
How to restrict CyberDrain Improved Partner Portal (CIPP) to specific IP addresses using Conditional Access


CyberDrain Improved Partner Portal (CIPP) is a self-hosted or CIPP-as-a-Service multi-tenant Microsoft 365 management platform. Many organizations use it to access operational tools, scripts, reporting, and automation resources.

If unauthorized users gain access to a partner portal, they could gain access to privileged information, automation workflows, customer data, or management capabilities that could impact multiple environments.

By restricting CIPP access to specific IP addresses using Conditional Access policies, organizations can ensure that only users connecting from approved networks are able to access the platform.

This adds an important layer of protection by controlling where access can originate, helping reduce risk even if credentials are compromised.

Why restrict CIPP access by IP address

Restricting access based on IP address helps organizations enforce stronger environmental controls around sensitive operational platforms.

Key benefits:

  • Limits access to trusted environments only
  • Reduces the blast radius from compromised credentials
  • Protects privileged operational access
  • Adds a preventative layer of security
  • Supports Zero Trust security strategies
  • Helps reduce exposure from unmanaged devices and networks

For MSPs and IT providers managing multiple customer environments, restricting access to trusted locations can significantly reduce risk and improve operational security.

Step-by-step: How to restrict CIPP access to a specific IP address using Conditional Access

Unlike other applications, CIPP is not a third-party SaaS app that Entra ID federates with. It is deployed inside the MSP's own Azure tenant and its access is controlled entirely by the MSP's own Entra ID Conditional Access policies.

Because CIPP has no external SAML trust relationship to configure, restricting access by IP is done by creating a Named Location and Conditional Access policy in the MSP's Entra ID tenant, the same tenant where CIPP is deployed. There is no SAML enterprise application to target in a client tenant.

CIPP has three distinct access layers, each requiring a different configuration approach:

| Access layer | How it is secured | Where to configure |
| --- | --- | --- |
| CIPP UI (technician access) | Secured by Entra ID CA policies in the MSP's own tenant. Restrict by IP using a Named Location policy targeting All cloud apps or specific Azure app registrations. | Part A of this article. |
| CIPP Service Account | A dedicated Entra ID account used by CIPP to call the Microsoft Graph API. CIPP documentation requires its own CA policy enforcing MFA on every sign-in, with no trusted location exclusions. | Part B of this article. |
| CIPP-API (programmatic access) | CIPP's built-in API for RMM/PSA integrations. Has a native IP allowlist configured within CIPP Application Settings, independent of Entra ID CA. | Part C of this article. |

IMPORTANT: CIPP accesses client tenants via GDAP (Granular Delegated Admin Privileges). Client tenants may have their own Conditional Access policies that can block the CIPP service account from accessing client resources. This is addressed separately in Part D of this article.

Prerequisites

  • Microsoft Entra ID P1 or P2 license in the MSP's tenant — required for Conditional Access.
  • Conditional Access Administrator role or higher in the MSP's Entra ID tenant.
  • Security Defaults disabled in the MSP's tenant.
  • Known static IP address(es) — the public IP address or CIDR range of each approved location.
  • Break-glass admin account in the MSP's tenant — must be excluded from IP restriction policies.

Step 1: Create a Named Location for your trusted IP(s)

This Named Location will be referenced by both the technician access policy (Part A) and optionally used as context for the service account policy (Part B).

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com using the MSP's tenant credentials.
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges location.
  4. Name the location — for example: Trusted - MSP Office
  5. Check the Mark as trusted location checkbox.
  6. Enter your approved IP address or CIDR range and click Create.

Part A: Restrict CIPP technician access by IP

CIPP technicians sign in to the CIPP UI using their Entra ID accounts in the MSP's tenant. Because the CIPP frontend is an Azure Static WebApp registered in the MSP's tenant, a Conditional Access policy targeting All cloud apps will cover CIPP UI access alongside all other cloud resources in the tenant.

NOTE: If your organization already has a broad IP restriction policy covering all cloud apps in the MSP's tenant, CIPP UI access is already restricted by that policy. Confirm your existing policies before creating a new one to avoid conflicts.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies and select + New policy.
  2. Name the policy — for example: Block CIPP Access - Outside Trusted IPs
  3. Under Assignments > Users, select the group or users who have CIPP access. Exclude your break-glass admin account.
  4. Under Target Resources, select All cloud apps, or select the specific CIPP Azure Static Web App registration if you prefer a narrower scope.
  5. Under Conditions > Locations, set Configure to Yes. Set Include to Any location and Exclude to your Named Location from Step 1.
  6. Under Access Controls > Grant, select Block access.
  7. Set Enable policy to Report-only, validate in sign-in logs, then switch to On.

Part B: Conditional Access policy for the CIPP service account

The CIPP service account is a dedicated Entra ID account that CIPP uses to call the Microsoft Graph API across client tenants. CIPP's own documentation specifies a distinct CA policy for this account, and the requirements differ importantly from the technician access policy.

IMPORTANT: CIPP's documentation explicitly states that the service account CA policy must enforce MFA on every single sign-in and must NOT include any trusted location exclusions. Do not add your Named Location as an exclusion to this policy. The reasoning is that the CIPP service account should always complete MFA regardless of source IP — relaxing this for trusted IPs weakens the security posture of access to all managed client tenants.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies and select + New policy.
  2. Name the policy: CIPP Service Account Conditional Access Policy
  3. Under Assignments > Users, include only the CIPP service account user.
  4. Under Target Resources, select All cloud apps.
  5. Under Access Controls > Grant, select Grant access and require Azure Multi-Factor Authentication.
  6. Under Session, set Sign-in frequency to Every time to require MFA on every sign-in.
  7. Do not add any location conditions or trusted location exclusions.
  8. Set Enable policy to On.
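Step 1 and Parts A and B expressed as Microsoft Graph request bodies, together with a check for the Part B rules above, as an added example that is not the article's or CIPP's own code. The group, user and location IDs and the CIDR are constructed placeholders, and the named-location ID is assumed to be the id Graph returns when the Step 1 location is created.

```python
# Added example, not from the article or the CIPP project: Step 1, Part A and Part B as
# Microsoft Graph request bodies, plus a check for the Part B pitfalls the article warns
# about. Runs offline. IDs and the CIDR are constructed placeholders.
NAMED_LOCATION_ID = "11111111-1111-1111-1111-111111111111"  # id Graph returns for Step 1
CIPP_TECH_GROUP_ID = "22222222-2222-2222-2222-222222222222"
BREAK_GLASS_USER_ID = "33333333-3333-3333-3333-333333333333"
SERVICE_ACCOUNT_ID = "44444444-4444-4444-4444-444444444444"

def named_location_body(name, cidrs, trusted=True):
    """Step 1: body for POST /identity/conditionalAccess/namedLocations."""
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": trusted,
            "ipRanges": [{"@odata.type": "#microsoft.graph.iPv6CidrRange" if ":" in c
                          else "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
                         for c in cidrs]}

def technician_policy_body(group_id, break_glass_id, location_id):
    """Part A: block every location except the trusted Named Location; starts report-only."""
    return {"displayName": "Block CIPP Access - Outside Trusted IPs",
            "state": "enabledForReportingButNotEnforced",
            "conditions": {
                "users": {"includeGroups": [group_id], "excludeUsers": [break_glass_id]},
                "applications": {"includeApplications": ["All"]},
                "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

def service_account_policy_body(service_account_id):
    """Part B: MFA on every sign-in and deliberately no locations condition."""
    return {"displayName": "CIPP Service Account Conditional Access Policy",
            "state": "enabled",
            "conditions": {"users": {"includeUsers": [service_account_id]},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
            "sessionControls": {"signInFrequency": {
                "isEnabled": True, "frequencyInterval": "everyTime",
                "authenticationType": "primaryAndSecondaryAuthentication"}}}

def check_service_account_policy(policy):
    """Lists Part B violations in a policy as read back from GET .../policies/{id}."""
    problems = []
    if "mfa" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        problems.append("MFA not required")
    if (policy.get("conditions") or {}).get("locations") is not None:
        problems.append("location condition or trusted-location exclusion present")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        problems.append("sign-in frequency is not 'every time'")
    return problems
```

Running the checker over the policies read back from the tenant after Part B is configured is a quick way to catch a trusted-location exclusion that was added by mistake.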

Part C: Restrict CIPP-API access by IP (programmatic access)

If your organization uses the CIPP-API for integration with RMM tools, PSA platforms, or automation workflows, access can be restricted by IP directly within CIPP's Application Settings independently of Entra ID Conditional Access.

  1. In the CIPP portal, navigate to CIPP > Integrations > CIPP-API.
  2. Locate the API client you wish to restrict in the table.
  3. Select the Actions menu (three dots) and choose Edit.
  4. In the Allowed IP Ranges field, enter the approved IP addresses or CIDR ranges that are permitted to use this API client. Supports both IPv4 and IPv6 in CIDR notation.
  5. Click Save, then select Actions > Save Azure Configuration to apply the changes to the Function App authentication settings.

NOTE: The CIPP-API IP allowlist is per API client. If you have multiple API clients configured, each one must be restricted individually. Clients with no IP ranges specified are accessible from any IP.

Part D: Exclude the MSP from client tenant Conditional Access policies

When CIPP accesses client tenants via GDAP, client Conditional Access policies are evaluated for the CIPP service account. If a client tenant has IP-based or other Conditional Access policies without an exclusion for the MSP tenant, CIPP will be blocked from managing that client.

To prevent this, each client tenant's Conditional Access policies should include an exclusion for the MSP's tenant ID.

  1. In the Microsoft Entra admin center, navigate to the client tenant (or use CIPP to access the client tenant's CA policies).
  2. For each Conditional Access policy in the client tenant, open the policy and navigate to Assignments > Users.
  3. Under Exclude, select Guest or external users, then choose Service Provider Users.
  4. Enter the MSP's tenant ID in the field provided.
  5. Save the policy. Repeat for all active policies in the client tenant.

NOTE: If you are running CIPP in Direct Tenant mode rather than GDAP mode, exclude the specific CIPP service account user for that tenant instead of using the tenant-wide exclusion.

Summary

The following table summarizes the full configuration:

| Component | Action |
| --- | --- |
| Step 1 | Create a Named Location with trusted MSP IP addresses in the MSP's Entra ID tenant |
| Part A | Create a CA policy restricting CIPP technician sign-ins by IP using the Named Location — targeting All cloud apps or the specific CIPP app registration |
| Part B | Create the CIPP Service Account CA policy enforcing MFA on every sign-in — no location exclusions |
| Part C | Restrict CIPP-API clients by IP using the native Allowed IP Ranges setting in CIPP Application Settings |
| Part D | Add MSP tenant ID exclusions to each client tenant's CA policies to ensure GDAP-based access is not blocked |

FAQs

Why is restricting access by IP address important for partner portals?

Partner portals often contain sensitive information like administrative tools, customer information, automation scripts, and operational resources. Restricting access by IP address helps ensure these systems are only accessible from trusted environments.

How do IP restrictions improve security if MFA is already enabled?

MFA verifies identity, while IP restrictions add an additional control that blocks access attempts from unauthorized networks even after successful authentication.

Can IP restrictions help prevent account takeover attacks?

Yes. Even if an attacker compromises valid credentials, IP restrictions can prevent access if the login attempt originates from an unapproved location.

Why are partner portals considered high-value targets?

Partner portals may provide access to customer environments, integrations, automation tools, documentation, and administrative capabilities that attackers can use to expand access or disrupt operations.
