CIPP Setup
CIPP (CyberDrain Improved Partner Portal) is an open-source Microsoft 365 management platform for MSPs. Once connected, Junto can manage users, reset passwords, configure MFA, manage mailboxes, monitor security alerts, handle devices, and much more across your M365 tenants.
Prerequisites
A CIPP instance with API access
Azure AD app registration credentials (Application ID, Application Secret, and Tenant ID)
Step 1: Create Azure AD App Registration
See CIPP API Setup & Authentication for detailed instructions.
In Azure Active Directory, create a new app registration for Junto.
Under Certificates & secrets, create a new client secret.
Copy the Application (client) ID, Directory (tenant) ID, and the client secret value.
Step 2: Configure in Junto
In Junto, go to Settings > Integrations > CIPP.
Click Add Configuration and fill in:
Application ID -- The client ID from Step 1.
Application Secret -- The client secret from Step 1. This is encrypted before storage.
Tenant ID -- The Azure AD tenant ID from Step 1.
Click Create. Junto validates the connection by listing your CIPP tenants.
Step 3: Map Companies to Tenants
After connecting, Junto lists available tenants from your CIPP instance.
Use the company mapping interface to link each Junto company to its M365 tenant.
Auto-map is available with exact and fuzzy name matching. Exact matches are applied automatically; fuzzy matches are presented as suggestions for review.
Save mappings.
What the AI Agent Can Do
User Management
Tool | Description | Risk Level | Approval |
List Users | List all M365 users with UPN, display name, status, and licenses | Low | None |
Get User Details | View detailed information about a specific user | Low | None |
Add User | Create a new M365 user account | High | Always |
Edit User | Update user properties (name, job title, department, phone, address) | Medium | Once |
Disable User | Disable a user account | High | Always |
Enable User | Re-enable a previously disabled user account | Medium | Once |
Remove User | Delete an M365 user account | High | Always |
Reset Password | Reset a user's password | High | Always |
Offboard User | Full offboarding: disable sign-in, reset password, revoke sessions, remove groups and licenses | High | Always |
Dismiss Risky User | Dismiss risk flag from Azure AD Identity Protection | Medium | Once |
MFA & Authentication
Tool | Description | Risk Level | Approval |
List MFA Status | View MFA registration status and Conditional Access coverage for all users | Low | None |
Reset MFA | Re-require MFA registration for a user | High | Always |
Set Per-User MFA | Set per-user MFA state (enabled, enforced, or disabled) | High | Always |
Revoke Sessions | Revoke all active sign-in sessions for a user | High | Always |
Mailbox & Exchange
Tool | Description | Risk Level | Approval |
List Mailboxes | List all Exchange mailboxes for the tenant | Low | None |
Get Mailbox Details | View detailed mailbox information | Low | None |
Convert Mailbox | Convert between shared and regular mailbox types | Medium | Once |
Enable Archive | Enable the online archive mailbox for a user | Medium | Once |
Set Email Forwarding | Configure email forwarding for a mailbox | Medium | Once |
Set Out of Office | Enable or disable out-of-office auto-reply with custom message | Medium | Once |
List Mailbox Rules | List all inbox rules across the tenant | Low | None |
Get Shared Mailbox Stats | View statistics for shared mailboxes (size, item count, last logon) | Low | None |
Get Mailbox Client Access | View client access settings (OWA, ActiveSync, IMAP, POP) | Low | None |
List Contacts | List Exchange mail contacts for the tenant | Low | None |
Trace Messages | Trace email messages to track delivery status | Low | None |
List Shared Mailboxes with Sign-In | Identify shared mailboxes with sign-in enabled (security risk) | Low | None |
List Deleted Items | List recently deleted M365 objects that can be restored | Low | None |
Email Security
Tool | Description | Risk Level | Approval |
List Blocked Senders | View tenant allow/block list entries | Low | None |
Block Sender | Add a sender or domain to the tenant block list | Medium | Once |
Unblock Sender | Remove a sender or domain from the block list | Medium | Once |
Security Monitoring
Tool | Description | Risk Level | Approval |
List Security Alerts | View Microsoft Defender security alerts | Low | None |
Update Security Alert | Update the status or assignment of a security alert | Medium | Once |
List Security Incidents | View Microsoft Defender security incidents | Low | None |
Update Security Incident | Update the status or assignment of a security incident | Medium | Once |
List Audit Logs | View M365 audit logs (admin and user activity) | Low | None |
List Defender Status | View Defender protection status per device | Low | None |
Sign-In & Activity Monitoring
Tool | Description | Risk Level | Approval |
List Sign-Ins | View recent sign-in events with optional filtering for failed sign-ins | Low | None |
Get AD Connect Status | Check Azure AD Connect synchronization status | Low | None |
List Inactive Accounts | List accounts inactive for 6+ months | Low | None |
Device Management
Tool | Description | Risk Level | Approval |
List Devices | List Intune-managed devices with name, OS, compliance, and user info | Low | None |
Get BitLocker Key | Retrieve the BitLocker recovery key for a device | High | Always |
Sync Device | Trigger an Intune sync to pull latest policies | Medium | Once |
Reboot Device | Remotely reboot a managed device | Medium | Once |
Retire Device | Retire a device from Intune management (removes company data) | High | Always |
Wipe Device | Factory reset a device (erases all data -- cannot be undone) | High | Always |
List Autopilot Devices | List Windows Autopilot enrolled devices | Low | None |
Groups & Teams
Tool | Description | Risk Level | Approval |
List Groups | List all M365 groups (security, distribution, M365, mail-enabled) | Low | None |
Get Group Members | List all members of a group | Low | None |
Get Group Owners | List all owners of a group | Low | None |
Add Group | Create a new M365 group | Medium | Once |
Edit Group | Update group properties (name, description, visibility) | Medium | Once |
Edit Group Members | Add or remove members and owners | Medium | Once |
Delete Group | Delete an M365 group (permanently removes group and content) | High | Always |
Hide Group from GAL | Hide or unhide a group from the Global Address List | Medium | Once |
Licensing & Tenant Admin
Tool | Description | Risk Level | Approval |
List Licenses | View all M365 license subscriptions with usage counts | Low | None |
List Tenants | List all managed tenants from CIPP | Low | None |
List Domains | List all domains registered in the M365 tenant | Low | None |
List Roles | List Azure AD directory roles | Low | None |
List Conditional Access Policies | View all Conditional Access policies | Low | None |
Add CA Exclusion | Add a user exclusion to a Conditional Access policy | High | Always |
List Named Locations | View named locations used in Conditional Access policies | Low | None |
List OAuth Apps | List OAuth/enterprise applications registered in the tenant | Low | None |
List Service Health | Check M365 service health and availability status | Low | None |
Teams & SharePoint
Tool | Description | Risk Level | Approval |
List Teams | List all Microsoft Teams | Low | None |
List Teams Activity | View Teams user activity (meetings, calls, chat counts) | Low | None |
List SharePoint Sites | List SharePoint sites or OneDrive accounts with usage statistics | Low | None |
Provision OneDrive | Pre-provision OneDrive for a user before their first login | Medium | Once |
High-impact actions like user deletion, device wipes, and password resets always require explicit technician approval.
Troubleshooting
Connection fails -- Verify your Application ID, Application Secret, and Tenant ID. Ensure the Azure AD app registration has the required permissions.
No tenants listed -- Confirm your CIPP instance is configured with access to the expected M365 tenants.
User not found -- Check that the company mapping is correct for the target tenant.
Permission denied on action -- Some actions require specific Azure AD permissions. Verify the app registration has the necessary API permissions granted.
Device wipe or retire fails -- Ensure the device is enrolled in Intune and the app registration has device management permissions.