In this episode, Simon discusses the CyberDrain Improved Partner Portal (CIPP), an Azure app designed to streamline the administration of Office 365 tenants for Managed Service Providers (MSPs). Simon explains the features, benefits, and cost-effectiveness of this open-source tool, which allows MSPs to manage multiple tenants from a single platform. He highlights its rapid release cycle, integrations with other tools like Hudu and Ninja, and its ability to enhance first and second-line support productivity. Additionally, Simon addresses common concerns about open-source software, emphasising the robust support community and ongoing development behind CIPP.
00:00 Introduction and Welcome
00:21 Overview of CIPP
01:12 Cost and Hosting Options
02:50 Core Features and Functionality
06:08 Open Source and Community Support
17:16 Implementation and Best Practices
23:41 Conclusion and Contact Information
Connect with Simon Butler on LinkedIn by clicking here – https://www.linkedin.com/in/sembee/
Connect with Daniel Welling on LinkedIn by clicking here – https://www.linkedin.com/in/daniel-welling-54659715/
Connect with Adam Morris on LinkedIn by clicking here – linkedin.com/in/adamcmorris
Visit The MSP Finance Team website, simply click here – https://www.mspfinanceteam.com/
We look forward to catching up with you on the next one. Stay tuned!
Transcript:
Dan: Thanks for joining us, Simon. Great to have you with us on the podcast. Welcome along.
Simon: Hello.
Dan: So, Simon, as we often do, before we kick off with one of our podcast episodes, we have a chat in the green room. And of course, Simon, you and I have known each other for some years beforehand as well. And, today what we wanted to do was, I guess shine a light on The CIPP opportunity, and for some of our listeners, they’ll be fully aware and conversant with CIPP.
Dan: Others though may not have heard of it. And, and in fact I first came across this at a tech tribe meeting, and a good number of the MSPs in the room weren’t aware of it, at that point. So, Simon, perhaps you could give us a bit of a summary and educate those who aren’t aware.
Simon: Okay, CIPP, which stands for CyberDrain Improved Partner Portal, is an Azure app that allows an MSP to administrate all of their tenants that are within their partner portal from a single browser login. The cost of the app, let’s go straight to that. It’s an open source app, so it has a zero cost from that side.
Simon: The only cost you incur is the cost of hosting it within X, which for most MSPs is less than 10 pounds a month. And it does depend on how many tenants you have in the app on the cost, because obviously there’s a database backend. So from a cost point of view, it is very low end.
Simon: It is very highly functional and it’s going through a very rapid release cycle. I think we get releases like every two weeks. features and functionality.
Adam: And, and Simon, I’m just on the website actually at the moment, because it was just interesting looking at this and I can see self hosted is 0, but you can go to a sponsored or a corporate sponsor package,
Simon: Yeah, so basically, so they would look after it for you. So when you’re self hosting it, the only thing you have to do is every time there is a new release, you have to sync your release, with the master release. It uses the, the GitHub back end system. So you basically fork the project and you sync it up and about 20 minutes later, then your release is up to date.
Simon: So it really comes down to, how you want to work. If some clients, they won’t necessarily want to even go through any of the hassle of setting up all the Azure subscription and everything. So they’ll just go down the hosted route, but from, for many small MSPs, particularly if you’re in one of the partner programs and you’ve got a pile of Azure credits, which is what I.
Simon: It doesn’t actually cost me anything to host it because I just use my unused Azure credits to pay for it. So the
Dan: And, what does it actually do? Inexpensive as it might be. So
Simon: core idea of it, is to do the day to day management of an Office 365 tenant. So it’s ideal for first and second line support people. So they just, they log into it with credentials on the MSP’s own. And then by using, it has uses GDAP and that’s granular delegated, administrative privileges. So it allows you to log in to any one of your, partner tenants.
Simon: So your customer tenants to do day to day stuff. password resets, or setting up accounts, or changing accounts, or changing permissions, and all this sort of stuff. So from an MSP’s point of view, it means that, say particularly for first line, if you like, they’re not having to log in to each tenant in turn to do something, which can be a massive time saver, because it means you just log into one screen and do what you need to do.
Simon: Particularly, we hate to talk about it, but if someone leaves, you then haven’t got to worry about, credentials being scattered about across all of your Office 365 clients, because they’re just logging into one set of credentials and they’re using delegated permissions to make the changes. So there’s a lot of functionality in there. That’s what it’s, that’s it, that was its core thing that the guy created it, Microsoft MVP called Kelvin over in the US who, so the legend goes, created the first version in a weekend. That’s quite true, but that’s what we’re told. And, but now they’ve started to build it up.
Simon: So now you can do a lot of Intune management. You can do, you can start to apply standards. So that’s best practices across the tenant. So again, there’s a massive time saving there. So I was recently configuring a new tenant for one of my MSP customers. Normally would have taken me between two and three hours to set up, which included, searching through the Office 365 documentation to see whether the commands that I’d written down from last time have changed, because it’s a new week.
Simon: I literally did within like less than an hour. And because it’s in CIPP, that means that the MSP could then say, Oh, something that I’ve set is causing a problem. They can see it in the list, right? That’s what the problem is. Go and untick it. And it lists them, whether it’s a low impact, high impact, or.
Simon: Medium impact or no impact so that the MSP can know whether the change they’re proposing to make is likely to have an impact on the end users and it just gives you a lot of reporting and a lot of other things in there that can just make you the day to day management. Okay, you’re not going to be able to do a lot of the really complex stuff that your third line of guys are maybe doing.
Simon: That’s not what it’s designed to do. It’s designed to be able to have an interface that you know, it’s day to day. You log into it and there you go. You’ve got your you’ve got your all your tenants there. Someone phones up and you’re on tenant one. Then the next call is tenant two. The next call is tenant three.
Simon: You’re just flicking between screens. You’re not having to like. Run as most people do like five browsers with, incognito mode and everything to try and because they’re logging into multiple tenants,
Adam: And is there already other commercial solutions available that do this or part of it? But the difference is this is open source.
Simon: This is open source. So it runs. Microsoft had an attempt at it, which was called Lighthouse. And you have to sign up for Lighthouse, which is free to be able to open, which opens up a load of APIs. There are similar kind of tools. Probably the first one that comes to mind for me is MSP Easy Tools, which works and does a very similar thing.
Simon: But obviously that has a, that’s a paid option. There, there are, there’s another one, which I can’t remember the name of. API, please. It’s, and you can also just do it with your own self created PowerShell scripts, I guess, because that’s what effectively all these tools are, is they’re just lots and lots of PowerShell scripts in the back end.
Simon: But the biggest problem is keeping up to date. With Office 365, a tool that hasn’t been updated for six months effectively is useless to you because things will have changed, the APIs have changed, things have been depreciated or new things have been brought in. And what’s happened with CIPP is they’ve actually managed to get Microsoft to introduce new things that they can use.
Simon: And they, they’ve actually. They’ve got enough, contacts and influence within Microsoft to actually have new functionality introduced for them to use. They were one of the first to come out of the box with, with a GDAP compatible, multi tenanted tool when that first was launched and all this sort of stuff.
Simon: So, it’s very much a, A very dynamic tool that’s been constantly updated and they’re obviously working very closely with Microsoft to get these, to get the tools that the MSPs need to be able to manage multiple tenants,
Dan: It sounds like an absolute no, no brainer then, once you know about it to use it, and I guess, not everyone will immediately know about it and, hopefully this will help spread the word, but, what are the downsides? If it’s too good to be true, it’s too good to be true, right?
Dan: So what’s the, what are we missing here?
Simon: but it’s not going to do everything that you need in Office 365. It is not designed to do everything. So there are still going to be cases where you’re going to have to log into the tenant directly. That happens even now with, With GDAP permissions where there are some things you just cannot do under delegated permissions, and you’ve got to have a global admin on the actual tenant to be able to do, and that’s not going to go away.
Simon: But what it will mean is that potentially the, where you’re in your traditional 1st, 2nd, 3rd line support structure in an MSP, 1st line and 2nd line potentially can do more. Because it’s in a more controlled environment, if you like, and then only escalate up to third line, what really needs to be logged into the actual tenant and actually do the nitty gritty stuff that often involves, a PowerShell session or whatever being, being opened up to the tenant.
Simon: So it has its limitations, but I would say almost those limitations are probably almost by design, if you like. Because it’s not going to replace, the 300 portals we’ve got in Office 365 to, to manage all these various things. Everyone who works at Office 365, they’ll say, you’re spending most of your time in either the Exchange portal or the Endpoint portal, or in the Entra portal, and that’s about it.
Simon: And so it’s having. The key stuff and they’re very feature requests from their users. So they, someone says, we’re constantly using this. Can you add it in? They’re putting it in. One of the favorite features they’ve introduced, which I like and everyone I’ve introduced it to really like is vacation mode.
Simon: So where you’re using conditional access and you’re locking down the tenant to maybe country level or IP address level. That’s great. Someone then goes on holiday. So what were you having to do then? You were then having to create an exception for them in the conditional access rule. They go on holiday and then two weeks later you’ve got to remember to go back and take the rule out or, as heaven forbid, you have a ticket hanging around in your, ticketing system for two weeks waiting for them to come back on holiday to close off.
Simon: And anyone who’s a bit of a, a ticket ninja, be going, oh, I don’t like this ticket hanging around and sticking on hold and all this sort of stuff. What their vacation mode does is, a ticket comes in, so they say on the Thursday, I’m going on holiday from Monday. You can go on to vacation mode and say, from Monday for two weeks, put the exception in.
Simon: On Monday, it puts the exception in automatically. Two weeks time, it then takes the exception out again and you haven’t got to worry about it. And that feature alone, can save so much time, headache and, ticket close rates for clients. They just love that. And that’s that’s unique to not unique to them, but it’s not part of Office 365 in general.
Simon: So. It’s something that, it brings to the table that, is only available either by writing your own PowerShell scripts or via a third party tool.
Dan: So it sounds like some of the downsides may be limited by having a narrow range of, of, of use, but still, it sounds pretty. Sounds pretty far reaching and an MSP could become really reliant on this in terms of, gearing up their resource levels to be able to, all this extra time is great for profitability and efficiency.
Dan: But, I guess one of my, and I don’t know whether this is just my mindset on this, but I was always quite wary of open source, products that I wasn’t paying for, because if I’m paying for it, then that gives me some control as a purchaser. But obviously nothing is risk free, but, any, any thoughts around that, or is that just me to change my mindset?
Simon: I think, yeah, I think to be honest these days it’s a change, a bit of a change of mindset really because, open source, all the scripts are there, they’re very responsive, they, You can literally go on to, one of their support methods, which they have multiple methods and flag up something, and, it’s corrected very quickly.
Simon: The GitHub, they have the formal releases, but the GitHub is being constantly updated, so I think those kind of concerns are, are out there. No longer valid these days. They’re working for them. So, they’re working for other. They’re an MSP working for other MSPs.
Simon: So something that’s going to impact you is going to impact everyone else. They’ve built up this reputation over, a couple of years since it’s released in 2021. So they’re not going to want to, ruin it in any way or anything like that. So, that’s what they’re working to.
Simon: And going back to your point about the time saving. When I work, Yeah. For an MSP who hasn’t got it, it gets frustrating because I’m having to log in, I’m used to the save and time saving. And log in. Oh, no, hang on. Oh, I’m on client one. Hang on. I’ve got to log out of client and log into this other one, or I’ve got to start up another browser in incognito mode because I’m waiting for something to happen over here or something to happen over there.
Simon: And that’s often where I’ve introduced it because I’m working for it and going, well, haven’t you heard of CIPP? I could have done this in like 15 minutes. It’s taking me half an hour because I’ve had to log out one to log into another. And then I’ve had to go looking for it. Again, because obviously Microsoft like to move things around, as we all know,
Dan: Okay.
Simon: And so that’s the other thing about them.
Simon: Obviously, they’re keeping up to date with where Microsoft are making the changes. So for some of the run of the mill day to day stuff, I don’t have to do that anymore. I still do, but
Adam: So, so I’m just following up really on, on Dan’s question, because I kind of share the same reservation in general. If you’re not buying, if you’re not paying for anything, what accountability do they have to provide any support to you? And how does that work?
Simon: product. It’s
Adam: Yeah. It’s a community product.
Adam: Yeah. Yeah. It’s reliant on goodwill, it’s reliant on, community of people, doing good things, but ultimately they could wake up tomorrow and go, do you know what, maybe
Simon: say that about a lot of things, and it’s happened when, particularly within the, within the Linux crowd where, someone has literally gone on, I’ve had enough of this and, something’s been dropped, okay, it started off with one bloke, but there’s now, there’s a team of them and they’re very high profile within the American MSP community. So, they could say, yeah, I’m going to, going to drop out or whatever, but it’s PowerShell. There’s a lot, PowerShell has been around for a very long time. There’s a lot of people who are very screwed up on PowerShell. I expect, I would expect that if one of the key developers was to say, I’ve had enough, someone else would pick it up, or it would even get, forked off.
Simon: Everyone who uses CIPP has their own fork of CIPP. So that would effectively mean that, if the core, product was to stop being developed, people would just carry on and just say, instead of forking off to this one, you fork off mine. So, from a, from that point of view, I, I wouldn’t have any reservations, I don’t think the reservations really are valid.
Simon: We’re not talking about a little niche product that’s bloke in his bedroom. And if you look at their website, you can see that, they’ve got a lot of heavy hitting within the MSP community sponsors, Huntress, Ninja,
Adam: So, so in some ways, an MSP owner could look at this and they could take a view, whichever camp they’re in. They could, if they’re into open source, then they can embrace it. Or if they want to pay something more, they can go perhaps and look at one of the more commercial products out there.
Adam: So there’s kind of choice ultimately. And
Simon: the way it works, obviously the product has, it’s an app that you’ve granted permissions to within your tenant, it’s a GitHub thing, et cetera, et cetera. So, if you don’t like what it’s doing, you can just cut it off. You can take all his permissions away, you can kill the GitHub, etc.
Simon: And then it’s, it’s not doing anything anymore. So, it’s not like it’s doing stuff, effectively on its own that you can’t. Get rid of, okay, it has high level permissions, but it has to. That’s the kind of job. That’s the kind of product it is. A commercial product has the same thing.
Simon: You’re not
Adam: the power, the ability to do lots more in less time and across different tenants. Does that introduce questions around mistakes and the impact that mistakes have? Does it mean a little mistake could be a much bigger mistake?
Simon: making the same change across all of your tenants at the same time. Yes, there are things like standards and things like that. It’s got plenty of warnings where, you know, and it’s saying, you don’t let, you don’t apply the sorry to all of your tenants, or if you’re going to do, it’s going to have this impact.
Simon: But again, it’s GDAP, you would set permissions within your own tenant as to what people would do. So it’s not like you’re giving the first line of support. people, the keys to the kingdom.
Adam: Okay.
Dan: Yeah. And, and in truth, I think probably Simon hit the nail on the head for me with the traditional, or historical sort of open source, what one, one person, no backup, what happens if then, if they’re not available and there are commercial options for this, you can pay, and have a commercial, accountable, level of service and which, which makes it very much the same as any other.
Dan: Software product vendor that you partner with, there’s always risks there. So, so yeah, certainly I’m sold. But, maybe Simon, for those that are listening, that, that have, that have yet to come across this and therefore don’t know how to go about implementing it.
Dan: What guidance would you have there? For someone getting started.
Simon: Go to the website first off, which is cipp.app. There’s a lot of documentation on there. Now, just thing to be wary of is sometimes the documentation can be a little behind the releases because they’re releasing at such a rapid rate. But if you’re used to Office 365, you’ll be well, well familiar with documentation not really being with reality, but it’s often not that far away. The main thing I want to tend to tell clients if you’re going to implement is the first thing you do is you go and sign up for Lighthouse, which doesn’t cost you anything, but it can take a couple of hours for the full APIs and all the permissions and everything to filter through so you can actually move on to the next step. Then you just basically follow their instructions. So you’ll need a GitHub account, and you follow their instructions to tie the GitHub account to your Azure subscription and things like this you can then you can do things like put a custom URL on it so it’s nice and easy for your staff to find it and all this sort of stuff and it’s just a matter of sitting there and taking your time.
Simon: It does take an hour and a half or so to, to, to set up because you’re granting a lot of permissions and you have to basically you. Select those. You can’t just sort of like blanket choose everything because GDAP doesn’t let you do that. You have to be more selective because if you try and give GDAP too many permissions, it actually stops you from doing things.
Simon: So you have to be very selective. So you just have to sit there and go through this long list of permissions, but it’s a one time thing. So you know, one of your third line guys probably would, do it like an hour and a bit and then you can hand it off and say, look, get on with it. It’s quite intuitive to use.
Simon: Everyone I’ve introduced it to that sort of got onto it quite quickly. It’s got a fairly standard. structure to how it works on in your web browser. So it’s quite easy to like, jump into it and start looking at it. It’s got a lot of wizards, it’s got a lot of permissions check things.
Simon: So if it’s not working, it has things built into it that can go and check that you’ve actually done the setup correctly. You’ve granted it the right permissions and everything else. So, even though it’s an open source thing, it’s four or five people creating on it. And it’s, it’s been going since 2021.
Simon: It feels very mature. It feels very slick. It feels very professional. You don’t feel like it’s, a bedroom hobby project.
Dan: And, and then once, once it’s in, in place, any sort of best practice tips in terms of the ongoing management,
Simon: basically keep it up to date, but of course it will nag you. So as soon as you log in, if there’s a new release available, then it says, look, you’re out of date. It tells you, go off to GitHub and sync your, sync your fork up. So that’s probably pretty much it. And then obviously read the release notes and everything else.
Simon: I get the emails with the release notes on it and all this sort of stuff. We’re seeing so much, being, being released with it. They’ve recently released, an integration with Hudu. So you, where Hudu can now pull information from CIPP and populate its database.
Simon: So, we’re starting to, see a lot of the, what IMSP’s are looking for is, all the integrations with all their tools, so they have all this information, they can, there’s an integration with, with Ninja, which I believe where if you log into Ninja and you look at a user, you can then open that user in CIPP to make changes straight from Ninja and all this sort of stuff.
Simon: So all your tools are integrating together. So yeah, it’s a matter of, looking at, yeah. Not just as a tool on its own, but what else it can do for you to work with your other tools and, where you can make best use of the reporting that they’ve done quite a lot of work on as well and the other things that it’s coming along and, it’s, everyone I’ve introduced it to, they’ve sort of said, it’s quite a game changer with regards to, how they’ve been able to work and purely mainly on the time saving. But also the fact that, it’s a single interface, it’s difficult to make a mistake because you’re not interacting with PowerShell. You’re only seeing what you have, what is required to see. You’re going to Office 365, you often see lots and lots of things you don’t necessarily are interested in.
They’ve looked at it and gone, what’s the MSP actually need? That would
Dan: and pre presumably, another benefit here is that if you’re introducing less experienced, people into the service desk, they’re able to become productive sooner, with less risk. So time saved, but also. onboarding accelerated. Although what I am hearing is the, as with any, element in an MSP stack, they should be applying some time to proactive management and, if nothing else, just being a top of the product and knowing how it’s developing and communicating that to the rest of the team, taking
Simon: be the same with any
Dan: updating.
Dan: Yeah. Yeah.
Simon: It’s not, I don’t think these days any product is set and forget, you’ve got to keep on top of everything because you’ll either be caught out by a feature change or something being, depreciated or discontinued or just not working.
Simon: And this is just the same. It’s just another tool, but it’s something that, if you’ve got someone whose job that is to keep on top of your tools within your, in your third line team or whatever, which is quite common, I’m finding. Then it’s just another one that they need to add. It’s and it’s like every couple of weeks they get an email that says, there’s a new release, right?
Simon: Jump onto GitHub. Do sync. Thank you very much. Off you go. You can automate it. There is a GitHub method for automating it so you can completely make it so it will update itself for you. What your risk to that is, is up to you as to whether you want to actually go down that path or not. Personally, I don’t, but you know, if you want something that’s completely hands off, then you could set up, they do have a supportive way of making it so the self hosted solution does update itself automatically.
Simon: But yes, get the email so you get the release information so that you know what’s. What’s nice and new to play with?
Dan: Brilliant. I mean, this, as I say, it sounds pretty straightforward. And if, if you’re listening and you’re not, and you’re not part of this, then yeah, do, do follow up and, and learn about this. And, and I guess Simon, if anyone’s got any particular questions, they can always pick your brain as well.
Simon: Yeah, I’ve deployed it now a number of times, myself because I messed it up the first time, but, and I’ve done it for, for a number of my MSP clients as well. So, we’re well up to date with, the best way of doing it and getting everything in place that needs to be put in place.
Dan: Super. And, and that kind of leads us into our sort of shameless plug, part of the episode, other than CIPP, how else can you help?
Simon: Well, basically, I provide third line support for MSPs, whether that’s project based or ticket, just, trundling through tickets or whatever. So that’s what I, that’s what I do. So I You know, I have run on MSP. I’ve had my own MSP for almost 20 years. I’m down to probably about 50 seats because my main focus now is helping other MSPs.
Simon: If you find me on LinkedIn, you’ll find me going on about various stuff. I’m a former Exchange MVP. So obviously, Microsoft Exchange is an area that I still work in a lot because a lot of MSPs don’t have that skill set in house any longer. So that can be migrations or that can be looking after.
Simon: Exchange service that they’ve inherited and for whatever reason, they can’t get up into the cloud. So I do that for some clients, but you know, otherwise, I’m sort of like Jack of all trades, a master of one, and just sort of tend to get involved in all sorts of things, networking, Office 365, migrations, you name it on, the third line support, whether that’s, project based, ad hoc based or whatever.
Dan: Brilliant. Well, really appreciate your time today and taking us, through the CIPP opportunity and, yeah, hopefully, well, perhaps we’ll have you back on again sooner to talk about another topic.
Simon: Thank you very much.
Dan: Thank you very much. Cheers.