Description
n8n-nodes-cipp


n8n community node for CIPP.app – Comprehensive Microsoft 365 multi-tenant management.
> ⚠️ Beta Notice: This node is currently in beta and may not be fully functional yet. Some operations may be incomplete or require adjustments. Use in production at your own risk.
>
> 🤝 Contributions Welcome! We welcome bug reports, feature requests, and pull requests. If you encounter issues or have improvements, please open an issue or PR on GitHub.
Features
This node provides full integration with the CIPP API, enabling automation of:
- Identity Management – Users, groups, MFA, devices
- Tenant Administration – Alerts, licenses, standards
- Intune – Applications, Autopilot, device actions
- Teams & SharePoint – Teams, sites, voice numbers, shifts scheduling
- Security & Compliance – Defender alerts, incidents
- CIPP v10.5 APIs – Purview compliance, enrollment profiles, mailbox restores, alert snoozing, license reports
- CIPP v10.6 APIs – Copilot and Shadow AI, SharePoint sharing and recovery, CVE management, audit coverage, and Agent 365 reports
- Tools – Breach search, Graph API requests, ExecGraphRequest
- CIPP System – Scheduled jobs, backups
- Tenant Selector – Searchable dropdown to select tenants by name
- Field Picker – Multi-select for user properties (no need to memorize Graph API field names)
- Smart Defaults – Sensible default selections to keep responses fast and small
User-Friendly Design
Installation
n8n (Self-hosted)
npm install @joshuanode/n8n-nodes-cipp
Or add to your n8n Docker container:
In your Dockerfile
RUN npm install -g @joshuanode/n8n-nodes-cipp
n8n Cloud
Community nodes can be installed via Settings → Community Nodes → Install.
Credentials Setup
1. Create an Azure AD App Registration for CIPP API access
2. Configure the following in n8n:
– CIPP Instance URL: Your CIPP deployment URL (e.g., https://cipp.yourdomain.com)
– Azure AD Tenant ID: The tenant where your CIPP app registration lives
– Application (Client) ID: From your Azure AD app registration
– Client Secret: Generated from your app registration
For detailed authentication setup, see the CIPP API Documentation.
Resources & Operations
| Resource | Operations |
| —————— | ————————————————————————————————————————————————————- |
| Tenant | Get Many, Get Licenses, Get CSP Licenses, CSP License Action, Clear Cache |
| User | Get Many, Add, Disable, Enable, Reset Password, Reset MFA, Revoke Sessions, Remove, Create TAP, Set Per-User MFA, Send MFA Push, Clear Immutable ID, Offboard |
| Group | Add, Edit Members, Delete, Hide from GAL, Set Delivery Management, Get Many |
| Device | Get Many, Manage, Execute Action, Get Recovery Key, Get LAPS Password |
| Autopilot | Get Many, Assign, Remove, Sync, Sync DEP (ABM), Get Configurations |
| Mailbox | Convert, Enable Archive, Set Out of Office, Set Email Forwarding |
| Alert | Add, Get Many, Get Security Alerts, Get Security Incidents, Set Alert Status, Set Incident Status |
| Application | Get Many, Assign, Remove, Add WinGet/Store/Chocolatey/MSP/Office Apps |
| Team | Add, Get Many, Get Sites, Get Activity, Manage Site Members/Permissions |
| Teams Shift | List/Create/Update/Delete Shifts, Open Shifts, Scheduling Groups, Time Off Reasons; List/Create/Approve/Decline Time Off, Swap Shift & Offer Shift Requests |
| Voice | Get Phone Numbers, Get Locations, Assign/Unassign Numbers |
| Scheduled Item | Add, Get Many, Remove |
| Backup | Get Many, Run, Restore, Set Auto-Backup |
| CIPP v10.5 | Purview compliance policy/SIT/sensitivity label actions, enrollment profile actions, mailbox restore/CAS/HVE reports, alert snoozing, package tags, license reports |
| CIPP v10.6 | Copilot/Shadow AI settings and reports, SharePoint sharing/recovery/permissions, CVE exceptions, audit coverage, Agent 365, GDAP repair, and Intune policy cloning |
| Tools | Breach Search (Account/Tenant), Exec Graph Request, Graph Request (List), Graph Request (Exec) |
Example Usage
List All Tenants
Resource: Tenant
Operation: Get Many
Return All: true
List Users with Sign-In Activity
Resource: User
Operation: Get Many
Tenant: Select from dropdown
Fields to Return: Display Name, User Principal Name, Mail, Sign-In Activity
Return All: true
Create a New User
Resource: User
Operation: Add
Tenant: Select from dropdown
First Name: John
Last Name: Doe
Domain: contoso.com
Execute Device Action
Resource: Device
Operation: Execute Action
Tenant: Select from dropdown
Device ID:
Action: SyncDevice
Custom Graph Request
Resource: Tools
Operation: Graph Request (List)
Tenant: Select from dropdown
Endpoint: users
$select: id,displayName,userPrincipalName
$filter: startsWith(displayName,'John')
CIPP v10.5 APIs
Resource: CIPP v10.5
Operation: List Licenses Report
Tenant: Select from dropdown
Return All: true
Complex CIPP v10.5 create/edit/action operations use a validated JSON body so requests can match CIPP’s current API fields without the node guessing incomplete schemas. The node only allows the enumerated CIPP v10.5 endpoints, validates query/body JSON objects, and enforces a maximum serialized body size.
CIPP v10.6 APIs
Resource: CIPP v10.6
Operation: List Copilot Usage
Tenant: Select from dropdown
Return All: true
CIPP v10.6 actions provide typed fields for Copilot settings, Shadow AI sanctions, CVE exceptions, and common SharePoint management operations. Advanced Body Overrides can supply additional CIPP request fields when needed. This resource requires CIPP v10.6.0 or newer and the permissions introduced by that release.
Teams Shifts (Dedicated Resource)
Resource: Teams Shift
Operation: List Shifts
Tenant: Select from dropdown
Team ID:
Filters → Start Date: 2024-03-01T00:00:00Z
Filters → End Date: 2024-03-31T23:59:59Z
Resource: Teams Shift
Operation: Create Shift
Tenant: Select from dropdown
Team ID:
User ID:
Start Date Time: 2024-03-15T08:00:00Z
End Date Time: 2024-03-15T16:00:00Z
Options → Display Name: Morning Shift
Options → Theme: blue
> ⚠️ CIPP-API Requirement: The Teams Shift resource and the Exec Graph Request tool both use POST /api/ExecGraphRequest, which is not part of the standard CIPP API. You must be running a custom fork of CIPP-API that exposes the ExecGraphRequest endpoint. Without this, all Teams Shift operations and the Exec Graph Request tool will return a 404 or 400 error.
>
> If your fork uses a different route name (e.g., /api/GraphRequest), the Graph Request (Exec) tool has a built-in fallback. The dedicated Teams Shift resource does not — it expects /api/ExecGraphRequest to exist.
Graph Request (Exec) — Raw Graph Calls
Resource: Tools
Operation: Graph Request (Exec)
Tenant: Select from dropdown
Endpoint: teams//schedule/shifts
Method: POST
Body: {"userId":"","schedulingGroupId":"","sharedShift":{...}}
Notes:
Graph Request (Exec) sends a POST to /api/ExecGraphRequest and falls back to /api/GraphRequest if your fork uses that route name.teams/{id}/schedule/* (can be disabled in Exec Options).Development
Install dependencies
npm installBuild
npm run buildLint
npm run lintLink for local testing
npm link
Links
License
MIT