This enterprise application is required for the Endpoints page, device insights, and endpoint-related Gamebook actions in ContraForce.
What This Application Enables
Endpoint Visibility
View all devices managed by Defender for Endpoint across your workspaces
Device Details
Access device information including OS, health state, and exposure level
Incident Correlation
See device-related incidents and timeline data during investigations
Response Actions
Execute endpoint Gamebooks (with additional consent)
Features Enabled
Once consented, the Microsoft Defender XDR enterprise application enables the following capabilities:Endpoints Page
The ContraForce Endpoints page aggregates MDE data from all connected workspaces:
| Feature | Description |
|---|---|
| Device List | View all endpoints across managed tenants |
| Device Info | Access hardware, OS, and configuration details |
| Health State | Monitor device security health |
| Exposure Level | See risk assessment for each device |
| Last Seen | Track when devices last checked in |
Entity Insights
During incident investigation, access device-related insights:| Insight | Description |
|---|---|
| Device Timeline | Chronological view of events on the endpoint |
| Device Info | Detailed hardware and software information |
| Related Incidents | Other incidents involving the same device |
Incident Data
The application also enables:- Bi-directional incident streaming from Defender XDR
- Fetching incident entities and evidence
- Alert timelines and investigation audit trails
Permissions
The Microsoft Defender XDR enterprise application requests the following Microsoft Graph and Defender API permissions:Required Permissions
| Permission | Type | Purpose |
|---|---|---|
| Machine.Read.All | Application | Read device information from MDE |
| Machine.ReadWrite.All | Delegated | Access device details during user sessions |
| SecurityEvents.Read.All | Application | Read security alerts and incidents |
| SecurityEvents.ReadWrite.All | Delegated | Update incident status and assignments |
Permission Types Explained
| Type | Description | Use Case |
|---|---|---|
| Application | Runs without user context | Background data synchronization |
| Delegated | Runs on behalf of signed-in user | Interactive portal access |
Prerequisites
Before consenting this enterprise application:1
Microsoft Defender for Endpoint
MDE must be deployed and active in the target tenant
2
Appropriate Licensing
Microsoft 365 Business Premium, E3, or E5 (or standalone MDE license)
3
Admin Permissions
Global Administrator role in the target tenant
4
ContraForce Workspace
The workspace must be created and the tenant onboarded
How to Consent
Step 1: Navigate to Workspace Modules
1
Open Workspaces
Go to the Workspaces page in ContraForce
2
Select Workspace
Find the workspace you want to configure
3
Open Modules
Click the gear icon or Modules to access workspace settings
Step 2: Add the Module
1
Click Add Module
Click the Add Module button
2
Select Microsoft Defender XDR
Choose Microsoft Defender XDR from the list
3
Confirm
Click Confirm to add the module to the workspace
Step 3: Consent Permissions
1
Open the Module
Click on the Microsoft Defender XDR module you just added
2
Review Permissions
Scroll down to see the list of permissions required
3
Click Consent
Click the Consent button to start the consent flow
4
Authenticate
Sign in with a Global Administrator account from the target tenant
5
Accept Permissions
Review and accept the requested permissions
The consent flow is a 3-step process. Ensure you complete all steps for the application to function correctly.
Verifying Consent
After consenting, verify the application is working:In ContraForce
- Navigate to the Endpoints page
- Select the workspace you just configured
- Confirm devices are populating in the list
In Microsoft Entra ID
- Go to Azure Portal > Microsoft Entra ID > Enterprise Applications
- Search for “ContraForce” or the application name
- Verify the application appears with Enabled status
- Check Permissions to confirm grants are in place
Capability Matrix
The Microsoft Defender XDR integration capabilities vary by license:| Capability | Business Premium | E3 | E5 |
|---|---|---|---|
| Incident Management | |||
| Bi-directional incident streaming | ✓ | ✓ | ✓ |
| Fetch incident entities | ✓ | ✓ | ✓ |
| Fetch incident evidence | ✓ | ✓ | ✓ |
| Alert timelines | ✓ | ✓ | ✓ |
| Device Insights | |||
| Device info | ✓ | ✓ | ✓ |
| Device timeline | ✓* | ✓* | ✓ |
| Related incidents | ✓* | ✓* | ✓ |
| Endpoint Management | |||
| View device list | ✓ | ✓ | ✓ |
| View device info | ✓ | ✓ | ✓ |
Full Capabilities Matrix
View the complete Defender capability matrix including Gamebook actions
Related Enterprise Applications
The Microsoft Defender XDR application works alongside other ContraForce enterprise applications:| Application | Purpose |
|---|---|
| Gamebooks for Defender XDR | Endpoint response actions (isolate, scan, quarantine) |
| Gamebooks for Identity | User response actions (disable, reset password) |
| Microsoft 365 Response | Email response actions (delete email) |
| Azure Response | Azure resource response actions |
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| No devices showing | Consent incomplete | Re-run the consent flow and complete all steps |
| Consent fails | Insufficient permissions | Use a Global Administrator account |
| Partial data | MDE not fully deployed | Verify MDE is active on target devices |
| Stale device data | Sync delay | Wait 15-30 minutes for initial sync |
| Permission denied errors | Consent revoked | Check Entra ID enterprise apps and re-consent |
Checking Consent Status
In the workspace modules view, consented applications show a green checkmark or “Consented” status. If you see “Not Consented” or a warning icon, re-run the consent process.Revoking Consent
If you need to revoke consent:- Go to Azure Portal > Microsoft Entra ID > Enterprise Applications
- Find the ContraForce Defender XDR application
- Go to Properties and set Enabled for users to sign-in to No
- Or delete the application entirely
Best Practices
Consent during onboarding
Consent during onboarding
Add and consent the Microsoft Defender XDR module during initial workspace onboarding for a smoother setup experience.
Use a dedicated admin account
Use a dedicated admin account
Create a dedicated service account with Global Admin permissions for consenting enterprise applications across customer tenants.
Document consent status
Document consent status
Track which enterprise applications are consented for each workspace to simplify troubleshooting.
Consent related applications together
Consent related applications together
Verify after consent
Verify after consent
Always verify the Endpoints page is populating data after completing the consent flow.
Related Guides
Enterprise Applications Overview
Overview of all ContraForce enterprise applications
Gamebooks for Defender XDR
Enable endpoint response actions
Endpoint Page
Using the Endpoints page in ContraForce
Defender Capability Matrix
Full Defender feature capabilities
Questions about the Microsoft Defender XDR enterprise application? Contact us at [email protected].