse.
Enable automatic extension
If the relationship is eligible for automatic extension, this will enable the relationship to auto extend
Remove Global Administrator from Relationship
The Global Administrator (Company Admin in GDAP) role will be removed from the relationship. This is the lone role edit that is currently able to be made on an existing relationship.
Reset Role Mapping
Allows you to select a new Role Template to map to the relationship, fixing relationships that have overlapping roles or incorrect group assignments.
Terminate Relationship
This page currently lacks content and serves as a placeholder.
FOSS (Free and Open-Source Software) lives and dies by the contributions of its communities. Pages like this go unfinished because no one has been able to spare the time it takes to write something up for this.
If you are reading this and have the time to contribute, please consider doing so! We have an edit button at the top of this page and others in order to make it easy for users to contribute. Simply click on the three-dot menu for additional options, including Edit.
Onboarding tenants can be a challenge sometimes, especially when you haven't really taken care of your GDAP environments yet. We've made sure to ease this for you: tenant onboarding now automatically adds missing groups and missing users, and it finishes everything for you. Use the onboarding wizard whenever you're adding a tenant to have a really good time. It removes all of the manual GDAP labour for you except accepting the invite.
This will ensure that the correct roles are mapped to the GDAP relationship, and test that the CIPP-SAM application is correctly pushed to the tenant. The invite wizard is part of the Tenant Onboarding flow, unless an already existing pending invite is selected.
Please note: Any other user that needs to gain access to your Microsoft CSP Tenants will need to be manually added to these groups. To easily add users to these groups, you can do the following:
Create a new security group in your partner tenant with the "Microsoft Entra roles can be assigned to the group" option set to yes. Ex. GDAP_CIPP_Recommended_Roles
Add the users to the created group
Add the created group to the individual GDAP security groups that CIPP created for you. Ex. M365 GDAP Exchange Administrator
If multiple invites are generated, but not used, the unused ones can either be found on the page or on the page. Here onboarding of the tenant can be started again. The invite needs to be accepted by a Global Administrator in the customer tenant.
All mapped can be selected from the list, or you can use the "Use CIPP recommended roles and settings" option to go with the recommended roles.
Manage scheduled tenant alerts.
CIPP offers a set of scheduled, recurring alert checks. Some of these duplicate Microsoft Alerts functionality in a more MSP-friendly manner and some are not available as a Microsoft Alert at this time. Similar to Tenant Standards, you configure alerts using the wizard to select one or more tenants or -All Tenants- to apply alerts globally, then select from the list of available alerts.
Within CIPP, there are two types of alerts:
Audit Log Alert - These alerts are based on Microsoft audit logs.
Scripted CIPP Alert - These alerts have been developed by CIPP to pull from sources other than the audit logs.
Audit Log Alerts - Processed in near real-time, but a small delay of up to 15 minutes is normal.
Scripted CIPP Alerts - Each alert comes with a default value suggested by the CIPP team, but you can adjust it as needed. The available timings are:
365 days / 1 year
30 days / 1 month
7 days / 1 week
1 day
4 hours
1 hour
30 minutes
Webhook - This will deliver a JSON payload to the webhook configured in CIPP Settings.
PSA - This will deliver a formatted payload to the configured PSA in CIPP Settings.
Email - This will deliver an HTML-formatted table to the email address provided in CIPP Settings.
Alert on users without any form of MFA
Alert on admins without any form of MFA
Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available.
Alert on changed admin Passwords
Alert on licensed users that have not logged in for 90 days
Alert on % mailbox quota used
Alert on % SharePoint quota used
Alert on licenses expiring in 30 days
Alert on new apps in the application approval list
Alert on Security Defaults automatic enablement
Alert if Defender is not running (Tenant must be on-boarded in Lighthouse)
Alert on Defender Malware found (Tenant must be on-boarded in Lighthouse)
Alert on new Defender Incidents found
Alert on unused licenses
Alert on overused licenses
Alert on Entra ID P1/P2 license over-utilization
Alert on expiring application secrets
Alert on new Apple Business Manager terms
Alert on expiring application certificates
Alert on expiring APN certificates
Alert on expiring VPP tokens
Alert on expiring DEP tokens
Alert on soft deleted mailboxes
Alert on device compliance issues
Alert on (new) potentially breached passwords. Generates an alert if a password is found to be breached.
Alert on Huntress Rogue Apps detected
A new Inbox rule is created
A new Inbox rule is created that forwards e-mails to the RSS feeds folder
A new Inbox rule is created that forwards e-mails to a different email address
A new Inbox rule is created that redirects e-mails to a different email address
A existing Inbox rule is edited
A existing Inbox rule is edited that forwards e-mails to the RSS feeds folder
A existing Inbox rule is edited that forwards e-mails to a different email address
A existing Inbox rule is edited that redirects e-mails to a different email address
A user has been added to an admin role
A user sessions have been revoked
A users MFA has been disabled
A user has been removed from a role
A user password has been reset
A user has logged in from a location not in the input list
A service principal has been created
A service principal has been removed
A user has logged in a using a known VPN, Proxy, Or anonymizer
A user has logged in a using a known hosting provider IP
You might want to be alerted when a particular account logs into one of your tenants, for example Global Admins or break glass accounts. This is relatively simple if you have consistent naming across your tenants, i.e. mylovelybreakglassaccount@tentantdomains.com
Create an Audit log alert
In the tenant selector, select All Tenants
Selecting All Tenants will allow you to optionally exclude tenants from the alert
Select Azure AD as the log source
Select "Operation" as the When property
Select "Equals To" as the is property
In the input field select "A user logged in"
Add an extra set of variables
Select "Username" as the When property
Select Like as the is property
Enter the username to test for across all tenants i.e. mylovelybreakglassaccount@* (Note the * after the @ to match all domains)
Choose the action(s) you want and save the alert.
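The rule built in the steps above, evaluated against constructed sign-in records to show what the trailing wildcard does and does not match. This is an added illustration, not CIPP's code: it assumes "Like" behaves as PowerShell's case-insensitive -like operator and that every condition must match, and the function name, record field names and tenant names are hypothetical.

```powershell
# Added illustration, not CIPP code. Field names (Tenant, Operation, Username)
# and all records are constructed sample data, not CIPP's audit log schema.
function Test-AuditRule {
    param(
        [Parameter(Mandatory)] $Record,
        [Parameter(Mandatory)] [object[]] $Conditions,
        [string[]] $ExcludedTenants = @()
    )
    # "All Tenants" with optional exclusions: skip excluded tenants first.
    if ($ExcludedTenants -contains $Record.Tenant) { return $false }

    foreach ($c in $Conditions) {
        $actual = [string]$Record.($c.Property)
        $hit = switch ($c.Operator) {
            'EqualsTo' { $actual -eq $c.Value }
            'Like'     { $actual -like $c.Value }   # wildcard, case-insensitive
            default    { throw "Unsupported operator '$($c.Operator)'" }
        }
        if (-not $hit) { return $false }            # assumption: conditions are ANDed
    }
    return $true
}

# The two conditions configured in the steps above.
$rule = @(
    [pscustomobject]@{ Property = 'Operation'; Operator = 'EqualsTo'; Value = 'A user logged in' }
    [pscustomobject]@{ Property = 'Username';  Operator = 'Like';     Value = 'mylovelybreakglassaccount@*' }
)

$records = @(
    # Matches: same local part, any domain.
    [pscustomobject]@{ Tenant = 'contoso.example';  Operation = 'A user logged in'
                       Username = 'mylovelybreakglassaccount@contoso.example' }
    # Matches: -like ignores case.
    [pscustomobject]@{ Tenant = 'fabrikam.example'; Operation = 'A user logged in'
                       Username = 'MyLovelyBreakGlassAccount@fabrikam.example' }
    # No match: different user.
    [pscustomobject]@{ Tenant = 'contoso.example';  Operation = 'A user logged in'
                       Username = 'jane@contoso.example' }
    # No match: right user, different operation.
    [pscustomobject]@{ Tenant = 'contoso.example';  Operation = 'A user password has been reset'
                       Username = 'mylovelybreakglassaccount@contoso.example' }
    # No match: the pattern has no wildcard before the @, so a suffixed
    # account name needs its own rule.
    [pscustomobject]@{ Tenant = 'contoso.example';  Operation = 'A user logged in'
                       Username = 'mylovelybreakglassaccount2@contoso.example' }
    # No match: tenant is excluded from the alert.
    [pscustomobject]@{ Tenant = 'lab.example';      Operation = 'A user logged in'
                       Username = 'mylovelybreakglassaccount@lab.example' }
)

$records |
    Where-Object { Test-AuditRule -Record $_ -Conditions $rule -ExcludedTenants 'lab.example' } |
    Select-Object Tenant, Username
```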
Easily find all the valid unused GDAP invites in your partner organization.
Timestamp
Relative time since the invite was created
Row Key
Table row key from CIPP
Invite URL
URL for the customer to accept the relationship
Onboarding URL
Direct link to start the process, allowing users to swiftly begin and complete onboarding.
With the launch of CIPP v7, there are now new, more powerful tables at your disposal.
🔃 Refresh data
This action will refresh the column data
🔍 Search
This window will perform a search on table contents for the value you type into the box. Clicking on the magnifying glass will allow you to change from the default fuzzy search method to contains or starts with.
Preset Filters
This will present options for preset filters for the table you are viewing. All tables have an option to "Reset all filters"
Show/Hide Filters
This will optionally display the column filters just below the column headers for more granular filtering than the fuzzy search
Toggle Column Visibility
This will allow you to select which columns are visible on the page. You will also be presented with the options to "Reset to preferred columns", "Save as preferred columns", and "Delete preferred columns". Preferred columns are saved as part of your browser cookies.
Export to PDF
This button will export the visible columns in PDF format
Export to CSV
This button will export the visible columns in CSV format
View API Response
This button will open a flyout window where you can view the API response received from the CIPP backend
Clear sort
This will clear any sorting set on this column
Sort by <column name> ascending
This will sort the column by ascending values (smallest to largest, 0 to 9, and/or A to Z)
Sort by <column name> descending
This will sort the column by descending values (largest to smallest, 9 to 0, and/or Z to A)
Clear filter
Clears any filters placed on the column
Filter by <column name>
This will present additional filtering options (See below)
Pin to left
Pin to right
Unpin
Hide <column name> column
Show all columns
Fuzzy
Will return all results where the value is similar to what is input
Contains
Will return all results where the value contains the input
Starts With
Will return all results where the value starts with the input
Ends With
Will return all results where the value ends with the input
Equals
Will return all results where the value exactly matches the input
Not Equals
Will return all results where the value does not match the input
Between
Will return all results where the value is in between the inputs. This will not include the inputs in the returned results
Between Inclusive
Will return all results where the value is in between the inputs. This will include the inputs in the returned results
Greater Than
Will return all results where the value is greater than the input
Greater Than Or Equal To
Will return all results where the value is greater than or equal to the input
Less Than
Will return all results where the value is less than the input
Less Than OR Equal To
Will return all results where the value is less than or equal to the input
Empty
Will return all results where there is no value for this column
Not Empty
Will return all results where there is a value for this column
Some values have special display settings for ease of reading.
Boolean
Columns that display information in a Boolean will utilize a graphical representation instead of true and false. The value for true will display as a check mark. The value for false will display as a circle with an X in it.
Every table also includes an "Actions" column that will always be visible to the right of the table. Clicking the ellipsis will open the menu for available per-row actions that can be taken for this table.
Reports available within CIPP - Identity Management
This page shows all the enterprise applications that are available in the tenant.
This can for example be very helpful when trying to identify SAM applications from previous MSPs.
To do this, first clear the filter and then select the All non-Microsoft Enterprise Apps filter. If not done in this order, the filter will not work as expected.
Offboard the selected user with standard requirements
The Offboarding Wizard is an interactive guide that streamlines the process of offboarding a user from a tenant in Microsoft 365. It provides a step-by-step process where you can select from a variety of offboarding tasks. These tasks include revoking sessions, removing mobile devices, resetting passwords, and more. This wizard also allows for easy setting of a user's Out of Office message and forwarding their mail to another user.
The Offboarding Wizard offers a range of settings that can be performed during the offboarding process. These tasks include:
Convert to Shared Mailbox
Converts the user's mailbox to a shared mailbox
Hide from Global Address List
Hides the user from the Global Address List
Cancel all calendar invites
Revoke all sessions
Revokes all active sessions of the user
Remove all Mobile Devices
Removes all mobile devices associated with the user
Remove all Rules
Removes all rules associated with the user
Remove Licenses
Removes all licenses associated with the user
Disable Sign-In
Disables the user's ability to sign in
Clear Immutable ID
Clears the Immutable ID for a user synced from on-premises Active Directory. Note: This only works after the link is broken from AD
Reset Password
Resets the user's password
Remove from all Groups
Removes the user from all groups
Set Out of Office
Sets an out of office message for the user
Give another user access to the mailbox (without auto mapping)
Gives another user full access to the offboarded user's mailbox without auto mapping
Give another user access to the mailbox (with auto mapping)
Gives another user full access to the offboarded user's mailbox with auto mapping
Give another user access to OneDrive
Gives another user full access to the offboarded user's OneDrive
Forward all e-mail to another user
Forwards all e-mails of the offboarded user to another user
Keep a copy of the forwarded mail in the source mailbox
Keeps a copy of the forwarded mail in the offboarded user's mailbox
Delete User
Deletes the user from the tenant
Mailbox Full Access (no automap)
The selected user or users will be granted full access to the offboarded user's mailbox but will not have that mailbox auto mapped in Outlook
Mailbox Full Access (automap)
The selected user or users will be granted full access to the offboarded user's mailbox and they will have that mailbox auto mapped in Outlook
OneDrive Full Access
The selected user or users will be granted full access to the offboarded user's OneDrive
Forward Email To
The selected user will be set as the forwarding recipient on the offboarded user
Keep a copy of forwarded email
Toggling on this option will retain received mail in the offboarded user's mailbox while also forwarding it to the user selected above
Out of Office Message
This WYSIWYG editor will allow you to craft the Out of Office message set on the offboarded user's mailbox
Schedule this offboarding
Toggling this switch on will present the remaining options in this table
Scheduled Offboarding Date
The date and time you would like the offboarding to run
Webhook
Enable this to send a notification to your configured webhook in CIPP notifications settings
Enable this to send a notification to your configured e-mail address in CIPP notifications settings
PSA
Enable this to send a notification to your configured PSA in CIPP notifications settings
The role mappings page associates security groups with their admin roles, displayed in a table for easy management. The table includes group names, assigned admin roles, and member lists, providing clarity on responsibilities and access levels. This format simplifies tracking roles and ensures proper access control within the organization.
This page will allow you to view details about a particular GDAP relationship.
The GDAP (Granular Delegated Admin Privileges) relationships summary page provides an overview of a particular relationship. It displays details like the relationship status and assigned admin roles, helping manage and audit access efficiently.
A chart showing a high-level view of your GDAP statistics including number of relationships, number of mapped admin roles, number of role templates, and pending invites.
Will launch the GDAP Invite wizard.
A guided process to ensure that you have set up GDAP according to best practices to include mapping admin roles, creating role templates, creating invites, and setup completed.
A tool to be used in troubleshooting for any failed issues with onboarding relationships, etc.
Shows the status of the authentication methods for the tenant.
This page will help ensure that all necessary steps are taken when offboarding a tenant such as:
Removing vendor applications
Remove all guest users originating from the CSP tenant.
Remove all notification contacts originating from the CSP tenant (technical, security, marketing notifications).
The following actions will terminate all delegated access to the customer tenant!
Remove all multitenant applications originating from CSP tenant (including CIPP-SAM).
Terminate all active GDAP relationships (will send email to tenant admins and contacts).
Terminate contract relationship (reseller, etc).