Post-Install Configuration

At this point you should have completed all the steps in manual installation or click-to-deploy installation, and your deployment should have succeeded. A red cross means your deployment has failed and you should retry, following all the steps.

Add yourself as a user

After deployment, go to your resource group in Azure and select your Static Web Application (cipp-swa-xxxx if using click-to-deploy). Select Role Management and invite the users you want. Currently CIPP supports three roles: reader, editor, and admin. Further information on the roles and how to assign these is on the Roles page. For setup you must give yourself the admin role.

Setting up access to tenants

When you log in, you'll be greeted by the Dashboard, which will most likely tell you to set up your SAM application. You can do this by going to Settings -> SAM Wizard and following the instructions.

Secure Application Model account

It is strongly recommended that you use a separate global administrator account for each Secure Application Model application you create. This avoids conflicts that occur when using existing accounts which may be in customer tenants as guest users and provides better tracing in audit logs.

This service account should be a Global Admin (in your tenant) and given Admin Agent permissions in Partner Center. This account must have MFA enforced and cannot be excluded from Conditional Access in any way. Each logon must require an MFA request.

After setup you must clear the token cache. To clear the token cache follow these instructions

Enable Run From Package mode for better performance and lower costs

  1. Go to CIPP
  2. Visit each page you want to save the contents of, e.g. Standards, Intune Templates, Applications, Alerts. Visiting the page automatically migrates the data to Azure Tables.
  3. Go to Settings -> Backend
  4. Click on "Function app Configuration"
  5. Click on "New Application Setting"
  6. Add an application setting with the name "WEBSITE_RUN_FROM_PACKAGE" and the value "1"
  7. Click Save at the top
  8. Click on Deployment Center
  9. Click on "Disconnect"
  10. Select the source "GitHub"
  11. Log in if required
  12. Select the Organisation, Repository, and Branch you want for your CIPP-API. Click on "Add a workflow". Do not change any other settings.
  13. Click Save at the top.
  14. Restart the Function App

Adding a Custom Domain Name

Why set up a custom domain?
  1. The automatically generated domain uses azurewebsites.net which is often blocked by web filtering products as it's often used by spammers and phishing sites due to the ease of obtaining an azurewebsites.net subdomain.
  2. Your bookmark stays the same if you redeploy.
  3. Easier to communicate internally and looks better for your team.

At the moment of deployment, the application uses a generated domain name. To change this, go to your Resource Group in Azure, select your Static Web App (cipp-swa-xxxx if using click-to-deploy) and select Custom Domains. You can add your own domain name here. See Microsoft Docs: Set up a custom domain with free certificate in Azure Static Web Apps.

I want to manage my own tenant

If you want to manage your own tenant, or if you are not a Microsoft Partner but still want to use CIPP you can set a flag in the configuration for this.

Unsupported configuration

This configuration option is not officially supported. Configuring this means you are on your own for any bugs that occur on your instance. It is advised to not add the Partner Tenant inside a CSP environment and to really use this as a 'Single Tenant' mode.

If you enable this setting, any user with access to CIPP will be able to make any change to your internal tenant, including changing permissions to mailboxes, security groups, and all the aspects that CIPP manages. When running on the hosted environment we ask you to confirm you've read this statement before enabling the feature.

It is not recommended to use this functionality, and this might break at any point in time.

To set the flag follow these steps:

  1. Go to your CIPP instance
  2. Go to the Settings menu
  3. Go to the Backend tab.
  4. Go to Function App (Configuration)
  5. Add a new variable called "PartnerTenantAvailable" and set this to "True"
  6. Clear the tenant cache. Users of CIPP now have access to the CSP Partner tenant.
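
To confirm which of the two application settings described on this page are actually live on a Function App, the following added example (not part of CIPP or its documentation) audits the JSON array printed by `az functionapp config appsettings list --name <function-app> --resource-group <resource-group>`. The sample input is constructed, and treating only the literal value "True" (in any letter case) as enabling PartnerTenantAvailable is an assumption.

```python
import json

# Constructed sample in the shape `az functionapp config appsettings list` prints:
# a JSON array of name/value/slotSetting objects. The values are made up.
SAMPLE_SETTINGS = """
[
  {"name": "FUNCTIONS_WORKER_RUNTIME", "slotSetting": false, "value": "powershell"},
  {"name": "WEBSITE_RUN_FROM_PACKAGE", "slotSetting": false, "value": "1"},
  {"name": "PartnerTenantAvailable", "slotSetting": false, "value": "True"}
]
"""


def audit_app_settings(raw_json):
    """Return (severity, message) findings for a CIPP Function App's settings."""
    settings = {}
    for item in json.loads(raw_json):
        # Index names case-insensitively so a differently cased entry is not missed.
        settings[item["name"].lower()] = (item.get("value") or "").strip()

    findings = []

    # Assumption: the flag counts as enabled only when its value is "True" in any case.
    partner = settings.get("partnertenantavailable")
    if partner is not None and partner.lower() == "true":
        findings.append(("HIGH", "PartnerTenantAvailable is True: every CIPP user "
                                 "can change the partner tenant (unsupported mode)"))
    elif partner is not None:
        findings.append(("INFO", f"PartnerTenantAvailable is present with value "
                                 f"{partner!r}; remove it if it is not needed"))

    # The page sets this to "1"; anything else is reported as not matching it.
    if settings.get("website_run_from_package") != "1":
        findings.append(("LOW", "WEBSITE_RUN_FROM_PACKAGE is not 1: "
                                "Run From Package mode is not enabled"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_app_settings(SAMPLE_SETTINGS):
        print(f"[{severity}] {message}")
```

A HIGH finding on an instance that is not meant to run in single-tenant mode means the flag should be removed and the tenant cache cleared again.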