CIPP for MSPs: Multi-Tenant M365 Management Made Practical
If you manage more than a handful of Microsoft 365 tenants, you’ve felt the pain of logging into one admin center after another — resetting passwords, checking license counts, verifying MFA enrollment, deploying conditional access policies — repeating the same tasks across 30, 50, or 100 clients. CIPP (CyberDrain Improved Partner Portal) is the open-source tool that most MSPs eventually discover when they get tired of that workflow. It wraps Microsoft Graph API calls in a multi-tenant management interface so you can see and act on every client’s M365 environment from a single dashboard.
CIPP isn’t new, but it’s become central enough to the MSP stack that not understanding what it does — and what it doesn’t do — is a gap. This post covers what CIPP is, how MSPs use it, where it falls short, and how an AI layer on top of CIPP turns a management portal into an automation platform.
What CIPP Is and Where It Came From
CIPP was created by Kelvin Tegelaar, the developer behind CyberDrain — a collection of PowerShell scripts and tools that MSPs used for years to automate M365 management. The original CyberDrain tools were individual scripts: one for password resets, one for license reporting, one for tenant health checks. They worked, but they were scattered, required PowerShell knowledge, and didn’t scale cleanly across dozens of tenants.
CIPP consolidated those tools into a single web-based portal. Instead of running scripts one tenant at a time, MSPs got a dashboard that connected to all their managed M365 tenants through a single set of GDAP (Granular Delegated Admin Privileges) credentials and the Microsoft Graph API. The project is open-source and hosted on GitHub, with an active community contributing features and fixes. There’s also a managed hosted version for MSPs who don’t want to maintain their own Azure Functions deployment.
The core value proposition is simple: manage every M365 tenant from one place, without logging into each admin center individually.
What CIPP Actually Does
CIPP’s feature set maps directly to the tasks MSPs perform daily in the Microsoft 365 admin center, Entra ID, Exchange Online, and Intune — but across all tenants simultaneously.
Tenant Overview Dashboard
The dashboard shows all your managed tenants with health indicators: license utilization, recent sign-ins, alerts, and compliance status. Instead of opening 50 browser tabs to check on 50 clients, you see the whole portfolio at a glance. Tenants with issues surface to the top.
Standards Deployment
This is the feature that saves the most time. CIPP lets you define a set of standards — security baselines, conditional access policies, mailbox configurations, Intune policies — and deploy them across all tenants or a selected subset. Need every client to enforce MFA? Define it as a standard, apply it, and CIPP pushes the conditional access policy to every tenant.
Standards can include:
- Conditional access policies — require MFA for all users, block legacy authentication, enforce compliant devices
- Exchange settings — disable SMTP auth, enable audit logging, set default mailbox language
- SharePoint policies — external sharing restrictions, default link permissions
- Intune compliance policies — device encryption requirements, OS version minimums
- Security defaults — enable or disable Microsoft’s built-in security defaults per tenant
When a new client onboards, you apply your standard baseline and the tenant is configured to your security requirements in minutes instead of hours.
User Management
Create, edit, disable, and delete users across any tenant without leaving CIPP. Password resets, MFA management, license assignment, group membership changes — all the tasks that make up the bulk of MSP M365 work. The interface lets you act on a user in any tenant without authenticating separately to that tenant’s admin center.
License Management
View license counts, assignments, and utilization across all tenants. See which tenants are approaching their license limits, which have unused licenses, and which users are over-provisioned. This is the same data you’d get from running Get-MgSubscribedSku per tenant via Microsoft Graph API, but aggregated into a single view.
Conditional Access and Security
Review, create, and deploy conditional access policies across tenants. CIPP shows you which tenants have which policies enabled — critical for identifying clients that are missing your security baseline. You can also run BEC (Business Email Compromise) checks that scan sign-in logs for suspicious activity across all tenants.
Alerts and Monitoring
Configure alerts for events across your tenant portfolio: new admin role assignments, failed MFA registrations, impossible travel sign-ins, mailbox rule changes (a common BEC indicator). Alerts aggregate across tenants so you’re not monitoring each one individually.
The Problem CIPP Solves
The math is straightforward. If you manage 50 M365 tenants and need to verify MFA enrollment across all of them, you have two options without CIPP:
- Log into each tenant’s Entra admin center individually. At 3-5 minutes per tenant (authenticate, navigate, check, log out), that’s 2.5-4 hours of clicking.
- Write a PowerShell script using the Microsoft Graph SDK that iterates through tenants, authenticates via GDAP, queries authentication methods, and compiles a report. That works, but someone has to write it, test it, handle token management, and maintain it when Graph API permissions change.
With CIPP, you open the dashboard, navigate to the identity report, and see MFA status across all tenants in one view. A task that took hours takes minutes.
Scale this across every M365 management task an MSP performs — password resets, license audits, conditional access reviews, user provisioning, security checks — and CIPP saves days of labor per month. For MSPs managing 50+ tenants, it’s not optional tooling. It’s infrastructure.
CIPP and the Graph API
Under the hood, CIPP is a Graph API orchestration layer. Every action you take in CIPP — reset a password, assign a license, deploy a conditional access policy — translates to one or more Microsoft Graph API calls executed against the target tenant.
This matters for two reasons.
First, if you’ve been migrating from deprecated PowerShell modules to Graph API, CIPP is doing the same thing with a UI on top. The old Set-MsolUserPassword command is dead. CIPP executes the equivalent PATCH /users/{id} Graph call for you, across any tenant, without you writing the request. For MSPs who don’t have the time or inclination to write Graph API scripts for every management task, CIPP provides the same capability through a web interface.
Second, CIPP’s multi-tenant authentication model solves one of the hardest parts of Graph API scripting at MSP scale: token management. Authenticating to 50 different tenants via Graph requires managing 50 sets of credentials or GDAP relationships. CIPP handles this through its Secure Application Model — a single Azure AD application with delegated access to all managed tenants. You authenticate once, and CIPP handles the per-tenant token exchange. This is the same infrastructure headache that keeps most MSPs from building their own multi-tenant Graph API tooling.
Where CIPP Falls Short
CIPP is excellent at what it is: a multi-tenant M365 management portal. But it’s important to understand what it isn’t.
It’s a Portal, Not an Automation Platform
CIPP gives you a faster way to perform M365 management tasks. But it still requires a human to open the dashboard, identify what needs to be done, and execute the action. Standards deployment is the closest thing to “set it and forget it” — but even standards need to be defined, reviewed, and updated as your security baseline evolves.
When a ticket comes in saying “new hire at Acme Corp, please set up their M365 account,” CIPP makes the provisioning faster. But someone still has to read the ticket, open CIPP, look up the client’s tenant, determine the correct license tier, create the user, assign the license, add them to the right groups, and close the ticket. The portal accelerates each step, but it doesn’t eliminate the workflow.
Alerts Require Manual Response
CIPP’s alerting surfaces issues — suspicious sign-ins, unauthorized admin changes, MFA gaps. But when an alert fires, a tech has to see it, open CIPP, investigate, and decide what to do. There’s no built-in mechanism to automatically triage an alert, correlate it with other data (PSA tickets, RMM device status, documentation), and take action.
For a BEC alert at 2 AM, the alert sits in the queue until someone checks it. The investigation and response are entirely manual.
No Cross-Tool Context
CIPP knows about M365. It doesn’t know about your PSA, your RMM, your documentation platform, or your billing system. When you’re looking at a user in CIPP, you can see their M365 status, but you can’t see their NinjaOne device health, their ConnectWise ticket history, or their ITGlue documentation. The tech still has to swivel between tools to get the full picture.
This is the fundamental limitation of any single-tool portal. CIPP is the best M365 multi-tenant portal available. But MSP work rarely lives in a single tool.
No Ticket-Driven Workflows
CIPP doesn’t read your PSA tickets and determine what actions to take. It’s a tool you go to, not a tool that comes to you. The gap between “a ticket was created” and “the right action was taken in CIPP” is still filled by a technician manually connecting the dots.
Junto + CIPP: Turning a Portal Into a Platform
This is where the two tools complement each other. CIPP provides multi-tenant M365 management and Graph API orchestration. Junto provides AI-driven ticket triage, cross-tool context, and runbook automation. Together, they close the gaps that each tool has on its own.
Junto integrates with CIPP directly, which means the AI can query and act on M365 tenant data through CIPP’s multi-tenant infrastructure rather than making raw Graph API calls per tenant. Here’s what that looks like in practice.
License Checks During Onboarding
A new hire ticket comes into ConnectWise. Junto’s AI reads the ticket, identifies the client, pulls their onboarding SOP from ITGlue, and checks CIPP for available licenses in that tenant — all before a tech touches it. If the client is out of E3 licenses, Junto flags it in the triage note instead of letting a tech discover it halfway through provisioning.
The license assignment itself happens through CIPP’s multi-tenant Graph orchestration. No per-tenant auth tokens, no PowerShell scripts. The tech approves the onboarding runbook, and Junto executes the full provisioning workflow — user creation, license assignment, group membership, MFA enrollment — using CIPP as the M365 execution layer.
Tenant Health in Triage
When a ticket mentions M365 issues for a client, Junto pulls tenant health data from CIPP as part of its triage enrichment. The tech sees the client’s current M365 status — service health, recent alerts, conditional access policy status — alongside the NinjaOne device data, ConnectWise ticket history, and ITGlue documentation. One triage note, every tool’s context, no swiveling.
Standards Compliance Verification
CIPP’s standards deployment ensures tenants meet your security baseline. Junto’s runbooks can verify compliance on a schedule — checking every tenant against your defined standards and surfacing drift. A client’s IT admin disabled MFA for a “temporary” test two weeks ago and forgot to re-enable it? Junto catches the standards drift through CIPP, creates an internal alert, and gives the tech a one-click remediation option.
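The drift check described above, sketched as an added example (not CIPP's or Junto's own code). It assumes each tenant's conditional access policies have already been exported as dictionaries using the Microsoft Graph conditionalAccessPolicy field names; the tenant names and policies are constructed, and a report-only policy is counted as drift because it does not enforce anything.

```python
# Added example; tenants and policies are constructed sample data. Field names
# follow the Microsoft Graph conditionalAccessPolicy resource.

def _controls(p):
    # grantControls can be null on policies that only set session controls.
    return (p.get("grantControls") or {}).get("builtInControls", [])

def requires_mfa_for_all(p):
    return "All" in p["conditions"]["users"].get("includeUsers", []) and "mfa" in _controls(p)

def blocks_legacy_auth(p):
    legacy = {"exchangeActiveSync", "other"}  # Graph's legacy client app types
    return legacy <= set(p["conditions"].get("clientAppTypes", [])) and "block" in _controls(p)

# Baseline taken from the standards listed earlier on the page.
BASELINE = {"Require MFA for all users": requires_mfa_for_all,
            "Block legacy authentication": blocks_legacy_auth}

def find_drift(tenants):
    """Return {tenant: [finding, ...]} for tenants that miss the baseline."""
    drift = {}
    for tenant, policies in tenants.items():
        findings = []
        for name, matches in BASELINE.items():
            states = {p["state"] for p in policies if matches(p)}
            if "enabled" in states:
                continue  # at least one enforcing policy covers this standard
            if "enabledForReportingButNotEnabled" in states:
                findings.append(f"{name}: report-only, not enforced")
            elif "disabled" in states:
                findings.append(f"{name}: disabled")
            else:
                findings.append(f"{name}: missing")
        if findings:
            drift[tenant] = findings
    return drift

def policy(state, controls, users=None, apps=None):
    """Build a constructed policy record for the sample below."""
    return {"state": state, "grantControls": {"builtInControls": controls},
            "conditions": {"users": {"includeUsers": users or []},
                           "clientAppTypes": apps or ["all"]}}

MFA = dict(controls=["mfa"], users=["All"])
LEGACY = dict(controls=["block"], users=["All"], apps=["exchangeActiveSync", "other"])
SAMPLE = {
    "contoso.example": [policy("enabled", **MFA), policy("enabled", **LEGACY)],
    "fabrikam.example": [policy("disabled", **MFA), policy("enabled", **LEGACY)],
    "acme.example": [policy("enabledForReportingButNotEnabled", **MFA)],
}
DRIFT = find_drift(SAMPLE)
```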
Automated BEC Response
A CIPP alert fires for suspicious sign-in activity on a client’s tenant. Instead of sitting in a queue, Junto picks up the alert, correlates it with the user’s recent activity across tools (ConnectWise tickets, NinjaOne device status, M365 sign-in logs via CIPP), and assembles an incident response triage note. If the indicators are clear — impossible travel, new inbox rule, unfamiliar device — a runbook can disable the account through CIPP, revoke sessions, and notify the tech for review. The human-in-the-loop approval ensures nothing happens without a tech’s sign-off, but the investigation and proposed response are automated.
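The correlation step described above, as an added example rather than Junto's or CIPP's implementation. The event shapes, the speed and distance thresholds, and the rule that two or more indicators make a case "clear" are all assumptions; the function only proposes actions and leaves them pending a technician's approval.

```python
# Added example; all events below are constructed sample data.
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900   # assumption: faster than an airliner counts as impossible travel
MIN_KM = 500    # assumption: ignore short hops caused by geo-IP jitter
CLEAR_AT = 2    # assumption: two or more indicators make the case "clear"

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def triage(user, signins, known_devices, rule_events, window=timedelta(hours=24)):
    """Build a triage note; actions are only proposed, never executed here."""
    signins = sorted(signins, key=lambda s: s["time"])
    indicators = []
    for prev, cur in zip(signins, signins[1:]):
        # Floor the gap at one second so simultaneous sign-ins are still scored.
        hours = max((cur["time"] - prev["time"]).total_seconds(), 1) / 3600
        dist = km_between(prev["geo"], cur["geo"])
        if dist > MIN_KM and dist / hours > MAX_KMH:
            indicators.append("impossible_travel")
            break
    if any(s["device"] not in known_devices for s in signins):
        indicators.append("unfamiliar_device")
    if signins and any(abs(e["time"] - signins[-1]["time"]) <= window for e in rule_events):
        indicators.append("new_inbox_rule")
    clear = len(indicators) >= CLEAR_AT
    return {"user": user, "indicators": indicators,
            "proposed_actions": ["disable_account", "revoke_sessions"] if clear else [],
            "status": "pending_tech_approval" if clear
                      else "manual_review" if indicators else "no_findings"}

T0 = datetime(2024, 5, 1, 9, 0)
NEW_YORK, LONDON, SYDNEY = (40.71, -74.01), (51.51, -0.13), (-33.87, 151.21)
SUSPICIOUS = triage(
    "user@client.example",
    [{"time": T0, "geo": NEW_YORK, "device": "LAPTOP-01"},
     {"time": T0 + timedelta(hours=1), "geo": SYDNEY, "device": "unmanaged-7f"}],
    known_devices={"LAPTOP-01"},
    rule_events=[{"time": T0 + timedelta(hours=1, minutes=5), "rule": "forward-all"}])
TRAVELLER = triage(
    "exec@client.example",
    [{"time": T0, "geo": NEW_YORK, "device": "LAPTOP-02"},
     {"time": T0 + timedelta(hours=8), "geo": LONDON, "device": "LAPTOP-02"}],
    known_devices={"LAPTOP-02"}, rule_events=[])
```

The second sample is a plausible eight-hour flight on a known device, which yields no findings, so the thresholds do not flag ordinary business travel.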
License Optimization at Scale
CIPP gives you the data: license counts, assignments, and utilization across all tenants. Junto turns that data into action. By cross-referencing CIPP license data with Pax8 billing and M365 usage analytics, Junto can identify over-provisioned licenses, orphaned seats, and shared mailboxes that don’t need licenses across your entire client base — and present the findings as a QBR-ready report without anyone running a manual audit.
Getting Started With CIPP
If you’re not already using CIPP, the setup path depends on your preference for self-hosted vs. managed:
Self-hosted (CIPP): Deploy the Azure Functions backend and static web app to your own Azure tenant. The CIPP documentation walks through the setup, including the Secure Application Model configuration for GDAP access to managed tenants. This gives you full control but requires Azure infrastructure management.
Hosted: Use the managed hosted version. Less infrastructure overhead, but you’re trusting a third party with your multi-tenant access tokens. For many MSPs, the convenience trade-off is worth it.
Either way, the core setup involves configuring GDAP relationships with your managed tenants and granting the CIPP application the appropriate Microsoft Graph API permissions. Plan 30-60 minutes for initial setup, plus time to onboard each tenant.
Once CIPP is running, connecting it to Junto takes minutes. The integration uses CIPP’s API to give Junto read and write access to your managed tenants’ M365 data — the same data you see in the CIPP dashboard, now available to the AI for triage enrichment and runbook execution.
CIPP Is the Foundation. AI Is the Automation Layer.
CIPP solved a real problem: multi-tenant M365 management without logging into 50 admin centers. It’s the best tool available for that job, and most MSPs managing significant M365 client bases should be running it.
But a management portal is a starting point, not an endpoint. The MSPs getting the most value from CIPP aren’t just using it to click faster — they’re connecting it to an automation layer that reads tickets, pulls cross-tool context, and executes multi-step workflows that span M365, the PSA, the RMM, and the documentation platform.
CIPP gives you the multi-tenant M365 infrastructure. Junto gives you the AI that knows when and how to use it.
Already running CIPP? Connect it to Junto and see your M365 tenant data show up in every ticket triage — automatically. See the full list of supported tools at juntoai.com/integrations.