This guide walks you through the initial ContraForce platform setup. Complete these steps to connect your organization’s Microsoft environment before onboarding customer workspaces (partners) or beginning security operations (internal teams).
Who is this for?
  • Internal security teams deploying ContraForce for your own organization
  • MSP/MSSP partners setting up your parent tenant before onboarding customers

What You’ll Accomplish

By the end of this guide, you’ll have:

  • Connected Microsoft Environment: ContraForce linked to your Microsoft 365 and Azure environment
  • Active Workspace: Your organization’s workspace configured and receiving incidents
  • Team Access: Your team members added with appropriate roles
  • Response Capabilities: Gamebook actions authorized and ready to use

Prerequisites

Required Access

Requirement | Details
Microsoft 365 License | Business Premium, E3, or E5 with Defender capabilities
Global Administrator | Or Security Administrator role in Microsoft Entra ID
Azure Subscription Owner | Required only for XDR + SIEM module
ContraForce Account | Provided by ContraForce during contract setup

For XDR + SIEM Module (Optional)

Requirement | Details
Microsoft Sentinel | Active Sentinel workspace in your Azure subscription
Subscription Owner | To deploy Azure Lighthouse and Apollo resources
Resource Group Access | Ability to create resource groups in the subscription

If you don’t have Global Administrator access, contact your IT team. The consent process requires admin-level permissions to authorize ContraForce enterprise applications.

Step 1: Sign In to ContraForce

  1. Navigate to ContraForce's Onboarding Workflow
  2. Sign In with Microsoft: Click Sign in with Microsoft and use your organization credentials
  3. Complete MFA: Complete any multi-factor authentication prompts
  4. Accept Initial Permissions: Accept the basic sign-in permissions for the ContraForce Portal

First-time sign-in uses delegated permissions. Full platform access requires completing the onboarding wizard in the next steps.

Step 2: Create Your Organization Workspace

Your organization workspace is where your own security data lives—separate from any customer workspaces you may create later.

  1. Navigate to Workspaces: Click Workspaces in the left navigation
  2. Create New Workspace: Click Create Workspace
  3. Enter Workspace Details:
     • Name: Your organization name (e.g., “Acme Security Operations”)
     • Description: Optional description
     • Type: Select “Internal” for your own organization
  4. Save Workspace: Click Create to provision the workspace

Step 3: Launch Onboarding Wizard

  1. Open Workspace Settings: Click the gear icon on your new workspace
  2. Go to Modules: Select the Modules tab
  3. Start Onboarding: Click Configure or Start Onboarding Wizard

The first consent step authorizes ContraForce to access your Microsoft environment.

  1. Click Consent for ContraForce API: Click the Consent button next to ContraForce API
  2. Sign In as Global Admin: Sign in with your Global Administrator credentials
  3. Review Permissions: Review the requested permissions:
     • Read security events
     • Read user profiles
     • Read directory data
  4. Accept on Behalf of Organization: Check Consent on behalf of your organization and click Accept
  5. Repeat for ContraForce Portal: Complete the same consent flow for the ContraForce Portal application

Core Applications

Application | Purpose
ContraForce API | Platform backend access to your security data
ContraForce Portal | User authentication and portal access

Step 5: Select Your Module

Choose the module that matches your environment:

Choose XDR If:

  • You have Microsoft 365 with Defender but no Sentinel
  • You want the fastest deployment (~15 minutes)
  • You don’t need custom detection rules or log search

What You Get:

  • Defender XDR incident ingestion
  • Entity enrichment (users, devices, IPs, files, emails)
  • Gamebook response actions
  • Endpoint visibility

Click “XDR” to continue


Based on your module selection, consent the required enterprise applications.

Microsoft Defender Applications

Application | Purpose | Required For
ContraForce for MDE | Read endpoint and incident data | All deployments
ContraForce Gamebooks for MDE | Execute endpoint response actions | Gamebook actions
ContraForce Gamebooks for Identity | Disable users, reset passwords | Identity response
ContraForce Gamebooks for Email | Quarantine/release emails | Email response

Microsoft Sentinel Applications (SIEM Module Only)

Application | Purpose
ContraForce Sentinel Hunting | Query Log Analytics for threat hunting

  1. Consent Each Application: Click Consent next to each application
  2. Authenticate as Admin: Sign in with Global Admin credentials for each consent
  3. Accept Permissions: Review and accept the requested permissions
  4. Verify Green Checkmarks: Ensure all applications show a green checkmark indicating successful consent

Step 7: Deploy Azure Resources (Microsoft Sentinel Module Only)

Skip this step if you selected the XDR-only module.
For the XDR + SIEM module, ContraForce deploys Azure resources to enable Sentinel integration.

  1. Select Azure Subscription: Choose the subscription containing your Sentinel workspace
  2. Select Sentinel Workspace: Choose your Microsoft Sentinel workspace from the dropdown
  3. Deploy Apollo Infrastructure: Click Deploy to create the incident streaming infrastructure
  4. Wait for Deployment: Deployment takes 2-5 minutes. Do not close the browser.

What Gets Deployed

Resource | Purpose
Azure Lighthouse | Cross-tenant management delegation
Apollo Resource Group | Incident notification infrastructure
Logic App | Streams incidents to ContraForce
Role Assignments | Grants ContraForce access to Sentinel

Azure Resources Reference

Complete list of deployed resources

Step 8: Authorize Gamebook Service Principals

Gamebooks require additional authorization to execute response actions in your environment.

  1. Navigate to Gamebook Authorization: In the onboarding wizard, proceed to the Gamebook authorization step
  2. Click Authorize: Click Authorize for each Gamebook service principal
  3. Consent as Admin: Complete the admin consent flow for each authorization

Gamebook Capabilities by Authorization

Service Principal | Enables
MDE Gamebooks | Isolate device, run AV scan, collect investigation package
Identity Gamebooks | Disable user, reset password, revoke sessions
Email Gamebooks | Soft delete email, release from quarantine

Step 9: Add Your Team

Now add your team members so they can access the platform.

For Internal Security Teams

  1. Go to Settings → User Management: Navigate to organization-level user management
  2. Add Users: Click Add User and enter team member email addresses
  3. Assign Organization Role:
     • Organization Admin for platform administrators
     • Organization Member for analysts and engineers
  4. Assign to Workspace: Go to your workspace settings → Users & Groups → Add each user with a workspace role

For Partners (Setting Up Parent Tenant)

  1. Create Organization Groups: Go to Settings → User Management → Groups → Create groups like:
     • SOC Tier 1
     • SOC Tier 2
     • SOC Managers
  2. Add Team to Groups: Add your analysts and engineers to the appropriate groups
  3. Assign Groups to Workspace: Go to your workspace → Settings → Users & Groups → Add your groups with roles

Team Member | Workspace Role
Security Director / Manager | Admin
Senior Analyst | Incident Responder
Analyst | Incident Analyst
Security Engineer | Data Source Admin

Roles & Permissions Reference

Complete role capabilities and permissions

Step 10: Verify Your Deployment

Confirm everything is working correctly.

Verification Checklist

  • Workspace shows “Active” status
  • All enterprise applications show green checkmarks
  • Module shows “Configured” status
  • Team members can sign in and see the workspace
  • Incidents are appearing on the Command Page (may take 5-15 minutes)
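
The consent steps above grant tenant-wide permissions, so it is worth cross-checking the wizard's green checkmarks against what Microsoft Entra ID actually recorded. The script below is an added example, not ContraForce's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed and that the enterprise applications' display names begin with "ContraForce" (adjust the filter if yours differ).

```powershell
# Added example: list every permission recorded for the consented enterprise apps.
# Assumption: service principal display names start with "ContraForce".
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$apps  = Get-MgServicePrincipal -Filter "startswith(displayName,'ContraForce')" -All
$cache = @{}   # resource service principal id -> object, to avoid repeated lookups

function Get-ResourceSp([string]$Id) {
    if (-not $cache.ContainsKey($Id)) {
        $cache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    $cache[$Id]
}

$report = foreach ($sp in $apps) {
    # Application permissions (app roles): usable without a signed-in user.
    foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $role = (Get-ResourceSp $a.ResourceId).AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            App        = $sp.DisplayName
            Type       = 'Application'
            Resource   = $a.ResourceDisplayName
            Permission = $role.Value
            GrantedTo  = 'Tenant'
        }
    }
    # Delegated permissions (OAuth2 grants): exercised on behalf of a signed-in user.
    foreach ($g in (Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)) {
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                App        = $sp.DisplayName
                Type       = 'Delegated'
                Resource   = (Get-ResourceSp $g.ResourceId).DisplayName
                Permission = $scope
                GrantedTo  = if ($g.ConsentType -eq 'AllPrincipals') { 'All users' } else { $g.PrincipalId }
            }
        }
    }
}

# Full inventory, to compare with the application tables in this guide.
$report | Sort-Object App, Type, Permission | Format-Table -AutoSize

# Heuristic: anything that is not a plain "*.Read*" permission deserves a second look.
# Sign-in scopes such as openid or profile will also appear here.
$report | Where-Object Permission -notmatch '\.Read(\.|$)' | Format-Table -AutoSize
```

Keep the output with your onboarding records so later permission changes to these applications can be compared against it.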

Test Gamebook Actions

  1. Open an Incident: Click on any incident from the Command Page
  2. Select an Entity: Click on a user, device, or IP entity
  3. View Available Actions: Confirm Gamebook actions are available in the actions menu

Don’t test response actions on production entities! Gamebook actions like “Isolate Device” or “Disable User” execute immediately. Use a test account or device if you want to verify functionality.

Configure Notifications (SIEM Module)

If you deployed the SIEM module, configure email notifications:

  1. Go to Workspace Settings: Open your workspace → Settings → Notifications
  2. Configure Severity Filters: Select which severity levels should trigger notifications
  3. Save Settings: Click Save to apply notification preferences

Distribution Group Setup

To send notifications to a team inbox:
  1. Contact [email protected]
  2. Provide the distribution group email address
  3. ContraForce Engineering will configure the routing

Notifications Configuration

Complete notification setup guide


Troubleshooting

Issue | Cause | Solution
Consent popup blocked | Browser popup blocker | Allow popups for portal.contraforce.com
Consent fails | Not Global Admin | Use Global Admin credentials
Azure deployment fails | Insufficient permissions | Verify Subscription Owner access
No incidents appearing | No active incidents in source | Check Defender/Sentinel for existing incidents
Team member can’t see workspace | No workspace role | Assign user to workspace with a role
Gamebook actions unavailable | Service principal not authorized | Complete Gamebook authorization step

Getting Help

  • Contact Support: Email [email protected] for assistance
  • Request Onboarding Support: Schedule a call for hands-on help with your first deployment

Questions about platform onboarding? Contact us at [email protected].