> ## Documentation Index
> Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft Defender for Endpoint Module

This guide walks you through deploying the ContraForce Defender module, enabling you to manage Microsoft Defender for Endpoint incidents, run Gamebook response actions, and monitor endpoints across your managed workspaces.

<Info>
  The Defender module is designed for environments using Microsoft Defender for Endpoint (Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps). If you also use Microsoft Sentinel, consider the **XDR + SIEM** module instead.
</Info>

## Before You Begin

### Prerequisites

Ensure you have the following before starting deployment:

<Steps>
  <Step title="Microsoft Defender for Endpoint">
    An active Microsoft Defender for Endpoint deployment in the target tenant
  </Step>

  <Step title="Admin Credentials">
    **Global Administrator** access to the Microsoft tenant being onboarded — required to grant admin consent for ContraForce enterprise applications. Cloud Application Administrator and Application Administrator cannot grant consent for Microsoft Graph application permissions.
  </Step>

  <Step title="Portal Access">
    Access to [portal.contraforce.com](https://portal.contraforce.com), plus your workspace **invite link** if you are a customer admin onboarding an invited workspace
  </Step>
</Steps>

### Supported Licenses

The Defender module works with the following Microsoft 365 licenses:

| License                              | Supported | Notes                                     |
| ------------------------------------ | :-------: | ----------------------------------------- |
| **Microsoft 365 Business Premium**   |     ✓     | Full XDR capabilities                     |
| **Microsoft 365 E3**                 |     ✓     | Full XDR capabilities                     |
| **Microsoft 365 E5**                 |     ✓     | Full XDR capabilities + advanced features |
| **Standalone Defender for Endpoint** |     ✓     | Endpoint features only                    |

<Card title="Capability Matrix" icon="table" href="/guides/technical/microsoft-defender-capability-matrix">
  View detailed feature availability by license tier
</Card>

***

## Module Options

ContraForce offers two deployment modules. Choose based on your security stack:

<CardGroup cols={2}>
  <Card title="Defender Module" icon="shield-halved">
    **Microsoft Defender for Endpoint only**

    * Defender for Endpoint incidents
    * Endpoint management
    * Identity and email response
    * Gamebook actions

    *Choose this if you don't use Microsoft Sentinel*
  </Card>

  <Card title="XDR + SIEM Module" icon="layer-group">
    **Defender for Endpoint + Microsoft Sentinel**

    * Everything in Defender module
    * Sentinel incidents
    * Advanced threat hunting
    * Data connectors
    * Custom notifications by severity

    *Choose this if you use Sentinel alongside Defender*
  </Card>
</CardGroup>

### Feature Comparison

| Feature                         | Defender Module | XDR + SIEM Module |
| ------------------------------- | :-------------: | :---------------: |
| Defender for Endpoint Incidents |        ✓        |         ✓         |
| Endpoint Management             |        ✓        |         ✓         |
| Gamebook Response Actions       |        ✓        |         ✓         |
| Entity Insights                 |        ✓        |         ✓         |
| Sentinel Incidents              |        —        |         ✓         |
| Advanced Threat Hunting         |        —        |         ✓         |
| Data Connectors                 |        —        |         ✓         |
| Custom Severity Notifications   |        —        |         ✓         |

<Tip>
  Not sure which module to choose? Start with the Defender module if you only use Defender products. You can upgrade to XDR + SIEM later if you add Sentinel.
</Tip>

***

## Deployment Process

You deploy the Defender module directly in the ContraForce portal — there is no separate setup tool to launch. Sign in, grant the core ContraForce app consents, then enable and consent the Defender module from your workspace's **Modules** tab.

<Warning>
  Granting consent requires the **Global Administrator** role to authorize the enterprise applications. Cloud Application Administrator and Application Administrator cannot grant consent for Microsoft Graph application permissions. Global Administrator is required for the one-time consent only and is not retained; activate it just-in-time with Privileged Identity Management (PIM) and deactivate afterward.
</Warning>

### Step 1: Sign In and Grant Core App Consents

<Steps>
  <Step title="Open the portal">
    Open [portal.contraforce.com](https://portal.contraforce.com). If you were invited to a workspace, open your **invite link** instead — it routes you to the portal sign-in.
  </Step>

  <Step title="Sign in with Microsoft">
    Authenticate with a **Global Administrator** account from the target tenant.
  </Step>

  <Step title="Consent ContraForce API">
    The first time anyone from your tenant signs in, a Microsoft consent prompt appears for **ContraForce API**. Review the requested permissions and click **Accept**.
  </Step>

  <Step title="Consent ContraForce Portal">
    A second, separate Microsoft consent prompt appears for **ContraForce Portal**. Review the requested permissions and click **Accept**.
  </Step>
</Steps>

<Info>
  **ContraForce API** and **ContraForce Portal** are consented as two separate Microsoft prompts. Both are required for all ContraForce deployments, regardless of module selection.
</Info>

***

### Step 2: Open the Modules Tab

After the core app consents complete, open the workspace you are onboarding and go to its **Modules** tab. This is where you enable and consent each module for the workspace.

<Tip>
  If a module was pre-selected for your workspace during invitation (for example, **Detection** and **Response**), you'll find it listed here ready to consent.
</Tip>

***

### Step 3: Consent the Microsoft Defender for Endpoint Module

On the **Modules** tab, enable and consent the Microsoft Defender for Endpoint module.

<Steps>
  <Step title="Locate the module">
    Find **Microsoft Defender for Endpoint** in the module list on the **Modules** tab.
  </Step>

  <Step title="Click Consent">
    Click **Consent** for the module. A Microsoft consent window opens.
  </Step>

  <Step title="Sign in and Accept">
    Sign in with your **Global Administrator** account, review the requested permissions, and click **Accept**.
  </Step>
</Steps>

<Info>
  Consent is granted **per module** on the **Modules** tab with a single **Consent** action. The single Consent authorizes ContraForce to operate the module for the workspace.
</Info>

***

### Step 4: Consent Response (Gamebook) Modules

To enable Gamebook response actions, consent the response modules you need — each with a single **Consent** on the **Modules** tab.

<Steps>
  <Step title="Gamebooks for Microsoft Defender for Endpoint">
    Consent this module to enable endpoint response actions (isolate, scan, offboard).
  </Step>

  <Step title="Additional response modules">
    Consent the response modules that match your environment (see the table below).
  </Step>
</Steps>

| Module                     | Purpose                                         | When to Consent                           |
| -------------------------- | ----------------------------------------------- | ----------------------------------------- |
| **Gamebooks for Identity** | User response actions (disable, reset password) | If managing Microsoft Entra ID identities |
| **Microsoft 365 Response** | Email response actions (delete email)           | If using Defender for Office 365          |
| **Azure Response**         | Azure resource response actions                 | If responding to Azure-based threats      |

For each module, click **Consent**, complete the Microsoft authentication flow, and click **Accept** on the permissions prompt.

***

### Step 5: Confirm the Workspace Is Live

There is no completion screen. Your workspace is onboarded when its **status light turns green** on its card in the **Workspace Center**.

<Steps>
  <Step title="Check the status light">
    Open the **Workspace Center** and find your workspace card. A **green** status light means the workspace is live. A **blue** light means it is pre-onboarded and still awaiting consent; **amber** means a module or agent is still missing.
  </Step>

  <Step title="Verify incidents">
    Defender for Endpoint incidents begin syncing to ContraForce (this may take 15-30 minutes). Open the **Command** page to confirm incidents are appearing.
  </Step>

  <Step title="Test Gamebooks">
    Open an incident and confirm Gamebook response actions are available.
  </Step>
</Steps>

<Tip>
  If you don't see incidents immediately, verify that incidents exist in Microsoft Defender for Endpoint. ContraForce only displays incidents that exist in the source system.
</Tip>

***

## Adding Users

Adding users is **not** part of module deployment. Once your workspace is live, invite your team from the organization settings.

<Steps>
  <Step title="Invite people">
    Go to **Settings → User Management** and open the **Invite people to the organization** dialog to add users and assign roles.
  </Step>

  <Step title="Manage groups">
    Manage groups in **Settings → Group Management**.
  </Step>
</Steps>

| Role                   | Best For                                    |
| ---------------------- | ------------------------------------------- |
| **Admin**              | Team leads, workspace owners                |
| **Incident Responder** | SOC analysts who need response capabilities |
| **Incident Analyst**   | Junior analysts, read-only access           |
| **Data Source Admin**  | Integration specialists                     |

<Card title="User Roles Reference" icon="users" href="/guides/general-support/roles-and-permissions-reference">
  View detailed permissions for each role
</Card>

***

## Defender Module Limitations

When using the Defender module (without SIEM), the following features are **not available**:

| Feature                          | Status        | Alternative           |
| -------------------------------- | ------------- | --------------------- |
| SIEM Incidents                   | Not available | Upgrade to XDR + SIEM |
| Sentinel Advanced Threat Hunting | Not available | Upgrade to XDR + SIEM |
| Data Connectors page             | Empty         | Upgrade to XDR + SIEM |
| Custom severity notifications    | Not available | Upgrade to XDR + SIEM |

### Notifications

<Info>
  **Defender Module Notification Behavior:**

  * Email notifications are **not** generated by ContraForce for new Defender for Endpoint incidents
  * Email notifications **are** sent for Gamebook runs
  * ContraForce does not interrupt existing Defender notification configurations
</Info>

<Card title="Notifications Guide" icon="bell" href="/guides/technical/notifications-configuration">
  Learn more about ContraForce notification options
</Card>

***

## Troubleshooting

### Common Issues

| Issue                           | Possible Cause                | Solution                                                                                                                                                                               |
| ------------------------------- | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Consent fails**               | Insufficient permissions      | Verify you're using a **Global Administrator** account. Cloud Application Administrator and Application Administrator cannot grant consent for Microsoft Graph application permissions |
| **Consent window doesn't open** | Pop-up blocker                | Disable the pop-up blocker for portal.contraforce.com and click **Consent** again                                                                                                      |
| **No incidents appearing**      | Sync in progress              | Wait 15-30 minutes for initial sync                                                                                                                                                    |
| **No incidents appearing**      | No incidents in Defender      | Verify incidents exist in the Microsoft Defender for Endpoint portal                                                                                                                   |
| **No MDE device data**          | MDE consent incomplete        | Re-consent the Microsoft Defender for Endpoint module on the **Modules** tab                                                                                                           |
| **Gamebooks unavailable**       | Module not consented          | Consent **Gamebooks for Microsoft Defender for Endpoint** on the **Modules** tab                                                                                                       |
| **Status light not green**      | Module or agent still missing | Confirm every required module shows consented on the **Modules** tab                                                                                                                   |

### Getting Help

If you encounter issues during deployment:

1. **Check consent status** on the workspace **Modules** tab
2. **Verify admin permissions** in the target tenant
3. **Review error messages** for specific guidance
4. **Contact support** at [support@contraforce.com](mailto:support@contraforce.com)

***

## Related Documentation

### Enterprise Applications

<CardGroup cols={2}>
  <Card title="Enterprise Applications Overview" icon="key" href="/guides/technical/enterprise-applications">
    Overview of all ContraForce service principals
  </Card>

  <Card title="Microsoft Defender for Endpoint Application" icon="shield-halved" href="/guides/technical/contraforce-defender-for-endpoint-enterprise-application">
    Detailed permissions reference
  </Card>

  <Card title="Gamebooks for Defender for Endpoint" icon="bolt" href="/guides/technical/contraforce-gamebooks-for-defender-for-endpoint-enterprise-application">
    Endpoint response permissions
  </Card>

  <Card title="Portal Application" icon="browser" href="/guides/technical/contraforce-portal-enterprise-application">
    Core portal permissions
  </Card>
</CardGroup>

### Next Steps

<CardGroup cols={2}>
  <Card title="Incident Management Guide" icon="book" href="/guides/getting-started/incident-management">
    Learn the incident workflow
  </Card>

  <Card title="Gamebooks" icon="bolt" href="/guides/getting-started/what-are-gamebooks">
    Start using response actions
  </Card>

  <Card title="User Management" icon="users" href="/guides/general-support/contraforce-user-management">
    Add and manage users
  </Card>

  <Card title="Command Dashboard" icon="gauge" href="/guides/getting-started/command-dashboard">
    Navigate your dashboard
  </Card>
</CardGroup>

***

<Note>
  Questions about Defender module deployment? Contact us at [support@contraforce.com](mailto:support@contraforce.com).
</Note>
