This guide walks you through deploying the ContraForce Defender module, enabling you to manage Microsoft Defender for Endpoint incidents, run Gamebook response actions, and monitor endpoints across your managed workspaces.
The Defender module is designed for environments using Microsoft Defender for Endpoint (Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps). If you also use Microsoft Sentinel, consider the XDR + SIEM module instead.

Before You Begin

Prerequisites

Ensure you have the following before starting deployment:
  1. Microsoft Defender for Endpoint: An active Microsoft Defender for Endpoint deployment in the target tenant
  2. Admin Credentials: Global Administrator access to the Microsoft tenant being onboarded — required to grant admin consent for ContraForce enterprise applications. Cloud Application Administrator and Application Administrator cannot grant consent for Microsoft Graph application permissions.
  3. Portal Access: Access to portal.contraforce.com, plus your workspace invite link if you are a customer admin onboarding an invited workspace

Supported Licenses

The Defender module works with the following Microsoft 365 licenses:
| License | Supported | Notes |
| --- | --- | --- |
| Microsoft 365 Business Premium | | Full XDR capabilities |
| Microsoft 365 E3 | | Full XDR capabilities |
| Microsoft 365 E5 | | Full XDR capabilities + advanced features |
| Standalone Defender for Endpoint | | Endpoint features only |

Capability Matrix

View detailed feature availability by license tier

Module Options

ContraForce offers two deployment modules. Choose based on your security stack:

Defender Module

Microsoft Defender for Endpoint only
  • Defender for Endpoint incidents
  • Endpoint management
  • Identity and email response
  • Gamebook actions
Choose this if you don’t use Microsoft Sentinel

XDR + SIEM Module

Defender for Endpoint + Microsoft Sentinel
  • Everything in Defender module
  • Sentinel incidents
  • Advanced threat hunting
  • Data connectors
  • Custom notifications by severity
Choose this if you use Sentinel alongside Defender

Feature Comparison

| Feature | Defender Module | XDR + SIEM Module |
| --- | --- | --- |
| Defender for Endpoint Incidents | | |
| Endpoint Management | | |
| Gamebook Response Actions | | |
| Entity Insights | | |
| Sentinel Incidents | | |
| Advanced Threat Hunting | | |
| Data Connectors | | |
| Custom Severity Notifications | | |

Not sure which module to choose? Start with the Defender module if you only use Defender products. You can upgrade to XDR + SIEM later if you add Sentinel.

Deployment Process

You deploy the Defender module directly in the ContraForce portal — there is no separate setup tool to launch. Sign in, grant the core ContraForce app consents, then enable and consent the Defender module from your workspace’s Modules tab.
Granting consent requires the Global Administrator role to authorize the enterprise applications. Cloud Application Administrator and Application Administrator cannot grant consent for Microsoft Graph application permissions. Global Administrator is required for the one-time consent only and is not retained; activate it just-in-time with Privileged Identity Management (PIM) and deactivate afterward.

Step 1: Sign In and Grant Core App Consents

  1. Open the portal: Open portal.contraforce.com. If you were invited to a workspace, open your invite link instead — it routes you to the portal sign-in.
  2. Sign in with Microsoft: Authenticate with a Global Administrator account from the target tenant.
  3. Consent ContraForce API: The first time anyone from your tenant signs in, a Microsoft consent prompt appears for ContraForce API. Review the requested permissions and click Accept.
  4. Consent ContraForce Portal: A second, separate Microsoft consent prompt appears for ContraForce Portal. Review the requested permissions and click Accept.

ContraForce API and ContraForce Portal are consented as two separate Microsoft prompts. Both are required for all ContraForce deployments, regardless of module selection.

Step 2: Open the Modules Tab

After the core app consents complete, open the workspace you are onboarding and go to its Modules tab. This is where you enable and consent each module for the workspace.
If a module was pre-selected for your workspace during invitation (for example, Detection and Response), you’ll find it listed here ready to consent.

On the Modules tab, enable and consent the Microsoft Defender for Endpoint module.
  1. Locate the module: Find Microsoft Defender for Endpoint in the module list on the Modules tab.
  2. Click Consent: Click Consent for the module. A Microsoft consent window opens.
  3. Sign in and Accept: Sign in with your Global Administrator account, review the requested permissions, and click Accept.

Consent is granted per module on the Modules tab with a single Consent action. The single Consent authorizes ContraForce to operate the module for the workspace.

To enable Gamebook response actions, consent the response modules you need — each with a single Consent on the Modules tab.
  1. Gamebooks for Microsoft Defender for Endpoint: Consent this module to enable endpoint response actions (isolate, scan, offboard).
  2. Additional response modules: Consent the response modules that match your environment (see the table below).

| Module | Purpose | When to Consent |
| --- | --- | --- |
| Gamebooks for Identity | User response actions (disable, reset password) | If managing Microsoft Entra ID identities |
| Microsoft 365 Response | Email response actions (delete email) | If using Defender for Office 365 |
| Azure Response | Azure resource response actions | If responding to Azure-based threats |

For each module, click Consent, complete the Microsoft authentication flow, and click Accept on the permissions prompt.

Step 5: Confirm the Workspace Is Live

There is no completion screen. Your workspace is onboarded when its status light turns green on its card in the Workspace Center.
  1. Check the status light: Open the Workspace Center and find your workspace card. A green status light means the workspace is live. A blue light means it is pre-onboarded and still awaiting consent; amber means a module or agent is still missing.
  2. Verify incidents: Defender for Endpoint incidents begin syncing to ContraForce (this may take 15-30 minutes). Open the Command page to confirm incidents are appearing.
  3. Test Gamebooks: Open an incident and confirm Gamebook response actions are available.

If you don’t see incidents immediately, verify that incidents exist in Microsoft Defender for Endpoint. ContraForce only displays incidents that exist in the source system.

Adding Users

Adding users is not part of module deployment. Once your workspace is live, invite your team from the organization settings.
  1. Invite people: Go to Settings → User Management and open the Invite people to the organization dialog to add users and assign roles.
  2. Manage groups: Manage groups in Settings → Group Management.

| Role | Best For |
| --- | --- |
| Admin | Team leads, workspace owners |
| Incident Responder | SOC analysts who need response capabilities |
| Incident Analyst | Junior analysts, read-only access |
| Data Source Admin | Integration specialists |

User Roles Reference

View detailed permissions for each role

Defender Module Limitations

When using the Defender module (without SIEM), the following features are not available:

| Feature | Status | Alternative |
| --- | --- | --- |
| SIEM Incidents | Not available | Upgrade to XDR + SIEM |
| Sentinel Advanced Threat Hunting | Not available | Upgrade to XDR + SIEM |
| Data Connectors page | Empty | Upgrade to XDR + SIEM |
| Custom severity notifications | Not available | Upgrade to XDR + SIEM |

Notifications

Defender Module Notification Behavior:
  • Email notifications are not generated by ContraForce for new Defender for Endpoint incidents
  • Email notifications are sent for Gamebook runs
  • ContraForce does not interrupt existing Defender notification configurations

Notifications Guide

Learn more about ContraForce notification options

Troubleshooting

Common Issues

| Issue | Possible Cause | Solution |
| --- | --- | --- |
| Consent fails | Insufficient permissions | Verify you’re using a Global Administrator account. Cloud Application Administrator and Application Administrator cannot grant consent for Microsoft Graph application permissions |
| Consent window doesn’t open | Pop-up blocker | Disable the pop-up blocker for portal.contraforce.com and click Consent again |
| No incidents appearing | Sync in progress | Wait 15-30 minutes for initial sync |
| No incidents appearing | No incidents in Defender | Verify incidents exist in the Microsoft Defender for Endpoint portal |
| No MDE device data | MDE consent incomplete | Re-consent the Microsoft Defender for Endpoint module on the Modules tab |
| Gamebooks unavailable | Module not consented | Consent Gamebooks for Microsoft Defender for Endpoint on the Modules tab |
| Status light not green | Module or agent still missing | Confirm every required module shows consented on the Modules tab |

Getting Help

If you encounter issues during deployment:
  1. Check consent status on the workspace Modules tab
  2. Verify admin permissions in the target tenant
  3. Review error messages for specific guidance
  4. Contact support at support@contraforce.com

Enterprise Applications

Enterprise Applications Overview

Overview of all ContraForce service principals

Microsoft Defender for Endpoint Application

Detailed permissions reference

Gamebooks for Defender for Endpoint

Endpoint response permissions

Portal Application

Core portal permissions

Next Steps

Incident Management Guide

Learn the incident workflow

Gamebooks

Start using response actions

User Management

Add and manage users

Command Dashboard

Navigate your dashboard

Questions about Defender module deployment? Contact us at support@contraforce.com.