Offboarding Overview
During onboarding, ContraForce deploys resources to your environment. Complete offboarding requires removing:Enterprise Applications
ContraForce service principals in Microsoft Entra ID
Azure Resources
Resource groups, Logic Apps, and API connections
Role Assignments
RBAC permissions granted to ContraForce
Agent Infrastructure
AI agent resource groups (if deployed)
Before You Begin
Prerequisites
1
Admin Access
Ensure you have Global Administrator access to Microsoft Entra ID
2
Azure Permissions
Ensure you have Owner or Contributor access to the Azure subscription
3
Document Current State
Note which ContraForce modules and features are currently deployed
4
Export Data
Export any incident data, reports, or configurations you need to retain
What Was Deployed?
The resources you need to remove depend on your deployment:| Deployment Type | Resources to Remove |
|---|---|
| XDR Module Only | Enterprise applications only |
| XDR + SIEM Module | Enterprise applications + Apollo resources + Sentinel resources |
| With AI Agents | All above + Agent Center resource groups |
Step 1: Remove Enterprise Applications
Enterprise applications consented during onboarding must be removed from Microsoft Entra ID.Accessing Enterprise Applications
- Microsoft Entra Admin Center
- Azure Portal
1
Navigate to Admin Center
Go to entra.microsoft.com
2
Open Enterprise Applications
Navigate to Identity > Applications > Enterprise applications
3
Search for ContraForce
Use the search box to find “ContraForce”
Applications to Remove
Remove the following enterprise applications:| Application Name | Application ID |
|---|---|
| ContraForce API | 24d97bc0-8f2b-45d5-8e0b-7fe286732ef2 |
| ContraForce Portal | 8b7cb435-9526-47ee-b79a-34433f0daad2 |
| ContraForce Sentinel Hunting | 6bf1c74d-7ade-4671-a507-166936f89a1f |
| ContraForce for MDE | 6efccc6a-f0d3-49e5-92d0-17d4afa9ba52 |
| ContraForce Gamebooks for MDE | ad7b0e79-3c37-4408-bf8f-eb89522cc920 |
| ContraForce Gamebooks for Identity | 36b0d51c-4c0f-4810-9cc4-bfbd40c7dd4a |
| ContraForce User Management | 460b65b7-3a5e-4a2c-98d0-e48fd35374a9 |
| ContraForce Gamebooks for Email | 44dbf6fe-45e3-48a3-bac3-f8d4cf1dba6d |
Deleting an Enterprise Application
For each application in the list above:1
Select the Application
Click on the application name in the list
2
Open Properties
Click Properties in the left navigation
3
Delete Application
Click Delete at the top of the page
4
Confirm Deletion
Confirm when prompted
Not all applications may be present—only delete applications that exist in your directory. The applications present depend on which modules and features were enabled during onboarding.
Step 2: Remove Azure Resources (Sentinel Deployments)
If you deployed the XDR + SIEM module with Microsoft Sentinel, remove the following Azure resources.Remove Apollo Resource Group
The Apollo resource group contains the infrastructure for real-time incident notifications.1
Open Azure Portal
Go to portal.azure.com
2
Navigate to Resource Groups
Click Resource groups in the left navigation
3
Find Apollo Resource Group
Search for
rg-contraforce-apollo4
Delete Resource Group
Click the resource group, then click Delete resource group
5
Confirm Deletion
Type the resource group name to confirm, then click Delete
Resources in Apollo Resource Group
The following resources are removed when you delete this resource group:| Resource Type | Name |
|---|---|
| Log Analytics Workspace | contraforce-apollo-* |
| Application Insights | contraforce-apollo-* |
| Function App | contraforce-apollo-* |
| App Service Plan | contraforce-apollo-* |
| Storage Account | contraforceapollo* |
Remove Sentinel Workspace Resources
Resources were also deployed to the resource group containing your Microsoft Sentinel workspace.1
Navigate to Sentinel Resource Group
Find the resource group containing your Sentinel workspace
2
Delete API Connection
Find and delete:
microsoftsentinel-Publish-Incident-To-Apollo3
Delete Logic App
Find and delete:
Publish-Incident-To-Apollo4
Delete Automation Rule
In Sentinel, go to Automation and delete:
Run-Playbook-Publish-Incident-To-ApolloDeleting Individual Resources
For each resource:1
Select Resource
Click on the resource name
2
Click Delete
Click Delete in the toolbar
3
Confirm
Confirm deletion when prompted
Step 3: Remove Role Assignments
ContraForce was granted RBAC permissions on your Azure resources. These should be removed.Finding Role Assignments
1
Navigate to Resource Group
Go to the resource group containing your Sentinel workspace
2
Open Access Control
Click Access control (IAM) in the left navigation
3
View Role Assignments
Click the Role assignments tab
4
Find ContraForce
Search for “ContraForce” in the list
Role Assignments to Remove
| Service Principal | Role | Scope |
|---|---|---|
| ContraForce API | Sentinel Contributor | Sentinel resource group |
| ContraForce API | Reader | Sentinel resource group |
Removing a Role Assignment
1
Select Assignment
Check the box next to the role assignment
2
Click Remove
Click Remove in the toolbar
3
Confirm
Click Yes to confirm removal
Step 4: Remove Agent Resource Groups (If Applicable)
If you deployed ContraForce AI Agents, additional resource groups must be removed.Agent Center Resource Group
1
Find Agent Center
Search for resource group:
cf-rg-agent-center2
Delete Resource Group
Click Delete resource group
3
Confirm
Type the name and confirm deletion
Resources in Agent Center
| Resource Type | Description |
|---|---|
| AI Foundry | AI model hosting |
| CosmosDB | Agent data storage |
| Container Apps Environment | Agent runtime |
| Virtual Network | Network isolation |
| Key Vaults | Secret management |
| Storage Accounts | Agent file storage |
Per-Agent Resource Groups
Each deployed agent has its own resource group:1
Search for Agent Groups
Search for resource groups matching:
cf-rg-agent-*2
Delete Each Group
Delete each agent resource group individually
3
Confirm Each Deletion
Confirm each deletion when prompted
Step 5: Remove Azure Lighthouse Delegation (If Applicable)
If Azure Lighthouse was configured for cross-tenant management, remove the delegation.1
Navigate to Service Providers
In Azure Portal, search for Service providers
2
View Delegations
Click Service provider offers to see active delegations
3
Find ContraForce
Locate the ContraForce delegation
4
Remove Delegation
Click the delegation, then click Delete
Offboarding Checklist
Use this checklist to ensure complete removal:Enterprise Applications
- ContraForce API removed
- ContraForce Portal removed
- ContraForce Sentinel Hunting removed
- ContraForce for MDE removed
- ContraForce Gamebooks for MDE removed
- ContraForce Gamebooks for Identity removed
- ContraForce User Management removed
- ContraForce Gamebooks for Email removed
Azure Resources (Sentinel Deployments)
-
rg-contraforce-apolloresource group deleted -
microsoftsentinel-Publish-Incident-To-ApolloAPI connection deleted -
Publish-Incident-To-ApolloLogic App deleted -
Run-Playbook-Publish-Incident-To-ApolloAutomation Rule deleted - ContraForce API role assignments removed
Agent Resources (If Applicable)
-
cf-rg-agent-centerresource group deleted - All
cf-rg-agent-*resource groups deleted
Azure Lighthouse (If Applicable)
- ContraForce delegation removed
Verifying Complete Removal
After completing the offboarding steps, verify removal:Check Enterprise Applications
1
Search Applications
In Entra ID, search Enterprise applications for “ContraForce”
2
Verify Empty Results
Confirm no ContraForce applications appear
Check Azure Resources
1
Search Resources
In Azure Portal, use the global search for “contraforce”
2
Verify Empty Results
Confirm no ContraForce resources appear
Check Role Assignments
1
Review IAM
Check Access Control (IAM) on your Sentinel resource group
2
Verify No ContraForce
Confirm no ContraForce service principals have assignments
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Can’t delete enterprise app | Insufficient permissions | Ensure you have Global Administrator role |
| Resource group won’t delete | Resources have locks | Remove resource locks before deleting |
| Role assignment won’t remove | Permission denied | Ensure you have Owner access to the subscription |
| Can’t find Apollo resource group | Different naming | Search for “contraforce” in all resource groups |
| Logic App deletion fails | Automation rule dependency | Delete the automation rule first |
Resource Locks
If you encounter “Cannot delete due to resource locks”:1
Navigate to Resource Group
Open the resource group in Azure Portal
2
Open Locks
Click Locks in the left navigation
3
Delete Locks
Delete any locks on the resource group
4
Retry Deletion
Attempt to delete the resource group again
Re-Onboarding After Offboarding
If you need to reconnect ContraForce in the future:- Contact the ContraForce team for a new onboarding wizard link
- Follow the standard onboarding process
- All resources will be recreated
- Historical data from before offboarding will not be available
Offboarding is permanent. If you think you may reconnect in the future, consider disabling functionality instead of fully removing it. Contact [email protected] to discuss options.
Getting Help
If you encounter issues during offboarding:Related Guides
Enterprise Applications
Overview of all service principals
Azure Resources Deployed
Complete resource documentation
XDR Onboarding
Re-onboarding the XDR module
Sentinel Onboarding
Re-onboarding the SIEM module
Questions about offboarding? Contact us at [email protected].