Skip to main content
This guide covers the steps required to fully offboard ContraForce from your environment. Follow these procedures to remove all ContraForce enterprise applications, Azure resources, and role assignments.
Offboarding removes all ContraForce functionality from your environment. Ensure you have exported any data you need before proceeding. This action cannot be undone without re-onboarding.

Offboarding Overview

During onboarding, ContraForce deploys resources to your environment. Complete offboarding requires removing:

Enterprise Applications

ContraForce service principals in Microsoft Entra ID

Azure Resources

Resource groups, Logic Apps, and API connections

Role Assignments

RBAC permissions granted to ContraForce

Agent Infrastructure

AI agent resource groups (if deployed)

Before You Begin

Prerequisites

1

Admin Access

Ensure you have Global Administrator access to Microsoft Entra ID
2

Azure Permissions

Ensure you have Owner or Contributor access to the Azure subscription
3

Document Current State

Note which ContraForce modules and features are currently deployed
4

Export Data

Export any incident data, reports, or configurations you need to retain

What Was Deployed?

The resources you need to remove depend on your deployment:
Deployment TypeResources to Remove
XDR Module OnlyEnterprise applications only
XDR + SIEM ModuleEnterprise applications + Apollo resources + Sentinel resources
With AI AgentsAll above + Agent Center resource groups

Step 1: Remove Enterprise Applications

Enterprise applications consented during onboarding must be removed from Microsoft Entra ID.

Accessing Enterprise Applications

1

Navigate to Admin Center

Go to entra.microsoft.com
2

Open Enterprise Applications

Navigate to Identity > Applications > Enterprise applications
3

Search for ContraForce

Use the search box to find “ContraForce”

Applications to Remove

Remove the following enterprise applications:
Application NameApplication ID
ContraForce API24d97bc0-8f2b-45d5-8e0b-7fe286732ef2
ContraForce Portal8b7cb435-9526-47ee-b79a-34433f0daad2
ContraForce Sentinel Hunting6bf1c74d-7ade-4671-a507-166936f89a1f
ContraForce for MDE6efccc6a-f0d3-49e5-92d0-17d4afa9ba52
ContraForce Gamebooks for MDEad7b0e79-3c37-4408-bf8f-eb89522cc920
ContraForce Gamebooks for Identity36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a
ContraForce User Management460b65b7-3a5e-4a2c-98d0-e48fd35374a9
ContraForce Gamebooks for Email44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d

Deleting an Enterprise Application

For each application in the list above:
1

Select the Application

Click on the application name in the list
2

Open Properties

Click Properties in the left navigation
3

Delete Application

Click Delete at the top of the page
4

Confirm Deletion

Confirm when prompted
Not all applications may be present—only delete applications that exist in your directory. The applications present depend on which modules and features were enabled during onboarding.

Step 2: Remove Azure Resources (Sentinel Deployments)

If you deployed the XDR + SIEM module with Microsoft Sentinel, remove the following Azure resources.
Skip this step if you only deployed the XDR module without Sentinel integration.

Remove Apollo Resource Group

The Apollo resource group contains the infrastructure for real-time incident notifications.
1

Open Azure Portal

Go to portal.azure.com
2

Navigate to Resource Groups

Click Resource groups in the left navigation
3

Find Apollo Resource Group

Search for rg-contraforce-apollo
4

Delete Resource Group

Click the resource group, then click Delete resource group
5

Confirm Deletion

Type the resource group name to confirm, then click Delete

Resources in Apollo Resource Group

The following resources are removed when you delete this resource group:
Resource TypeName
Log Analytics Workspacecontraforce-apollo-*
Application Insightscontraforce-apollo-*
Function Appcontraforce-apollo-*
App Service Plancontraforce-apollo-*
Storage Accountcontraforceapollo*

Remove Sentinel Workspace Resources

Resources were also deployed to the resource group containing your Microsoft Sentinel workspace.
1

Navigate to Sentinel Resource Group

Find the resource group containing your Sentinel workspace
2

Delete API Connection

Find and delete: microsoftsentinel-Publish-Incident-To-Apollo
3

Delete Logic App

Find and delete: Publish-Incident-To-Apollo
4

Delete Automation Rule

In Sentinel, go to Automation and delete: Run-Playbook-Publish-Incident-To-Apollo

Deleting Individual Resources

For each resource:
1

Select Resource

Click on the resource name
2

Click Delete

Click Delete in the toolbar
3

Confirm

Confirm deletion when prompted

Step 3: Remove Role Assignments

ContraForce was granted RBAC permissions on your Azure resources. These should be removed.

Finding Role Assignments

1

Navigate to Resource Group

Go to the resource group containing your Sentinel workspace
2

Open Access Control

Click Access control (IAM) in the left navigation
3

View Role Assignments

Click the Role assignments tab
4

Find ContraForce

Search for “ContraForce” in the list

Role Assignments to Remove

Service PrincipalRoleScope
ContraForce APISentinel ContributorSentinel resource group
ContraForce APIReaderSentinel resource group

Removing a Role Assignment

1

Select Assignment

Check the box next to the role assignment
2

Click Remove

Click Remove in the toolbar
3

Confirm

Click Yes to confirm removal
You can also use Azure CLI to remove role assignments:
az role assignment delete --assignee "24d97bc0-8f2b-45d5-8e0b-7fe286732ef2" --resource-group "your-sentinel-rg"

Step 4: Remove Agent Resource Groups (If Applicable)

If you deployed ContraForce AI Agents, additional resource groups must be removed.
Skip this step if you did not deploy AI Agents. Most deployments do not include agents.

Agent Center Resource Group

1

Find Agent Center

Search for resource group: cf-rg-agent-center
2

Delete Resource Group

Click Delete resource group
3

Confirm

Type the name and confirm deletion

Resources in Agent Center

Resource TypeDescription
AI FoundryAI model hosting
CosmosDBAgent data storage
Container Apps EnvironmentAgent runtime
Virtual NetworkNetwork isolation
Key VaultsSecret management
Storage AccountsAgent file storage

Per-Agent Resource Groups

Each deployed agent has its own resource group:
1

Search for Agent Groups

Search for resource groups matching: cf-rg-agent-*
2

Delete Each Group

Delete each agent resource group individually
3

Confirm Each Deletion

Confirm each deletion when prompted

Step 5: Remove Azure Lighthouse Delegation (If Applicable)

If Azure Lighthouse was configured for cross-tenant management, remove the delegation.
1

Navigate to Service Providers

In Azure Portal, search for Service providers
2

View Delegations

Click Service provider offers to see active delegations
3

Find ContraForce

Locate the ContraForce delegation
4

Remove Delegation

Click the delegation, then click Delete

Offboarding Checklist

Use this checklist to ensure complete removal:

Enterprise Applications

  • ContraForce API removed
  • ContraForce Portal removed
  • ContraForce Sentinel Hunting removed
  • ContraForce for MDE removed
  • ContraForce Gamebooks for MDE removed
  • ContraForce Gamebooks for Identity removed
  • ContraForce User Management removed
  • ContraForce Gamebooks for Email removed

Azure Resources (Sentinel Deployments)

  • rg-contraforce-apollo resource group deleted
  • microsoftsentinel-Publish-Incident-To-Apollo API connection deleted
  • Publish-Incident-To-Apollo Logic App deleted
  • Run-Playbook-Publish-Incident-To-Apollo Automation Rule deleted
  • ContraForce API role assignments removed

Agent Resources (If Applicable)

  • cf-rg-agent-center resource group deleted
  • All cf-rg-agent-* resource groups deleted

Azure Lighthouse (If Applicable)

  • ContraForce delegation removed

Verifying Complete Removal

After completing the offboarding steps, verify removal:

Check Enterprise Applications

1

Search Applications

In Entra ID, search Enterprise applications for “ContraForce”
2

Verify Empty Results

Confirm no ContraForce applications appear

Check Azure Resources

1

Search Resources

In Azure Portal, use the global search for “contraforce”
2

Verify Empty Results

Confirm no ContraForce resources appear

Check Role Assignments

1

Review IAM

Check Access Control (IAM) on your Sentinel resource group
2

Verify No ContraForce

Confirm no ContraForce service principals have assignments

Troubleshooting

Common Issues

IssuePossible CauseSolution
Can’t delete enterprise appInsufficient permissionsEnsure you have Global Administrator role
Resource group won’t deleteResources have locksRemove resource locks before deleting
Role assignment won’t removePermission deniedEnsure you have Owner access to the subscription
Can’t find Apollo resource groupDifferent namingSearch for “contraforce” in all resource groups
Logic App deletion failsAutomation rule dependencyDelete the automation rule first

Resource Locks

If you encounter “Cannot delete due to resource locks”:
1

Navigate to Resource Group

Open the resource group in Azure Portal
2

Open Locks

Click Locks in the left navigation
3

Delete Locks

Delete any locks on the resource group
4

Retry Deletion

Attempt to delete the resource group again

Re-Onboarding After Offboarding

If you need to reconnect ContraForce in the future:
  1. Contact the ContraForce team for a new onboarding wizard link
  2. Follow the standard onboarding process
  3. All resources will be recreated
  4. Historical data from before offboarding will not be available
Offboarding is permanent. If you think you may reconnect in the future, consider disabling functionality instead of fully removing it. Contact [email protected] to discuss options.

Getting Help

If you encounter issues during offboarding:

Email Support

[email protected]

Submit a Ticket

Open a support ticket

Enterprise Applications

Overview of all service principals

Azure Resources Deployed

Complete resource documentation

XDR Onboarding

Re-onboarding the XDR module

Sentinel Onboarding

Re-onboarding the SIEM module
Questions about offboarding? Contact us at [email protected].