> ## Documentation Index > Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt > Use this file to discover all available pages before exploring further. # Customer Workspace Onboarding > Step-by-step guide for customer admins completing onboarding after their service provider has pre-onboarded their workspace. This guide is for **customer admins** whose service provider has pre-onboarded their workspace in ContraForce. You'll receive an invite email from your service provider. Click the link to start. **Who is this for?** * Customer security or IT admins completing the wizard their MSP/MSSP started for them * Global Administrators in the customer's Microsoft Entra tenant who need to grant ContraForce access If your sign-in fails before you reach the wizard, jump to [Troubleshooting: Sign-in failed](#troubleshooting-sign-in-failed). *** ## Prerequisites | Requirement | Why | | ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- | | **Microsoft Entra Global Administrator** | Required the very first time anyone from your tenant signs in, to grant ContraForce permission to read your security data | | **Invite email from your service provider** | The link in this email is your onboarding entry point | | **Pop-ups allowed for `portal.contraforce.com`** | The Microsoft consent prompts open in a popup window | If you aren't a Global Administrator, ContraForce will not be able to complete consent. Forward your invite link to a Global Admin in your organization and have them click it instead, or use the **Email Your Admin** option on the sign-in failed page. *** ## Step 1: Grant ContraForce Access to Your Tenant When you click the link in your invite email, you'll be redirected to Microsoft to sign in. The first time anyone from your organization signs in, a Global Administrator must approve ContraForce. Open the email from your service provider and click the onboarding link. You'll be redirected to Microsoft. Sign in with your Global Admin credentials. Microsoft displays a consent screen listing the permissions ContraForce needs to read security data from your tenant. Microsoft consent dialog showing ContraForce API permissions

Microsoft consent dialog showing ContraForce API permissions

Check **Consent on behalf of your organization** and click **Accept**. Second Microsoft consent screen with the org-wide checkbox highlighted

This is a one-time approval. Once a Global Admin grants consent, the rest of your team can sign in normally. *** ## Step 2: Sign In After consent is granted, sign in with your admin account. ContraForce recognizes that your service provider has already created your workspace, so you'll skip account creation and go straight into the **Setup Wizard**. *** ## Step 3: The Setup Wizard The wizard walks you through connecting your security tools to ContraForce. It's mostly automatic. The modules your service provider pre-selected are already chosen for you, and you just confirm them and grant consent for each one. ### 3a. Connect Detection Sources The wizard shows the detection modules your MSP pre-selected (for example, Microsoft Sentinel and Defender XDR). Each module your service provider chose appears with a **Connect** button. Wizard detection step showing pre-selected modules

Wizard detection step showing pre-selected modules

Detection modules with Connect buttons highlighted

A Microsoft consent prompt opens. Sign in if prompted, review the permissions, and click **Accept**. Microsoft sign-in step for the detection module consent

Microsoft sign-in step for the detection module consent

Permissions review step for the detection module consent

Final accept step for the detection module consent

Each module shows **Connected** once consent succeeds. You can connect modules in any order. Wizard with detection modules showing the Connected state

Wizard with detection modules showing the Connected state

**Microsoft Sentinel customers:** Connecting Sentinel triggers ContraForce to deploy the supporting Azure infrastructure in your subscription automatically. You don't need to run a separate Azure deployment step. The deployment runs in the background after you grant consent. Allow a few minutes for resources to appear. ### 3b. Connect Response Modules Same flow as detection. Confirm each pre-selected response module and grant consent. Response modules enable Gamebook actions like isolating devices, disabling users, and quarantining files. Wizard response step showing pre-selected modules

Wizard response step showing pre-selected modules

Complete the Microsoft consent prompt for each one. Microsoft sign-in step for the response module consent

Permissions review step for the response module consent

Final accept step for the response module consent

### 3c. Wizard Complete When every module is connected, the wizard shows a completion screen and hands you off to the **Command** page. Wizard completion screen with the Go to Dashboard button

Wizard completion screen with the Go to Dashboard button

Your service provider receives a real-time notification when you finish the wizard, so they know your workspace is ready. *** ## Step 4: Get Started Checklist The first time you land on the **Command** page, you'll see the **Get started with ContraForce** panel. It lists what's left to do. The customer checklist is shorter than the MSP version because your service provider already handled the agent center and account setup. | Item | What it means | | ----------------------------- | ------------------------------------------------------ | | **Connect detection sources** | Finish any detection modules you skipped in the wizard | | **Connect response modules** | Finish any response modules you skipped in the wizard | Get started checklist on the Command page

Get started checklist on the Command page

If you completed every module in the wizard, both items will already be checked and the panel will hide itself. ### Re-opening the Detection or Response Picker Click **Start** next to either item. ContraForce takes you straight to your **Workspace settings â†’ Modules** tab with the matching drawer (Detection or Response) already open. Workspace settings Modules tab with the Detection drawer open

Workspace settings Modules tab with the Detection drawer open

Select any module that wasn't in your wizard set, click **Add**, and complete the Microsoft consent prompt. Workspace settings Modules tab with the Response drawer open

Workspace settings Modules tab with the Response drawer open

If you close these panels, you can always re-open them by clicking the **Add Module** buttons on the Modules tab.

*** ## Troubleshooting: Sign-in Failed If you click your invite link and see a **Sign In Failed** page, it's almost always because: * You aren't a Global Administrator and ContraForce hasn't been pre-approved for your tenant yet * A previous sign-in attempt got into a bad state Need admin approval

### What to do This clears any stale session that might be blocking sign-in. Sign in. Microsoft will show the consent screen. Accept it, and you'll proceed into the wizard. Or copy the **Admin Consent Link** from the page and send it to a Global Admin in your organization. Once they accept, return to your invite link and click **Try Again**. Don't keep retrying the same sign-in repeatedly without signing out. Repeated failures can compound the bad-session state and require a browser cache clear to recover. *** ## Next Steps Your home base for incident triage across your environment How to triage, investigate, and respond to incidents Automated response workflows you can run from any incident The investigation command center *** **Need help?** Contact us at [support@contraforce.com](mailto:support@contraforce.com).