# Microsoft Defender for Endpoint Module

> Enable endpoint visibility and management in ContraForce by consenting the Microsoft Defender for Endpoint enterprise application.

The Microsoft Defender for Endpoint enterprise application enables ContraForce to access Microsoft Defender for Endpoint (MDE) data. Once consented, you gain visibility into endpoints across your managed tenants and can perform response actions directly from ContraForce.

<Info>
  This enterprise application is required for the Endpoints page, device insights, and endpoint-related Gamebook actions in ContraForce.
</Info>

## What This Application Enables

<CardGroup cols={2}>
  <Card title="Endpoint Visibility" icon="laptop">
    View all devices managed by Defender for Endpoint across your workspaces
  </Card>

  <Card title="Device Details" icon="circle-info">
    Access device information including OS, health state, and exposure level
  </Card>

  <Card title="Incident Correlation" icon="link">
    See device-related incidents and timeline data during investigations
  </Card>

  <Card title="Response Actions" icon="shield-halved">
    Execute endpoint Gamebooks (with additional consent)
  </Card>
</CardGroup>

***

## Features Enabled

Once consented, the Microsoft Defender for Endpoint enterprise application enables the following capabilities:

### Endpoints Page

The ContraForce Endpoints page aggregates MDE data from all connected workspaces:

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/contraforce/images/defender-for-endpoint-endpoints-page.png" alt="ContraForce Endpoints page with MDE data" />
</Frame>

| Feature            | Description                                    |
| ------------------ | ---------------------------------------------- |
| **Device List**    | View all endpoints across managed tenants      |
| **Device Info**    | Access hardware, OS, and configuration details |
| **Health State**   | Monitor device security health                 |
| **Exposure Level** | See risk assessment for each device            |
| **Last Seen**      | Track when devices last checked in             |

### Entity Insights

During incident investigation, access device-related insights:

| Insight               | Description                                  |
| --------------------- | -------------------------------------------- |
| **Device Timeline**   | Chronological view of events on the endpoint |
| **Device Info**       | Detailed hardware and software information   |
| **Related Incidents** | Other incidents involving the same device    |

### Incident Data

The application also enables:

* Bi-directional incident streaming from Defender for Endpoint
* Fetching incident entities and evidence
* Alert timelines and investigation audit trails

<Tip>
  For full endpoint response capabilities (isolate, scan, quarantine), you'll also need to consent the **Gamebooks for Defender for Endpoint** enterprise application.
</Tip>

***

## Permissions

The Microsoft Defender for Endpoint enterprise application requests the following permissions. The Machine scopes belong to the Microsoft Defender for Endpoint API and the SecurityEvents scopes to Microsoft Graph, which is also how they are grouped on the Entra ID **Permissions** blade:

### Required Permissions

| Permission                       | API                           | Type        | Purpose                                    |
| -------------------------------- | ----------------------------- | ----------- | ------------------------------------------ |
| **Machine.Read.All**             | Microsoft Defender for Endpoint | Application | Read device information from MDE           |
| **Machine.ReadWrite.All**        | Microsoft Defender for Endpoint | Delegated   | Access device details during user sessions |
| **SecurityEvents.Read.All**      | Microsoft Graph               | Application | Read security alerts and incidents         |
| **SecurityEvents.ReadWrite.All** | Microsoft Graph               | Delegated   | Update incident status and assignments     |

<Warning>
  These permissions grant access to endpoint and alert data across the whole tenant, and the ReadWrite scopes are not read-only: they also allow updates such as changing incident status. Ensure you have proper authorization before consenting on behalf of customers.
</Warning>

### Permission Types Explained

| Type            | Description                                                                                                          | Use Case                        |
| --------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| **Application** | Runs without user context; the token is issued to the app itself, so the grant is tenant-wide and always needs admin consent | Background data synchronization |
| **Delegated**   | Runs on behalf of the signed-in user; effective access is the granted scope limited by what that user can already do | Interactive portal access       |

***

## Prerequisites

Before consenting this enterprise application:

<Steps>
  <Step title="Microsoft Defender for Endpoint">
    MDE must be deployed and active in the target tenant
  </Step>

  <Step title="Appropriate Licensing">
    Microsoft 365 Business Premium, E3, or E5 (or standalone MDE license)
  </Step>

  <Step title="Admin Permissions">
    Cloud App Admin, Application Admin, or Global Admin role in the target tenant. Note that the Application Administrator and Cloud Application Administrator roles cannot grant Microsoft Graph *application* permissions such as SecurityEvents.Read.All; if the consent prompt rejects that grant, sign in as a Global Administrator or Privileged Role Administrator instead
  </Step>

  <Step title="ContraForce Workspace">
    The workspace must be created and the tenant onboarded
  </Step>
</Steps>

***

## How to Consent

### Step 1: Navigate to Workspace Modules

<Steps>
  <Step title="Open Workspaces">
    Go to the **Workspaces** page in ContraForce
  </Step>

  <Step title="Select Workspace">
    Find the workspace you want to configure
  </Step>

  <Step title="Open Modules">
    Click the **gear icon** or **Modules** to access workspace settings
  </Step>
</Steps>

### Step 2: Add the Module

<Steps>
  <Step title="Click Add Module">
    Click the **Add Module** button
  </Step>

  <Step title="Select Microsoft Defender for Endpoint">
    Choose **Microsoft Defender for Endpoint** from the list
  </Step>

  <Step title="Confirm">
    Click **Confirm** to add the module to the workspace
  </Step>
</Steps>

### Step 3: Consent Permissions

<Steps>
  <Step title="Open the Module">
    Click on the **Microsoft Defender for Endpoint** module you just added
  </Step>

  <Step title="Review Permissions">
    Scroll down to see the list of permissions required
  </Step>

  <Step title="Click Consent">
    Click the **Consent** button to start the consent flow
  </Step>

  <Step title="Authenticate">
    Sign in with a Cloud App Admin, Application Admin, or Global Admin account from the target tenant
  </Step>

  <Step title="Accept Permissions">
    Review and accept the requested permissions
  </Step>
</Steps>

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/contraforce/images/defender-for-endpoint-consent-permissions.png" alt="Microsoft Defender for Endpoint permission consent" />
</Frame>

<Info>
  Consent is only complete when all three stages above are finished: adding the module, opening it, and accepting the Microsoft sign-in and permission prompt. If the Microsoft prompt is closed before the permissions are accepted, the module stays unconsented and no endpoint data is synced.
</Info>

***

## Verifying Consent

After consenting, verify the application is working:

### In ContraForce

1. Navigate to the **Endpoints** page
2. Select the workspace you just configured
3. Confirm devices are populating in the list

### In Microsoft Entra ID

1. Go to **Azure Portal** (or the Microsoft Entra admin center) > **Microsoft Entra ID** > **Enterprise Applications**
2. Search for "ContraForce" or the application name
3. Verify the application appears with **Enabled** status
4. Open **Permissions** and confirm the Application and Delegated permissions listed in the Permissions section appear under the **Admin consent** tab; an entry that appears only under **User consent** was granted by a single user and does not provide tenant-wide access
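The same check can be scripted, which helps when you manage many customer tenants. The block below is an added example using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules); it is not ContraForce's own tooling. It assumes the enterprise application's display name starts with "ContraForce" and that the required permissions are the four listed in the Permissions section; adjust both if the consent prompt in your tenant shows different names. Run it in a session signed in to the customer tenant with at least Directory.Read.All.

```powershell
# Added example (not ContraForce's code). Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns). Assumptions:
# the enterprise app's display name starts with $NamePrefix, and $Required mirrors the
# Permissions table on this page. Adjust both to what your tenant actually shows.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

$NamePrefix = "ContraForce"          # assumption: display-name prefix in Enterprise Applications
$Required = @{
    Application = @("Machine.Read.All", "SecurityEvents.Read.All")
    Delegated   = @("Machine.ReadWrite.All", "SecurityEvents.ReadWrite.All")
}

# Consenting an enterprise application creates a service principal in the customer tenant.
$sps = Get-MgServicePrincipal -Filter "startswith(displayName,'$NamePrefix')" -All
if (-not $sps) { Write-Warning "No enterprise application starting with '$NamePrefix'; consent has not run"; return }

foreach ($sp in $sps) {
    Write-Host "`n== $($sp.DisplayName)  appId=$($sp.AppId)  enabled=$($sp.AccountEnabled)"

    # Application permissions are appRoleAssignments on the client service principal.
    # Each carries only a role GUID; resolve it against the resource API's AppRoles to
    # get the familiar name (Machine.Read.All, SecurityEvents.Read.All, ...).
    $appPerms = @(foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
    }) | Where-Object { $_ }

    # Delegated permissions are oauth2PermissionGrants. ConsentType "AllPrincipals" is
    # tenant-wide admin consent; "Principal" is one user's own consent and is not enough.
    $grants   = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
    $delPerms = @($grants | Where-Object ConsentType -eq "AllPrincipals" |
                  ForEach-Object { $_.Scope -split " " } | Where-Object { $_ })

    $missing = @($Required.Application | Where-Object { $_ -notin $appPerms }) +
               @($Required.Delegated   | Where-Object { $_ -notin $delPerms })

    Write-Host "Application permissions  : $($appPerms -join ', ')"
    Write-Host "Delegated (admin consent): $($delPerms -join ', ')"
    if ($missing) { Write-Warning "Missing: $($missing -join ', ') - re-run the consent flow" }
    else          { Write-Host "All required permissions are granted." }
    if (-not $sp.AccountEnabled) { Write-Warning "Service principal is disabled; no tokens will be issued" }
}
```

The script reports a disabled service principal separately from missing grants because the two look the same from ContraForce (no devices) but are fixed differently: a disabled principal only needs **Enabled for users to sign-in** set back to **Yes**, whereas missing grants need the consent flow re-run.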

***

## Capability Matrix

The Microsoft Defender for Endpoint integration capabilities vary by license:

| Capability                        | Business Premium |  E3 |  E5 |
| --------------------------------- | :--------------: | :-: | :-: |
| **Incident Management**           |                  |     |     |
| Bi-directional incident streaming |         ✓        |  ✓  |  ✓  |
| Fetch incident entities           |         ✓        |  ✓  |  ✓  |
| Fetch incident evidence           |         ✓        |  ✓  |  ✓  |
| Alert timelines                   |         ✓        |  ✓  |  ✓  |
| **Device Insights**               |                  |     |     |
| Device info                       |         ✓        |  ✓  |  ✓  |
| Device timeline                   |        ✓\*       | ✓\* |  ✓  |
| Related incidents                 |        ✓\*       | ✓\* |  ✓  |
| **Endpoint Management**           |                  |     |     |
| View device list                  |         ✓        |  ✓  |  ✓  |
| View device info                  |         ✓        |  ✓  |  ✓  |

\*Requires Microsoft Defender for Endpoint Plan 2 add-on

<Card title="Full Capabilities Matrix" icon="table" href="/guides/technical/microsoft-defender-capability-matrix">
  View the complete Defender capability matrix including Gamebook actions
</Card>

***

## Related Enterprise Applications

The Microsoft Defender for Endpoint application works alongside other ContraForce enterprise applications:

| Application                                                                                                                         | Purpose                                               |
| ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- |
| **[Gamebooks for Defender for Endpoint](/guides/technical/contraforce-gamebooks-for-defender-for-endpoint-enterprise-application)** | Endpoint response actions (isolate, scan, quarantine) |
| **[Gamebooks for Identity](/guides/technical/contraforce-gamebooks-for-identity-enterprise-application)**                           | User response actions (disable, reset password)       |
| **[Microsoft 365 Response](/guides/technical/contraforce-microsoft-365-response-enterprise-application)**                           | Email response actions (delete email)                 |
| **[Azure Response](/guides/technical/contraforce-azure-response-enterprise-application)**                                           | Azure resource response actions                       |

<Tip>
  For a complete MXDR setup, consent all relevant enterprise applications based on the response capabilities you need.
</Tip>

***

## Troubleshooting

### Common Issues

| Issue                        | Possible Cause           | Solution                                                          |
| ---------------------------- | ------------------------ | ----------------------------------------------------------------- |
| **No devices showing**       | Consent incomplete       | Re-run the consent flow and complete all steps                    |
| **Consent fails**            | Insufficient permissions | Use a Cloud App Admin, Application Admin, or Global Admin account; if the failure is on the Microsoft Graph application permission, only a Global Admin or Privileged Role Admin can grant it |
| **Partial data**             | MDE not fully deployed   | Verify MDE is active on target devices                            |
| **Stale device data**        | Sync delay               | Wait 15-30 minutes for initial sync                               |
| **Permission denied errors** | Consent revoked          | Check Entra ID enterprise apps and re-consent                     |

### Checking Consent Status

In the workspace modules view, consented applications show a green checkmark or "Consented" status. If you see "Not Consented" or a warning icon, re-run the consent process.

### Revoking Consent

If you need to revoke consent:

1. Go to **Azure Portal** > **Microsoft Entra ID** > **Enterprise Applications**
2. Find the ContraForce Defender for Endpoint application
3. Go to **Properties** and set **Enabled for users to sign-in** to **No**. The tenant then issues no new tokens to the application (user or app-only), but the consent grants stay on the service principal, so re-enabling it restores access without a new consent flow. Tokens already issued remain valid until they expire
4. Or delete the application entirely, which also removes its permission grants; restoring access then requires running the full consent flow again
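Disabling sign-in in the portal stops token issuance but leaves the grants on the service principal. To remove the grants themselves, for example before handing a tenant back to the customer, the following added example (not ContraForce's tooling) deletes them with the Microsoft Graph PowerShell SDK and then disables the service principal. The display name is an assumed parameter: pass the name you found under Enterprise Applications. The session needs Global Administrator or Privileged Role Administrator rights in the customer tenant.

```powershell
# Added example (not ContraForce's code). Removes every consent grant held by the
# ContraForce Defender for Endpoint enterprise application and disables its service
# principal. Assumes the Microsoft Graph PowerShell SDK and a Global Administrator
# (or Privileged Role Administrator) session in the customer tenant.
param(
    [Parameter(Mandatory)] [string] $AppDisplayName   # assumption: exact name shown in Enterprise Applications
)

Connect-MgGraph -NoWelcome -Scopes "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -eq 0) { throw "No enterprise application named '$AppDisplayName' in this tenant" }
if ($sp.Count -gt 1) { throw "Display name '$AppDisplayName' is ambiguous; look up the appId and filter on that" }
$sp = $sp[0]

# 1. Application permissions (Machine.Read.All, SecurityEvents.Read.All, ...) are
#    appRoleAssignments on the service principal; delete each one.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
    Write-Host "Removing application permission $($_.AppRoleId) on $($_.ResourceDisplayName)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
}

# 2. Delegated permissions are oauth2PermissionGrants; this removes both the tenant-wide
#    (AllPrincipals) grant and any per-user (Principal) grants.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | ForEach-Object {
    Write-Host "Removing delegated grant [$($_.ConsentType)] $($_.Scope)"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

# 3. Disable the service principal (the portal's "Enabled for users to sign-in = No").
#    Entra ID then refuses new tokens to the app in this tenant, app-only tokens included;
#    tokens already issued stay valid until they expire.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# Confirm nothing is left behind.
$remaining = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All).Count +
             @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All).Count
Write-Host "Remaining grants on $($sp.DisplayName): $remaining (expected 0)"
```

Deleting the service principal (step 4 above) has the same end result in one call, but removing the grants first leaves an audit trail of exactly which permissions were revoked and lets you keep the principal for later re-consent.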

<Warning>
  Revoking consent will disable MDE data access in ContraForce for that workspace. The Endpoints page will no longer show devices.
</Warning>

***

## Best Practices

<AccordionGroup>
  <Accordion title="Consent during onboarding">
    Add and consent the Microsoft Defender for Endpoint module during initial workspace onboarding for a smoother setup experience.
  </Accordion>

  <Accordion title="Use a dedicated admin account">
    Create a dedicated account with Cloud App Admin or Application Admin permissions for consenting enterprise applications across customer tenants, and treat it as the privileged identity it is: enforce MFA, scope it with Conditional Access, and activate the role just-in-time (for example through Privileged Identity Management) rather than leaving it permanently assigned. Note that the consent itself must be performed by an account in the target tenant, so this is a per-tenant (or guest) identity rather than one account reused everywhere.
  </Accordion>

  <Accordion title="Document consent status">
    Track which enterprise applications are consented for each workspace to simplify troubleshooting.
  </Accordion>

  <Accordion title="Consent related applications together">
    If you need Gamebook response actions, consent both Microsoft Defender for Endpoint and Gamebooks for Defender for Endpoint at the same time.
  </Accordion>

  <Accordion title="Verify after consent">
    Always verify the Endpoints page is populating data after completing the consent flow.
  </Accordion>
</AccordionGroup>

***

## Related Guides

<CardGroup cols={2}>
  <Card title="Enterprise Applications Overview" icon="key" href="/guides/technical/enterprise-applications">
    Overview of all ContraForce enterprise applications
  </Card>

  <Card title="Gamebooks for Defender for Endpoint" icon="bolt" href="/guides/technical/contraforce-gamebooks-for-defender-for-endpoint-enterprise-application">
    Enable endpoint response actions
  </Card>

  <Card title="Endpoint Page" icon="laptop" href="/guides/getting-started/endpoint-page-overview">
    Using the Endpoints page in ContraForce
  </Card>

  <Card title="Defender Capability Matrix" icon="table" href="/guides/technical/microsoft-defender-capability-matrix">
    Full Defender feature capabilities
  </Card>
</CardGroup>

***

<Note>
  Questions about the Microsoft Defender for Endpoint enterprise application? Contact us at [support@contraforce.com](mailto:support@contraforce.com).
</Note>
