> ## Documentation Index
> Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Customer Workspace Onboarding

> Step-by-step guide for customer admins completing onboarding after their service provider has pre-onboarded their workspace.

This guide is for **customer admins** whose service provider has pre-onboarded their workspace in ContraForce. You'll receive an invite email from your service provider. Click the link to start.

<Info>
  **Who is this for?**

  * Customer security or IT admins finishing the workspace their MSP/MSSP started for them
  * Global Administrators in the customer's Microsoft Entra tenant who need to grant ContraForce access
</Info>

If your sign-in fails before you reach your workspace, jump to [Troubleshooting: Sign-in failed](#troubleshooting-sign-in-failed).

***

## Prerequisites

| Requirement                                      | Why                                                                                                                       |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- |
| **Microsoft Entra Global Administrator**         | Required to grant ContraForce consent. Microsoft Graph app-only permissions can only be granted by a Global Administrator |
| **Invite email from your service provider**      | The link in this email is your onboarding entry point                                                                     |
| **Pop-ups allowed for `portal.contraforce.com`** | The Microsoft consent prompts open in a popup window                                                                      |
| **Azure Subscription Owner**                     | Only if you'll deploy the **Microsoft Sentinel** module, which deploys supporting Azure infrastructure                    |

<Warning>
  Granting consent requires a **Global Administrator**. Cloud App Admin and Application Admin roles cannot grant the app-only permissions ContraForce needs. If you aren't a Global Administrator, forward your invite link to a Global Admin in your organization and have them sign in instead.
</Warning>

***

## How onboarding works

Your service provider has already created your workspace and pre-selected the **Detection** and **Response** modules you need. Your job is to sign in, grant ContraForce access to your tenant, and grant **Consent** for each module on the **Modules** tab.

There's no completion screen to wait for. Your workspace is onboarded when its **status light turns green** on its card in the Workspace Center. Your service provider receives a real-time notification the moment your workspace goes live.

***

## Step 1: Grant ContraForce Access to Your Tenant

When you click the link in your invite email, you'll be redirected to Microsoft to sign in. The first time anyone from your organization signs in, a Global Administrator must approve the core ContraForce app.

ContraForce requests two core consents — **ContraForce API** and **ContraForce Portal** — as **two separate** Microsoft consent prompts. Accept both.

<Steps>
  <Step title="Click the invite link">
    Open the email from your service provider and click the onboarding link. You'll be taken to **portal.contraforce.com**.
  </Step>

  <Step title="Sign in as a Global Administrator">
    You'll be redirected to Microsoft. Sign in with your Global Admin credentials.
  </Step>

  <Step title="Review and accept the ContraForce API consent">
    Microsoft displays a consent screen listing the permissions ContraForce needs to read security data from your tenant. Check **Consent on behalf of your organization** and click **Accept**.

    <Frame caption="Microsoft consent screen: ContraForce API permissions">
      <img src="https://mintcdn.com/contraforce/WrVM0ufvE8QAC_TC/images/onboarding/customer-images/onboarding-01-customer-api-consent.png?fit=max&auto=format&n=WrVM0ufvE8QAC_TC&q=85&s=6c795bef90f96c825b3d9be9c9fd3e99" alt="Microsoft consent dialog showing ContraForce API permissions" width="663" height="980" data-path="images/onboarding/customer-images/onboarding-01-customer-api-consent.png" />
    </Frame>
  </Step>

  <Step title="Review and accept the ContraForce Portal consent">
    A second Microsoft consent prompt appears for the ContraForce Portal. Check **Consent on behalf of your organization** again and click **Accept**.

    <Frame caption="Second Microsoft consent screen: ContraForce Portal">
      <img src="https://mintcdn.com/contraforce/WrVM0ufvE8QAC_TC/images/onboarding/customer-images/onboarding-02-customer-second-consent.png?fit=max&auto=format&n=WrVM0ufvE8QAC_TC&q=85&s=4f388d348400602809c9394d9253d0c2" alt="Second Microsoft consent screen with the org-wide checkbox highlighted" width="658" height="931" data-path="images/onboarding/customer-images/onboarding-02-customer-second-consent.png" />
    </Frame>
  </Step>
</Steps>

<Tip>
  This is a one-time approval. Once a Global Admin grants both core consents, the rest of your team can sign in normally.
</Tip>

***

## Step 2: Consent to Your Modules

After the core consents are granted, open your workspace and go to the **Modules** tab. The modules your service provider pre-selected are already listed for you — you just grant **Consent** for each one.

<Steps>
  <Step title="Open your workspace">
    From the Workspace Center, open the workspace your service provider created for you.
  </Step>

  <Step title="Go to the Modules tab">
    Each pre-selected detection and response module appears here with a **Consent** action.
  </Step>

  <Step title="Click Consent on each module">
    A Microsoft consent window opens. Sign in if prompted, review the permissions, and click **Accept**. Consent is granted **per module** — repeat for each module on the tab. You can consent to modules in any order.
  </Step>
</Steps>

<Note>
  **Microsoft Sentinel customers:** Consenting to the Sentinel module automatically deploys the supporting Azure infrastructure in your subscription, including the Azure Lighthouse delegation, the Apollo resource group, and the Sentinel-side automation. You don't need to run a separate Azure deployment step. To deploy Sentinel, you must be an **Azure Subscription Owner**. Allow a few minutes for resources to appear.
</Note>

<Tip>
  Response modules (such as Gamebooks for Defender XDR, Identity, Microsoft 365, Azure, and SentinelOne) enable Gamebook actions like isolating devices, disabling users, and quarantining files. Consent to them the same way — a single **Consent** per module.
</Tip>

***

## Step 3: Confirm Your Workspace Is Live

There's no completion screen. Your workspace is onboarded when its **status light turns green** on its card in the Workspace Center.

| Status light | What it means                                                               |
| ------------ | --------------------------------------------------------------------------- |
| **Blue**     | Pre-onboarded — your service provider created the workspace and invited you |
| **Amber**    | A module or agent is still missing — finish consenting to your modules      |
| **Green**    | Onboarded and live — incidents will begin to flow in                        |

<Tip>
  Your service provider receives a real-time notification when your workspace goes live, so they'll know you're ready.
</Tip>

***

## Adding Users (After Onboarding)

Adding users is **not** part of onboarding. Once your workspace is live, add teammates from **Settings → User Management** using the **Invite people to the organization** dialog. Manage groups from **Settings → Group Management**.

***

## Troubleshooting: Sign-in Failed

If you click your invite link and see a **Sign In Failed** page, it's almost always because:

* You aren't a Global Administrator and ContraForce hasn't been pre-approved for your tenant yet
* A previous sign-in attempt got into a bad state

<Frame caption="Consent required">
  <img src="https://mintcdn.com/contraforce/WrVM0ufvE8QAC_TC/images/onboarding/customer-non-admin/onboarding-01-non-admin-customer-need-approval.png?fit=max&auto=format&n=WrVM0ufvE8QAC_TC&q=85&s=e8cebe48a7f5584ec0576ee1e2ac1eb5" alt="Need admin approval" width="662" height="668" data-path="images/onboarding/customer-non-admin/onboarding-01-non-admin-customer-need-approval.png" />
</Frame>

### What to do

<Steps>
  <Step title="Click Sign out in the top right">
    This clears any stale session that might be blocking sign-in.
  </Step>

  <Step title="If you're a Global Admin, click Try Again">
    Sign in. Microsoft will show the consent screen. Accept both core consents, and you'll proceed into your workspace.
  </Step>

  <Step title="If you're not a Global Admin, click Email Your Admin">
    Or copy the **Admin Consent Link** from the page and send it to a Global Admin in your organization. Once they accept, return to your invite link and click **Try Again**.
  </Step>
</Steps>

<Warning>
  Don't keep retrying the same sign-in repeatedly without signing out. Repeated failures can compound the bad-session state and require a browser cache clear to recover.
</Warning>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Defender for Endpoint Module" icon="laptop-code" href="/guides/onboarding/defender-for-endpoint-module-deployment">
    Deploy and consent to the Defender for Endpoint module
  </Card>

  <Card title="Command Dashboard" icon="chart-line" href="/guides/getting-started/command-dashboard">
    Your home base for incident triage across your environment
  </Card>

  <Card title="Incident Management" icon="shield-halved" href="/guides/getting-started/incident-management">
    How to triage, investigate, and respond to incidents
  </Card>

  <Card title="What Are Gamebooks?" icon="bolt" href="/guides/getting-started/what-are-gamebooks">
    Automated response workflows you can run from any incident
  </Card>
</CardGroup>

***

<Note>
  **Need help?** Contact us at [support@contraforce.com](mailto:support@contraforce.com).
</Note>
