Overview
CIPP (CyberDrain Improved Partner Portal) is a self-hosted or CIPP-as-a-Service multi-tenant
Microsoft 365 management platform. Unlike other applications in this KB series,
CIPP is not a third-party SaaS app that Entra ID federates with. It is deployed inside the
MSP's own Azure tenant and its access is controlled entirely by the MSP's own Entra ID
Conditional Access policies.
Because CIPP has no external SAML trust relationship to configure, restricting access by IP
is done by creating a Named Location and Conditional Access policy in the MSP's Entra ID
tenant — the same tenant where CIPP is deployed. There is no SAML enterprise application
to target in a client tenant.
CIPP has three distinct access layers, each requiring a different configuration approach:
| Access Layer | How it is Secured | Where to Configure |
| CIPP UI (technician access) | Secured by Entra ID CA policies in the MSP's own tenant. Restrict by IP using a Named Location policy targeting All cloud apps or specific Azure app registrations. | Part A of this article. |
| CIPP Service Account | A dedicated Entra ID account used by CIPP to call the Microsoft Graph API. CIPP documentation requires its own CA policy enforcing MFA on every sign-in, with no trusted location exclusions. | Part B of this article. |
| CIPP-API (programmatic access) | CIPP's built-in API for RMM/PSA integrations. Has a native IP allowlist configured within CIPP Application Settings, independent of Entra ID CA. | Part C of this article. |
Important: CIPP accesses client tenants via GDAP (Granular Delegated Admin
Privileges). Client tenants may have their own Conditional Access
policies that can block the CIPP service account from accessing client
resources. This is addressed separately in Part D of this article.
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license in the MSP's tenant - required for Conditional Access.
- Conditional Access Administrator role or higher in the MSP's Entra ID tenant.
- Security Defaults disabled in the MSP's tenant.
- Known static IP address - the public IP address or CIDR range of each approved location.
- Break-glass admin account in the MSP's tenant - must be excluded from IP restriction policies.
Step 1: Create a Named Location for Your Trusted IP(s)
A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.
- Sign in to the Microsoft Entra admin center at entra.microsoft.com using the MSP's tenant credentials.
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges locations.
- Name the location. For example: Trusted - MSP Office
- Check the Mark as trusted location checkbox.
- Enter your approved IP address or CIDR range and click Create.
| Field/Setting | Value/Notes |
| Single IP address | 203.0.113.10/32 |
| IP range (CIDR) | 203.0.113.0/24 |
Part A: Restrict CIPP Technician Access by IP
CIPP technicians sign in to the CIPP UI using their Entra ID accounts in the MSP's tenant.
Because the CIPP frontend is an Azure Static Web App registered in the MSP's tenant, a
Conditional Access policy targeting All cloud apps will cover CIPP UI access alongside all
other cloud resources in the tenant.
Please Note: If your organization already has a broad IP restriction policy covering all cloud apps in the MSP's tenant, CIPP UI access is already restricted by that
policy. Confirm your existing policies before creating a new one to avoid conflicts.
1. In the Entra admin center, navigate to Protection > Conditional Access > Policies and
select + New policy.
2. Name the policy — for example: Block CIPP Access - Outside Trusted IPs
3. Under Assignments > Users, select the group or users who have CIPP access. Exclude
your break-glass admin account.
4. Under Target Resources, select All cloud apps, or select the specific CIPP Azure
Static Web App registration if you prefer a narrower scope.
5. Under Conditions > Locations, set Configure to Yes. Set Include to Any location and
Exclude to your Named Location from Step 1.
6. Under Access Controls > Grant, select Block access.
7. Set Enable policy to Report-only, validate in sign-in logs, then switch to On.
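The same Named Location (Step 1) and block policy (Part A) built with the Microsoft Graph PowerShell SDK, as an added example that is not part of this article or the CIPP project. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the two object IDs are placeholders you replace with your technician group and break-glass account; the CIDR is the article's example range.

```powershell
# Added example: Step 1 Named Location plus the Part A block policy via Microsoft Graph.
# Placeholders (assumptions, replace with your own values):
$cippGroupId  = "<object-id-of-CIPP-technicians-group>"
$breakGlassId = "<object-id-of-break-glass-account>"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Step 1: trusted IP Named Location (203.0.113.0/24 is the article's example range)
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Trusted - MSP Office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Part A: include Any location, exclude the trusted Named Location, block access.
# Created in report-only state; switch state to "enabled" after validating sign-in logs.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block CIPP Access - Outside Trusted IPs"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($cippGroupId); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Created '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

To scope the policy to the CIPP Static Web App only, replace `"All"` in includeApplications with that app registration's application (client) ID.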
Part B: Conditional Access Policy for the CIPP Service Account
The CIPP service account is a dedicated Entra ID account that CIPP uses to call the
Microsoft Graph API across client tenants. CIPP's own documentation specifies a distinct CA policy for this account, and its requirements differ in important ways from the technician access
policy.
Important: CIPP's documentation explicitly states that the service account CA
policy must enforce MFA on every single sign-in and must NOT include any trusted location exclusions. Do not add your Named Location as an exclusion to this policy. The reasoning is that the CIPP service account should always complete MFA regardless of source IP — relaxing this for trusted IPs weakens the security posture of access to all managed client tenants.
1. In the Entra admin center, navigate to Protection > Conditional Access > Policies and
select + New policy.
2. Name the policy: CIPP Service Account Conditional Access Policy
3. Under Assignments > Users, include only the CIPP service account user.
4. Under Target Resources, select All cloud apps.
5. Under Access Controls > Grant, select Grant access and require Azure Multi-Factor
Authentication.
6. Under Session, set Sign-in frequency to Every time to require MFA on every sign-in.
7. Do not add any location conditions or trusted location exclusions.
8. Set Enable policy to On.
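The Part B service account policy as a Graph PowerShell call, added here as an example and not taken from this article or the CIPP project. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules and uses a placeholder UPN for the service account; note that no locations condition is set at all, matching the requirement above.

```powershell
# Added example: Part B policy, MFA on every sign-in, no location exclusions.
$serviceAccountUpn = "cipp-svc@msp.example"   # placeholder, replace with your service account

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"
$svc = Get-MgUser -UserId $serviceAccountUpn -Property Id

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CIPP Service Account Conditional Access Policy"
    state       = "enabled"
    conditions  = @{
        users        = @{ includeUsers = @($svc.Id) }       # only the service account
        applications = @{ includeApplications = @("All") }
        # Deliberately no "locations" key: MFA must apply regardless of source IP.
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"    # re-prompt MFA on every sign-in
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

"Created '$($policy.DisplayName)' ($($policy.Id)); location condition present: $($null -ne $policy.Conditions.Locations)"
```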
Part C: Restrict CIPP-API Access by IP (Programmatic Access)
If your organization uses the CIPP-API for integration with RMM tools, PSA platforms, or
automation workflows, access can be restricted by IP directly within CIPP's Application
Settings — independently of Entra ID Conditional Access.
1. In the CIPP portal, navigate to CIPP > Integrations > CIPP-API.
2. Locate the API client you wish to restrict in the table.
3. Select the Actions menu (three dots) and choose Edit.
4. In the Allowed IP Ranges field, enter the approved IP addresses or CIDR ranges that
are permitted to use this API client. Supports both IPv4 and IPv6 in CIDR notation.
5. Click Save, then select Actions > Save Azure Configuration to apply the changes to
the Function App authentication settings.
Please Note: The CIPP-API IP allowlist is per API client. If you have multiple API clients configured, each one must be restricted individually. Clients with no IP
ranges specified are accessible from any IP.
Part D: Exclude the MSP from Client Tenant Conditional Access Policies
When CIPP accesses client tenants via GDAP, client Conditional Access policies are
evaluated for the CIPP service account. If a client tenant has IP-based or other Conditional
Access policies without an exclusion for the MSP tenant, CIPP will be blocked from
managing that client.
To prevent this, each client tenant's Conditional Access policies should include an exclusion
for the MSP's tenant ID.
1. In the Microsoft Entra admin center, navigate to the client tenant (or use CIPP to
access the client tenant's CA policies).
2. For each Conditional Access policy in the client tenant, open the policy and navigate
to Assignments > Users.
3. Under Exclude, select Guest or external users, then choose Service Provider Users.
4. Enter the MSP's tenant ID in the field provided.
5. Save the policy. Repeat for all active policies in the client tenant.
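A check for the Part D exclusion across a client tenant, added as an example that is not from this article or the CIPP project: it lists every enabled Conditional Access policy that does not exclude Service Provider Users for the MSP tenant. It assumes the Microsoft.Graph module, an account with Policy.Read.All in the client tenant, and placeholder tenant IDs.

```powershell
# Added example: audit a client tenant for policies missing the MSP Service Provider exclusion.
$mspTenantId    = "<msp-tenant-id>"      # placeholder
$clientTenantId = "<client-tenant-id>"   # placeholder

Connect-MgGraph -TenantId $clientTenantId -Scopes "Policy.Read.All"

# Raw Graph request returns hashtables in the documented JSON shape.
$uri      = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$policies = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

foreach ($p in $policies) {
    # Report-only and disabled policies do not block GDAP access, so skip them.
    if ($p.state -ne "enabled") { continue }

    $excl    = $p.conditions.users.excludeGuestsOrExternalUsers
    $types   = [string]$excl.guestOrExternalUserTypes       # e.g. "serviceProvider"
    $tenants = $excl.externalTenants                        # membershipKind "all" or "enumerated"

    $coversMsp = $false
    if ($types -match "serviceProvider") {
        if ($tenants.membershipKind -eq "all") { $coversMsp = $true }
        elseif ($tenants.members -contains $mspTenantId) { $coversMsp = $true }
    }

    if (-not $coversMsp) {
        "MISSING MSP exclusion: $($p.displayName) ($($p.id))"
    }
}
```

Policies flagged here are the ones to edit in steps 2 to 5; in Direct Tenant mode check for the CIPP service account user in excludeUsers instead.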
Please Note: If you are running CIPP in Direct Tenant mode rather than GDAP mode, exclude the specific CIPP service account user for that tenant instead of using the tenant-wide exclusion.
Summary
The following table summarizes the full configuration process.
| Step | Action |
| Step 1 | Create a Named Location with trusted MSP IP addresses in the MSP's Entra ID tenant |
| Part A | Create a CA policy restricting CIPP technician sign-ins by IP using the Named Location — targeting All cloud apps or the specific CIPP app registration |
| Part B | Create the CIPP Service Account CA policy enforcing MFA on every sign-in — no location exclusions |
| Part C | Restrict CIPP-API clients by IP using the native Allowed IP Ranges setting in CIPP Application Settings |
| Part D | Add MSP tenant ID exclusions to each client tenant's CA policies to ensure GDAP-based access is not blocked |