The software is free and open-source. You pay for the Azure resources to host it (typically Azure Functions, Storage, Key Vault) — usually low single-digit dollars per managed tenant per month. Add the value of your time to operate it.

Does Lavawall® have CIPP's bulk-standardisation features?

Lavawall® focuses on detecting drift and rolling back unwanted changes. Bulk 'apply this CA policy to every tenant' workflows are CIPP's strength. Some MSPs run both.

What about rollback in CIPP?

CIPP has change tracking and some recovery patterns, but a structured plan → approve → execute rollback workflow with dry-run mode and explicit audit trails isn't its primary design. That's a Lavawall® differentiator.

Lavawall® vs CIPP — managed SaaS vs self-hosted M365 management for MSPs

CIPP — short for “CyberDrain Improved Partner Portal” — is a free, open-source M365 management platform built by and for MSPs. CIPP self-hosts on Azure (the MSP runs the deployment in their own subscription, paying only for the underlying Azure resources) and uses Microsoft Graph to manage all of an MSP's customer tenants from one console. Standardisation of tenant settings, alerting on configuration changes, and bulk operations across tenants are the headline use cases.

CIPP is genuinely impressive technology. It's actively developed, has a strong community, and gives MSPs that are willing to host and maintain it a tool that no commercial vendor offers at the same price (zero, plus Azure costs). For MSPs who have the engineering capacity and the time to operate an open-source platform, CIPP is a credible answer to a lot of M365 management problems.

Lavawall® is positioned at the MSPs for whom “build and maintain it yourself” is the wrong trade. The configuration backup & rollback module ships as a managed SaaS, with the data, audit-log correlation, plan → approve → execute rollback workflow, and the rest of the Lavawall® platform (patching, breach detection, GRC, helpdesk) all running on infrastructure Lavawall® operates. An MSP doesn't run an Azure deployment, doesn't tend a CIPP instance, doesn't backport upstream changes — they get a vendor with a support obligation.

Where Lavawall® wins

Managed SaaS, not self-hosted. CIPP requires you to host it in your own Azure subscription, manage updates, and operate the platform. Lavawall® is a vendor product — software updates, scaling, infrastructure, and support are all the vendor's problem. For MSPs without the engineering capacity to run open-source infrastructure, that's the difference between “available” and “actually used.”

Plan → approve → execute rollback workflow. Lavawall® treats rollback as a strict three-step lifecycle with audit trails. Dry-run mode previews every Graph call before any are made. CIPP provides change tracking and some standardisation tooling, but explicit configuration rollback with a structured approval workflow isn't its primary design point.

Azure subscription scope. Lavawall® covers Azure Network Security Group rules, Key Vault access policies, RBAC role assignments, and managed identities — not just M365 / Entra. CIPP focuses on M365 management with limited Azure subscription depth.

Bundled with the rest of the MSP platform. Configuration backup is one Lavawall® module. The same console covers patching, RMM, breach detection, GRC, helpdesk, and remote support. CIPP is M365-management-only; you stack it next to your RMM, your GRC tool, your helpdesk, etc.

Vendor support & SLA. Lavawall® is supported by ThreeShield, an audit firm. CIPP is supported by the open-source community — generous and responsive in many cases, but not contractually obligated to fix your incident.

Where CIPP wins

Free. Beyond the Azure hosting cost (often single-digit dollars per tenant per month), CIPP itself costs nothing. For MSPs with the engineering capacity to host and maintain it, the price-performance ratio is unbeatable.

Open source & transparent. Every line of code is visible. For MSPs whose clients require source-code transparency or who want to audit exactly how the tool interacts with M365, that's a meaningful property.

Active community development. New features ship continuously, often driven by the working MSPs in the community. Edge cases that commercial vendors might never prioritise often get addressed in CIPP.

Bulk standardisation across tenants. CIPP is unusually strong at applying standardised settings across many tenants — “every client gets this CA policy” workflows. Lavawall® focuses on detecting drift; CIPP also focuses on enforcing standards.

Feature comparison

Feature	Lavawall®	CIPP
Hosting model	Managed SaaS	Self-hosted on your Azure
Software cost	MSP add-on or bundled in Complete tier	Free (open source); pay Azure costs
Conditional Access policies	Yes	Yes
Entra ID role assignments	Yes	Yes
App registrations / service principals	Yes	Yes
Intune device-config / compliance profiles	Yes	Yes
Azure subscription RBAC role assignments	Yes	Limited
Azure NSG rules / Key Vault / managed identities	Yes	No
Bulk standardisation across tenants	Limited	Yes — primary use case
Configuration change feed with severity ratings	Yes	Limited
Plan → approve → execute rollback workflow	Yes (auditable)	No
Dry-run rollback (preview every API call)	Yes	No
Audit-log correlation in change feed	Yes	Yes
Bundled with breach detection / ITDR	Yes	No
Bundled with patching / RMM	Yes	No
Bundled with GRC / framework evidence	Yes — 15+ frameworks	No
Bundled with helpdesk & remote support	Yes	No
Vendor support / SLA	Yes (ThreeShield)	Community

Who should pick which?

Pick Lavawall® if…

You don't have spare engineering capacity to host and maintain CIPP.

You want config backup bundled with patching, breach detection, GRC, and helpdesk on one platform.

You need Azure subscription scope (NSG, Key Vault, RBAC) — not just M365 / Entra.

You need a vendor with a support obligation, not a community.

Pick CIPP if…

You have the engineering capacity to operate self-hosted Azure infrastructure and want maximum control.

Bulk tenant standardisation (“every client gets this baseline”) is a primary use case.

Software cost is a hard constraint and you're prepared to do the operational work yourself.

You can use both. CIPP for bulk standardisation; Lavawall® for the config backup & rollback workflow plus the rest of the platform. They're complementary patterns of M365 governance.

Frequently asked

Is CIPP really free?: The software is free and open-source. You pay for the Azure resources to host it (typically Azure Functions, Storage, Key Vault) — usually low single-digit dollars per managed tenant per month. Add the value of your time to operate it.
Does Lavawall® have CIPP's bulk-standardisation features?: Lavawall® focuses on detecting drift and rolling back unwanted changes. Bulk “apply this CA policy to every tenant” workflows are CIPP's strength. Some MSPs run both.
What about rollback in CIPP?: CIPP has change tracking and some recovery patterns, but a structured plan → approve → execute rollback workflow with dry-run mode and explicit audit trails isn't its primary design. That's a Lavawall® differentiator.