CIPP Partner Portal Admin Setup Guide

CIPP (CyberDrain Improved Partner Portal) is a web application targeted at Microsoft MSPs (Managed Service Providers) that manage multiple tenant organizations in Microsoft 365. The CIPP solution is a free GitHub project that you can clone and use inside your own Azure environment to run an MSP partner portal. CIPP is meant to run alongside or replace the Lighthouse portal, or the old process of having multiple admin accounts across each tenant. CIPP can then be used by administrators and help desk staff to maintain client organizations in Microsoft 365.

About CIPP

CIPP is focused on quick access to common IT tasks, applies templates and standards across multiple tenants, and centralizes the help desk function.

Azure bills per resource consumed, so expect roughly $10 to $30 / month.

The creators of CIPP also offer a hosted model, in exchange for sponsorship ($99 / month). They will stand up your instance for you and give you access to the web page. They offer limited email-based support in this case.

Microsoft has a similar effort underway called Lighthouse.

Focus of this guide

The installation can be difficult if you go down the wrong path. This guide was created to cover a basic path to self-hosting.

This guide is for the IT administrator that is already an MSP and wishes to set up the self-hosted version of CIPP. You may want to self-host to try it out before subscribing. Or you may have compliance requirements that prohibit hosting with an outside party.

The steps here are not necessarily required or even recommended, but they are steps that worked.

Notes

  • We will follow this guide: CIPP Documentation, but it’s difficult for these reasons:
    • It’s accurate but short on information and explanation.
    • Help is scarce (for free users). You can try the CIPP Discord room.
    • There are sub-steps that are unlisted (or not very explicit). This is mostly due to the fact that every MSP has a slightly different configuration, so it’s hard to cover all the options.
    • It’s entirely cloud, which is cool but complicated. The code is on Github, the website is in Azure, the primary tenant is the MSP, and the tenants are all Microsoft tenants with DAP or GDAP access. Not to mention the soup that is Microsoft licensing. And then all these things have to be linked together in a secure way (essentially via a secure chain of trust).
  • It’s better if your MSP tenant is independent of (and above) your own office’s tenant.
    • This way, your company is like all your other customers’ companies.
    • Otherwise, you can’t manage your own tenant unless you follow the separate steps for that (which suggests it isn’t really supported).
  • If you get stuck and need to start over:
    • Delete the created Azure resource group: Resource Groups > [CIPP1]
    • Delete and re-fork the GitHub projects: CIPP and CIPP-API
      • Didn’t need to do this
      • Didn’t need to make a new token
    • Deleting CIPP1 can take a while, but you can create CIPP2, etc. in the meantime.

Requirements

  • A working MSP portal from Microsoft.
    • In the examples below, it is called pp.com.
  • You will need a free Azure Subscription to run the processes and store data.
  • The subscription itself is free, but you will pay around $30 / month depending on usage.
  • For the GDAP wizard in Lighthouse, you may need a trial of Azure Active Directory Premium P2.
  • You may need email services such as Microsoft 365 F3 for CIPP to send reports.
  • Get a free Lighthouse license if you can.
  • Your partner accounts should have MFA.
  • Your admin@pp.com account should be in the AdminAgents group and already able to manage tenants via the portal: https://partner.microsoft.com.

GDAP Setup

GDAP is the new Microsoft requirement, and it’s better to have it taken care of in advance.
Not sure whether this step is required here, since CIPP also has its own wizard.

  • We used the Lighthouse wizard to convert to GDAP, and it was easy.
  • The MS defaults in that wizard are all OK.
  • It saves your selections, and you can re-run the wizard many times until it is complete.
  • For my group names, I used the prefix GDAP_.
  • One of the wizard features requires an AADP2 license to complete.

CIPP Guide Notes: Getting started

We are following this guide: CIPP Documentation

However:

  • The official guide is deceptively simple and doesn’t show an example to follow.
  • Follow each step (each word actually) exactly.
  • Consider the notes below as additional / example information for each step.
  • We are attempting to explain what’s going on (as much as we understand it).

CIPP Guide Notes: Prerequisites Steps

CIPP Guide link

Explanation
You have set up your partner org as needed. You have set up an Azure subscription as a place to run some processes and store some files. You will use GitHub (the popular open-source code hosting service, owned by Microsoft) to create your own fork of the original source code. Your fork of the code will be accessed and run by the Azure resource groups that you create.

  • Create a Partner portal ‘service’ account for this purpose: cipp@pp.com
    • It should also be in the AdminAgents group.
    • It should have MFA
    • Licensing for this account: (not sure)
  • Create a free GitHub account for the forked code to live on
    • Use cipp@pp.com email
    • Use cipp_pp for the username
    • Fork the GitHub repositories for CIPP and CIPP-API
    • Create a GitHub access token
    • The directions refer to the token creation process that GitHub now describes as legacy.
  • Logon to the partner portal using the cipp@pp.com account (not necessary but easier)

CIPP Guide Notes: Install CIPP steps

CIPP Guide link

Explanation
The deploy button installs CIPP, which consists of 5 resources created in an Azure resource group (called CIPP1 below). Azure will access your GitHub repository via the URLs and the token string. The runbooks will take a few minutes to complete.

CIPP Guide Notes: Add Yourself

CIPP Guide link

Explanation
Within the Azure resource group (CIPP1) is the web site (static web application). You must be invited to this resource to get access to it.

Resource Groups > [CIPP1] > Overview > Static web application
> Role Management > Invite

(leave everything as is except:)
Email address: admin@pp.com
Domain: portal.pp.com or Default domain (if Custom domain hasn’t been set up yet)
Role: admin
Click Generate and copy/send link
Invite the cipp@pp.com also

Pause here and make sure the App loads.
At this point, the App should load the basic web page (with errors and no tenants).
You can find the assigned URL here:
Resource Groups > [CIPP1] > Overview > Static web application
> Overview > URL (top right)

Notes

  • The collapsible menus are not initially obvious.
  • Click the triangle button at the top left to show/hide the main menu on the left
  • Click the little picture icons on the left to show/hide sub-menus
  • You will need to go to these areas (shortly)
    • Settings > CIPP > Settings
    • Settings > CIPP > SAM Setup Wizard

CIPP Guide Notes: Run From Package Mode steps

CIPP Guide link

Explanation
Adjusts the Function App so that it consumes fewer Azure resources, perhaps by using local storage tables instead of remote calls. Seems to adjust for less processing power and save Azure money (I think).

Note: Can be skipped and done after all the below is working, because the steps say to open all the portal areas first, which can’t be done until SAM setup. (I think).

To complete:
Log on as cipp@pp.com in both the Edge profile and the GitHub portal (delete cookies if necessary).
All other steps in this guide should be run as admin@pp.com.

Resource Groups > [CIPP1] > Overview > Function App
> Configuration > New Application Setting

Add the WEBSITE_RUN_FROM_PACKAGE value of 1 and Save
> Deployment Center > Click Disconnect
Click Source (should see your Github already logged on)
GitHub > Organization cipp_pp > Repository CIPP-API > Branch master
Click Add a workflow
Do not change any other settings
> Overview (on left) > Stop
Wait 5 minutes
Start

Close the cipp@pp.com Edge profile.
Then the guide says to follow the Clear Token Cache steps (below).

CIPP Guide Notes: SAM Setup steps

CIPP Guide link

Explanation
Runs a process through your tenants, giving access to the cipp@pp.com service account so the app can do its job. Somewhat unintuitively, the setup process requires that you run it as yourself (not as the service account). You won’t see any tenants without doing this.

Follow these steps carefully; basically, you use Settings > CIPP > SAM Setup Wizard.
Don’t do these steps as cipp@pp.com; they will fail.
Do them from your admin@pp.com account.
It will then ask you for the cipp@pp.com logon as part of the steps.

CIPP Guide Notes: Clear Token Cache steps

CIPP Guide link

Explanation
Not really sure which token is referred to here. Not the Github token. Probably not the tokens mentioned in the CIPP Settings buttons either.

Resource Groups > [CIPP1] > Overview > Function App
> Configuration (left)

This is a weird requirement, but it works. Go slowly.
RefreshToken > Rename to RefreshToken2
Save
Overview > Stop and wait 5 minutes
Overview > Start

Rename token back
Stop and wait 5 minutes
Start
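The Run From Package Mode and Clear Token Cache steps above both come down to editing Function App application settings and then stopping, waiting and starting the app. The following PowerShell is an added example, not code from the CIPP project or the original guide; it assumes the Az.Functions module, an existing Connect-AzAccount session, the resource group CIPP1 from the guide and a Function App name you supply (placeholder), and it never displays the refresh token value.

```powershell
# Added example, not part of CIPP or the original guide. Assumes the Az.Functions
# module, an existing Connect-AzAccount session, the resource group CIPP1 from the
# guide, and the Function App name shown under Resource Groups > [CIPP1] > Overview
# > Function App (placeholder below).
$ResourceGroup = 'CIPP1'
$FunctionApp   = 'cipp-function-app-placeholder'

function Restart-CippFunctionApp {
    # The guide's "Stop, wait 5 minutes, Start" sequence.
    param([int]$WaitSeconds = 300)
    Stop-AzFunctionApp  -Name $FunctionApp -ResourceGroupName $ResourceGroup -Force
    Start-Sleep -Seconds $WaitSeconds
    Start-AzFunctionApp -Name $FunctionApp -ResourceGroupName $ResourceGroup
}

# --- Run From Package Mode: add WEBSITE_RUN_FROM_PACKAGE = 1 ---
# With this setting Azure runs the function code straight from the deployed
# package, mounted read-only, instead of from files copied into the app.
Update-AzFunctionAppSetting -Name $FunctionApp -ResourceGroupName $ResourceGroup `
    -AppSetting @{ WEBSITE_RUN_FROM_PACKAGE = '1' } | Out-Null
Restart-CippFunctionApp

# --- Clear Token Cache: RefreshToken -> RefreshToken2, restart, and back ---
# App settings have no rename operation, so a rename is copy then remove.
# RefreshToken is a credential for every managed tenant: keep it in a
# variable only, never Write-Host it, never paste it into a ticket or chat.
$settings = Get-AzFunctionAppSetting -Name $FunctionApp -ResourceGroupName $ResourceGroup
if (-not $settings.ContainsKey('RefreshToken')) {
    throw 'RefreshToken setting not found; run the SAM Setup Wizard first.'
}
$token = $settings['RefreshToken']

Update-AzFunctionAppSetting -Name $FunctionApp -ResourceGroupName $ResourceGroup `
    -AppSetting @{ RefreshToken2 = $token } | Out-Null
Remove-AzFunctionAppSetting -Name $FunctionApp -ResourceGroupName $ResourceGroup `
    -AppSettingName 'RefreshToken' -Force | Out-Null
Restart-CippFunctionApp

Update-AzFunctionAppSetting -Name $FunctionApp -ResourceGroupName $ResourceGroup `
    -AppSetting @{ RefreshToken = $token } | Out-Null
Remove-AzFunctionAppSetting -Name $FunctionApp -ResourceGroupName $ResourceGroup `
    -AppSettingName 'RefreshToken2' -Force | Out-Null
Restart-CippFunctionApp
Remove-Variable token   # drop the secret from the session
```

Run the Run From Package part while logged in as cipp@pp.com as the guide requires; anyone with Contributor rights on the Function App can read these settings, so keep that role list short.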

CIPP Guide Notes: Conditional Access best practices steps

CIPP Guide link

Explanation: Didn’t have to do anything with this. Maybe it was already OK.

CIPP Guide Notes: Adding a Custom Domain Name steps

CIPP Guide link

Explanation: Optionally, you can change the assigned URL (an Azure-assigned string of words) to a real domain name (with a free certificate attached).

Resource Groups > [CIPP1] > Overview > Static web application
> Custom Domains (left) > Add

Step 1: Add your root domain: Add > on Other DNS > pp.com
Validate at your DNS provider using the given @ TXT record.
Step 2: Add your portal record: Add > on Other DNS > portal.pp.com
At your DNS provider, add the given CNAME record.
Validation takes about 10 minutes.

When it’s done, you should see the new URL https://pp.com here:
Resource Groups > [CIPP1] > Overview > URL
and https://portal.pp.com should work.
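Before waiting out the validation, it helps to confirm both records are actually published. This PowerShell check is an added example (not from the guide or the CIPP project); it assumes the Az.Websites module, an existing login, resource group CIPP1, a Static Web App name you supply, the guide's placeholder domains pp.com / portal.pp.com, and the TXT validation value Azure shows you, which is not on this page.

```powershell
# Added example, not part of CIPP or the original guide. Assumes Az.Websites,
# an existing Connect-AzAccount session, resource group CIPP1 and the Static
# Web App name found under Resource Groups > [CIPP1] > Overview (placeholder).
$ResourceGroup = 'CIPP1'
$StaticWebApp  = 'cipp-static-web-app-placeholder'
$RootDomain    = 'pp.com'
$PortalHost    = 'portal.pp.com'

# Step 1 check: the validation TXT record must be visible at the apex (@) name.
# Paste the exact value Azure displays; the placeholder below is not real.
$ExpectedTxt = 'VALIDATION-VALUE-FROM-AZURE-PORTAL'
$txt   = Resolve-DnsName -Name $RootDomain -Type TXT -ErrorAction SilentlyContinue
$txtOk = @($txt | ForEach-Object { $_.Strings }) -contains $ExpectedTxt

# Step 2 check: portal.pp.com must be a CNAME to the app's Azure default
# hostname (the assigned string-of-words URL), not an A record or a typo.
$app     = Get-AzStaticWebApp -Name $StaticWebApp -ResourceGroupName $ResourceGroup
$cname   = Resolve-DnsName -Name $PortalHost -Type CNAME -ErrorAction SilentlyContinue
$cnameOk = @($cname | Where-Object { $_.NameHost -eq $app.DefaultHostname }).Count -gt 0

# Summary object: both must be $true before Azure can issue the certificate.
[pscustomobject]@{
    ApexTxtPublished    = $txtOk
    PortalCnameCorrect  = $cnameOk
    ExpectedCnameTarget = $app.DefaultHostname
}
```

If the CNAME points anywhere other than the app's own default hostname, fix it before adding the domain; a wrong target is the usual reason validation never completes.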

Final Steps

CIPP Guide link

Explanation: The website should be working at this point. Sometimes you have to give it 30 minutes to refresh. Try clearing the cache in the settings too: CIPP > Settings > Clear Cache

Invite other admins (or readers)
Resource Groups > [CIPP1] > Overview > Static web application
> Role Management > Invite

(leave everything as is except:)
Email address: admin@pp.com
Domain: portal.pp.com or Default domain (if Custom domain hasn’t been set up yet)
Role: admin (or reader)
Click Generate and copy / send link
Invite the cipp@pp.com also
