User Management

ContraForce provides flexible user management with role-based access control. Add users from your Entra ID directory, assign organizational and workspace roles, and control exactly what each team member can access.

Recommended Default Groups

Setting up default groups during initial configuration saves time and ensures consistent access patterns. Suggested Partner Groups

Group Name	Description	Suggested Workspace Role
SOC Tier 1	Front-line analysts handling initial triage	Incident Analyst
SOC Tier 2	Senior analysts with response capabilities	Incident Responder
SOC Managers	Team leads overseeing operations	Admin
Integration Engineers	Technical staff managing connectors	Data Source Admin
Account Managers	Customer relationship managers	Incident Analyst (read-only)

ContraForce integrates with Microsoft Entra ID (formerly Azure AD) to pull user identities. Users must exist in Entra ID before they can be added to ContraForce.

User Management Overview

Organizational Roles

Control who can manage users, groups, and workspace settings across your organization

Workspace Roles

Define what users can do within specific customer workspaces

User Roles at a Glance

ContraForce uses a two-tier role system: Organizational Roles control administrative access, while Workspace Roles control operational access.

Workspace Roles Quick Reference

Role	View Incidents	Run Gamebooks	Manage Endpoints	Manage Data Connectors	Manage Users
Admin	✓	✓	✓	✓	✓
Incident Responder	✓	✓	✓	—	—
Incident Analyst	✓	—	—	—	—
Data Source Admin	✓	—	—	✓	—

Complete Role Reference

View detailed permissions for all organizational and workspace roles

Adding Users During Onboarding

The easiest time to add users is during the initial ContraForce onboarding process.

Onboarding Wizard

When you deploy ContraForce modules, the Onboarding Wizard provides the first opportunity to add users:

Select User

Click the User dropdown to see available users from your Entra ID directory

Verify Name

Confirm the first and last name displayed matches the intended user

Assign Role

Select the appropriate workspace role from the dropdown

Add More Users

Repeat for additional users, or continue with onboarding

Add at least one Admin user during onboarding. This ensures you have full access to manage the workspace after setup is complete.

Managing Users After Onboarding

After initial setup, you can add and manage users through the Settings page. Before you can manage users post-onboarding, you must consent the User Management service principal:

Navigate to Workspaces

Go to the Workspaces page

Open Workspace Settings

Click the gear icon on the right side of the workspace row

Find User Management

Locate the User Management service principal in the list

Click Consent

Complete the Microsoft consent flow with admin credentials

User Management service principal consent

You must have Global Administrator or appropriate admin privileges in the Microsoft tenant to complete the consent flow.

Step 2: Access User Management

Open Settings

Click Settings in the navigation menu

Select User Management

Click the User Management tab

View Current Users

The user list displays all users with access to ContraForce

Step 3: Add New Users

Click Add User

Click the Add User button in the top right corner

Search for User

Search for the user by name or email in the Entra ID directory

Select User

Click the user to select them

Assign Roles

Choose organizational and workspace roles

Save

Click Add to complete the process

The Add User button only appears if your account has User Admin or Org Admin permissions.

Understanding Role Types

Organizational Roles

Organizational roles control administrative functions across your entire ContraForce instance:

Role	Add/Manage Users	Add/Manage Groups	Add Workspaces	View All Workspaces
Org Admin	✓	✓	✓	✓
User Admin	✓	✓	—	—
Workspace Admin	—	—	✓	✓
Org Member	—	—	—	—

Workspace Roles

Workspace roles control what users can do within specific customer workspaces:

Admin
Incident Responder
Incident Analyst
Data Source Admin

Full access to all workspace features

View and manage all incidents
Run any Gamebook action
Manage endpoints and data connectors
Configure workspace settings
Manage workspace users

Best for: Team leads, senior analysts, workspace owners

User Groups

Simplify access management by organizing users into groups.

Benefits of Groups

Bulk Assignment

Assign workspace access to multiple users at once

Easier Management

Update group membership instead of individual users

Consistent Access

Ensure team members have the same permissions

Creating Groups

Navigate to Groups

Go to Settings > Groups

Create New Group

Click Add Group and enter a name

Add Members

Search for and add users to the group

Assign to Workspaces

Assign the group to workspaces with appropriate roles

Assigning Users to Workspaces

Users need workspace assignments to access customer data.

Individual Assignment

Open the workspace settings
Navigate to Users or Access
Click Add User
Select the user and assign a workspace role
Save changes

Group Assignment

Open the workspace settings
Navigate to Groups or Access
Click Add Group
Select the group and assign a workspace role
All group members inherit access

Use groups for teams that need access to the same set of workspaces. This makes onboarding new team members faster—just add them to the appropriate group.

Managing Existing Users

Viewing User Details

Click any user in the User Management list to view:

Assigned organizational role
Workspace assignments and roles
Group memberships
Last login time

Editing User Roles

Select User

Click the user in the User Management list

Edit Roles

Modify organizational or workspace roles as needed

Save Changes

Click Save to apply the new permissions

Removing Users

Select User

Click the user you want to remove

Click Remove

Click the Remove User or Delete button

Confirm

Confirm the removal when prompted

Removing a user revokes all their access to ContraForce immediately. This action cannot be undone—you’ll need to re-add the user if you want to restore access.

Best Practices

Follow the principle of least privilege

Assign the minimum role necessary for each user’s job function. Start with Incident Analyst and escalate to Responder or Admin only when needed.

Use groups for team-based access

Create groups that mirror your team structure (e.g., “Tier 1 Analysts”, “Senior Responders”). This simplifies access management as team members change.

Audit user access regularly

Review user assignments quarterly to ensure former team members have been removed and current roles are still appropriate.

Document role assignments

Maintain records of who has access to which workspaces and why. This helps with compliance audits and access reviews.

Separate admin duties

Don’t give everyone Admin access. Reserve Admin roles for users who genuinely need to manage configurations and other users.

Troubleshooting

Common Issues

Issue	Possible Cause	Solution
Can’t see Add User button	Missing User Admin or Org Admin role	Contact your administrator for elevated permissions
User not found in dropdown	User doesn’t exist in Entra ID	Verify user exists in Microsoft Entra ID
Consent flow fails	Insufficient admin privileges	Use Global Administrator or appropriate admin account
User can’t access workspace	No workspace assignment	Assign user directly or via group to the workspace
User has wrong permissions	Incorrect role assignment	Edit user and assign correct workspace role

User Roles Reference

Complete permissions for all roles

Workspaces Page

Manage workspace settings

Enterprise Applications

Service principals and consent

Multi-Tenant Features

Managing multiple customers

Questions about user management? Contact us at support@contraforce.com.

Getting started

Onboarding

Technical

General Support

Recommended Default Groups

User Management Overview

Organizational Roles

Workspace Roles